RS0003: Containment
Prevent a threat from achieving its objectives and/or spreading around an environment.
Stage Actions
| ID | Title | Brief Description |
|---|---|---|
| RA3001 | Patch Vulnerability | Patch a vulnerability in an asset |
| RA3101 | Block External Ip Address | Block an external IP address from being accessed by corporate assets |
| RA3102 | Block Internal Ip Address | Block an internal IP address from being accessed by corporate assets |
| RA3103 | Block External Domain | Block an external domain name from being accessed by corporate assets |
| RA3104 | Block Internal Domain | Block an internal domain name from being accessed by corporate assets |
| RA3105 | Block External Url | Block an external URL from being accessed by corporate assets |
| RA3106 | Block Internal Url | Block an internal URL from being accessed by corporate assets |
| RA3107 | Block Port External Communication | Block a network port for external communications |
| RA3108 | Block Port Internal Communication | Block a network port for internal communications |
| RA3109 | Block User External Communication | Block a user for external communications |
| RA3110 | Block User Internal Communication | Block a user for internal communications |
| RA3111 | Block Data Transferring By Content Pattern | Block data transfer by its content pattern (e.g. a specific string, keyword, or binary pattern) |
| RA3112 | Isolate Asset | Isolate machine via EDR |
| RA3113 | Inspect Network Shares | Inspect network shares |
| RA3201 | Block Domain On Email | Block a domain name on an email server |
| RA3202 | Block Sender On Email | Block an email sender on an email server |
| RA3203 | Quarantine Email Message | Quarantine an email message |
| RA3301 | Quarantine File By Format | Quarantine a file by its format |
| RA3302 | Quarantine File By Hash | Quarantine a file by its hash |
| RA3303 | Quarantine File By Path | Quarantine a file by its path |
| RAI3303_0001 | Perform quarantine file via SOLDR | This response action is intended to quarantine a chosen file |
| RA3304 | Quarantine File By Content Pattern | Quarantine a file by its content pattern |
| RA3401 | Block Process By Executable Path | Block a process execution by its executable path (including its name) |
| RAI3401_0001 | Terminate process via SOLDR | This response action is intended to terminate a process by its executable path |
| RA3402 | Block Process By Executable Metadata | Block a process execution by its executable metadata (e.g. signature, permissions, MAC times) |
| RA3403 | Block Process By Executable Hash | Block a process execution by its executable hash |
| RA3404 | Block Process By Executable Format | Block a process execution by its executable format |
| RA3405 | Block Process By Executable Content Pattern | Block a process execution by its executable content pattern (e.g. a specific string, keyword, or binary pattern) |
| RA3501 | Disable System Service | Disable a system service |
| RA3601 | Lock User Account | Lock a user account |
| RAI3601_0002 | Powershell disable AD user | Disable an AD user through PowerShell |
| RA3602 | Block User Account | Block a user account |
| RAI3602_0001 | Block domain user account via Powershell | Block user accounts using the `Disable-ADAccount` cmdlet |