Use Case #5: Scan/Remediate/Rollback Endpoint


For mEDR customers, this automation use case provides immediate response actions for endpoint-specific threats that may originate from various source tools. It collects information from the reported threat and performs mitigation actions on the involved IOCs to help contain and mitigate the identified threat.

For all mEDR customers, this use case comes with a partial implementation out of the box through our playbook automation. Any changes or additional automation setups, however, must be requested from and worked out with the SOAR team.

In addition to the default implementation within the EDR playbooks, this automation use case can also be deployed in other XDR alerts so that details from all leveraged tools are included for any potential threat within an environment. This enables the SOC to correlate activity from the XDR platform and take preemptive action on related endpoints using an EDR solution.

Typical Actions

  1. Initiate full-disk scan
  2. Remediate threat on endpoint
  3. Initiate rollback
  4. Kill/quarantine threat

Default Playbooks

  1. EDR Playbooks
  2. XDR: Trojan Activity
  3. XDR: External Malware Activity

Base Workflow



What is Needed 

  1. API Root 
  2. API Key 
  3. Any other credentials depending on the tool 

Available Vendors 

  1. SentinelOne 
  2. CrowdStrike Falcon 
  3. Microsoft Defender for Endpoint 
  4. Carbon Black 
  5. Symantec Endpoint Protection 
  6. Sophos 
  7. ... more on Updated Integration List for Chronicle SOAR 

Note: If you do not see an integration listed, it may still be possible to configure it: CyFlare has an internal SOAR team that can develop integrations within SOAR. This may come at extra cost to a client, depending on the request. Reach out to your CSM or socir@cyflare.com for more details.


How to Get Started 

Two Options: 

  1. Work with your dedicated Customer Success Manager, who will coordinate with the SOAR Team to get this automation built out for you. 
  2. Send an email to socir@cyflare.com specifying which integration you would like to leverage for the automation to be built out. 
    1. The SOAR Team will process your request, get back to you with the criteria we need, and meet with you to explain the criteria further and validate any questions you may have. 

