IOC Containment Runbook#
Objective#
Quickly execute containment actions for identified malicious Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes, leveraging available SIEM, SOAR, GTI, and potentially EDR/Firewall tools.
Scope#
This runbook focuses on the immediate containment actions based on confirmed malicious IOCs. It assumes the IOCs have been identified through prior investigation (e.g., alert triage, threat hunting, GTI research).
Inputs#
${IOC_VALUE}: The specific IOC value (e.g., “198.51.100.10”, “evil-domain.com”, “abcdef123456…”).${IOC_TYPE}: The type of IOC (e.g., “IP Address”, “Domain”, “File Hash”).${CASE_ID}: The relevant SOAR case ID for documentation.${ALERT_GROUP_IDENTIFIERS}: Relevant alert group identifiers from the SOAR case.
Tools#
gti-mcp:get_ip_address_report,get_domain_report,get_file_report(Optional: for final reputation check)secops-soar:google_chronicle_add_values_to_reference_list(Example: for adding to SIEM blocklist)secops-soar:post_case_comment(For documentation)(Potentially other SOAR actions for specific integrations like Firewalls, Proxies, EDR)
secops-mcp:search_security_events(To find related activity/endpoints for file hashes)You may ask follow up question (To confirm actions)
Workflow Steps & Diagram#
Receive Input: Obtain
${IOC_VALUE},${IOC_TYPE},${CASE_ID}, and${ALERT_GROUP_IDENTIFIERS}.(Optional) Final Reputation Check: Use the appropriate
gti-mcptool (get_ip_address_report,get_domain_report,get_file_report) for${IOC_VALUE}to confirm malicious reputation before blocking.Confirm Containment Action: Execute
common_steps/confirm_action.mdwithQUESTION_TEXT="Proceed with containment for ${IOC_VALUE} (${IOC_TYPE})?"andRESPONSE_OPTIONS=["Yes", "No"]. Obtain${USER_RESPONSE}.Execute Containment (If Confirmed):
If
${USER_RESPONSE}is “Yes”:If
${IOC_TYPE}is IP Address or Domain:Add
${IOC_VALUE}to the appropriate blocklist reference list in Chronicle SIEM usingsoar-mcp_google_chronicle_add_values_to_reference_list. (Requires knowing the correctreference_list_name, e.g., “IP_Blocklist”, “Domain_Blocklist”). Let the action status beCONTAINMENT_ACTION_STATUS.(Optional: Execute actions via specific Firewall/Proxy SOAR integrations if available).
If
${IOC_TYPE}is File Hash:Search SIEM (
secops-mcp_search_security_events) for events involving the file hash (target.file.md5 = "${IOC_VALUE}"or similar) to identify affected endpoints.(Optional: Execute EDR actions like file quarantine/deletion on identified endpoints via specific EDR SOAR integrations if available). Let the action status be
CONTAINMENT_ACTION_STATUS.
Document Action: Execute
common_steps/document_in_soar.mdwith${CASE_ID}andCOMMENT_TEXT="Containment action attempted for IOC: ${IOC_VALUE} (Type: ${IOC_TYPE}). Action: [Blocked/EDR Action Attempted]. Status: ${CONTAINMENT_ACTION_STATUS}". Obtain${COMMENT_POST_STATUS}.
If
${USER_RESPONSE}is “No”:Document Action: Execute
common_steps/document_in_soar.mdwith${CASE_ID}andCOMMENT_TEXT="Containment action aborted by analyst for IOC: ${IOC_VALUE} (Type: ${IOC_TYPE}).". Obtain${COMMENT_POST_STATUS}.
Completion: Conclude the runbook execution.
sequenceDiagram
participant Analyst
participant AutomatedAgent as Automated Agent (MCP Client)
participant GTI as gti-mcp
participant ConfirmAction as common_steps/confirm_action.md
participant SOAR as secops-soar
participant SIEM as secops-mcp
participant DocumentInSOAR as common_steps/document_in_soar.md
%% EDR/Firewall conceptual participants
participant EDR as EDR (Conceptual)
participant Firewall as Firewall (Conceptual)
Analyst->>AutomatedAgent: Start IOC Containment Runbook\nInput: IOC_VALUE, IOC_TYPE, CASE_ID, ALERT_GROUP_IDS
%% Step 2: Optional Reputation Check
opt Reputation Check
alt IOC_TYPE is IP Address
AutomatedAgent->>GTI: get_ip_address_report(ip_address=IOC_VALUE)
GTI-->>AutomatedAgent: IP Report (Confirm Malicious)
else IOC_TYPE is Domain
AutomatedAgent->>GTI: get_domain_report(domain=IOC_VALUE)
GTI-->>AutomatedAgent: Domain Report (Confirm Malicious)
else IOC_TYPE is File Hash
AutomatedAgent->>GTI: get_file_report(hash=IOC_VALUE)
GTI-->>AutomatedAgent: File Report (Confirm Malicious)
end
end
%% Step 3: Confirm Action
AutomatedAgent->>ConfirmAction: Execute(Input: QUESTION_TEXT="Proceed...?", RESPONSE_OPTIONS=["Yes", "No"])
ConfirmAction-->>AutomatedAgent: Results: USER_RESPONSE
%% Step 4: Execute Containment (If Confirmed)
alt USER_RESPONSE is "Yes"
Note over AutomatedAgent: Containment_Action_Status = "Attempted"
alt IOC_TYPE is IP Address or Domain
Note over AutomatedAgent: Determine Reference List Name (e.g., "IP_Blocklist")
AutomatedAgent->>SOAR: google_chronicle_add_values_to_reference_list(case_id=CASE_ID, ..., values=IOC_VALUE)
SOAR-->>AutomatedAgent: Blocklist Add Result -> Update Containment_Action_Status
opt Firewall/Proxy Integration Available
AutomatedAgent->>Firewall: (Conceptual) Block IOC_VALUE
Firewall-->>AutomatedAgent: Block Result -> Update Containment_Action_Status
end
else IOC_TYPE is File Hash
AutomatedAgent->>SIEM: search_security_events(text="Events with hash IOC_VALUE")
SIEM-->>AutomatedAgent: Events (Identify Endpoints E1, E2...)
opt EDR Integration Available
loop For each Endpoint Ei
AutomatedAgent->>EDR: (Conceptual) Quarantine/Delete Hash IOC_VALUE on Ei
EDR-->>AutomatedAgent: EDR Action Result -> Update Containment_Action_Status
end
else
Note over AutomatedAgent: Containment_Action_Status = "Manual EDR Action Needed"
end
end
%% Document Action (Yes case)
AutomatedAgent->>DocumentInSOAR: Execute(Input: CASE_ID, COMMENT_TEXT="Containment action attempted...")
DocumentInSOAR-->>AutomatedAgent: Results: COMMENT_POST_STATUS
AutomatedAgent->>Analyst: attempt_completion(result="IOC Containment runbook complete for IOC_VALUE. Action attempted.")
else USER_RESPONSE is "No"
%% Document Action (No case)
AutomatedAgent->>DocumentInSOAR: Execute(Input: CASE_ID, COMMENT_TEXT="Containment action aborted...")
DocumentInSOAR-->>AutomatedAgent: Results: COMMENT_POST_STATUS
AutomatedAgent->>Analyst: attempt_completion(result="IOC Containment runbook aborted for IOC_VALUE.")
end
## Rubrics
The following rubric is used to evaluate the execution of this **Triage/Response** runbook by an LLM agent.
### Grading Scale (0-100 Points)
| Criteria | Points | Description |
| :--- | :--- | :--- |
| **Context & Enrichment** | 25 | Correctly extracted entities and enriched them with relevant context (GTI, SIEM). |
| **Analysis & Decision** | 25 | Analyzed the enriched data to make a sound decision (FP/TP, Escalate/Close). |
| **Action Execution** | 20 | Performed the required response actions (e.g., isolation, containment) correctly. |
| **Documentation** | 15 | Clearly documented findings and actions in the case/ticket. |
| **Operational Artifacts** | 15 | Produced required artifacts: Sequence diagram, execution metadata (date/cost), and summary. |
### Evaluation Criteria Details
#### 1. Context & Enrichment (25 Points)
- **10 pts**: Accurately extracted key entities (IPs, users, hashes) from the input.
- **15 pts**: Performed necessary enrichment (e.g., `enrich_ioc`) to gather reputation and history.
#### 2. Analysis & Decision (25 Points)
- **15 pts**: Interpreted the context correctly to determine the nature of the alert.
- **10 pts**: Reached a logical conclusion or next step (e.g., "Escalate to Tier 2" or "Isolate Host").
#### 3. Action Execution (20 Points)
- **10 pts**: Called the correct tools to perform response actions (if applicable) or investigative steps.
- **10 pts**: Verified the success of actions or handled errors appropriately.
#### 4. Documentation (15 Points)
- **15 pts**: Posted a comprehensive comment or update to the SOAR case summarizing the triage.
#### 5. Operational Artifacts (15 Points)
- **5 pts**: **Sequence Diagram**: Produced a Mermaid sequence diagram visualizing the steps taken.
- **5 pts**: **Execution Metadata**: Recorded the date, duration, and estimated token cost.
- **5 pts**: **Summary Report**: Generated a concise summary of the actions and outcomes.