Uptycs - Bad IP Incident

Gets information about processes which open connections to known bad IP addresses.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

This playbook does not use any integrations.

Scripts

This playbook does not use any scripts.

Commands

  • uptycs-get-threat-source
  • uptycs-get-parent-information
  • uptycs-get-process-child-processes
  • uptycs-get-process-information
  • uptycs-get-alerts
  • uptycs-get-process-open-sockets
  • uptycs-get-threat-indicator

Playbook Inputs


NameDescriptionDefault ValueRequired
alert_idThe unique Uptycs ID for a particular alert.${incident.alertid}Required

Playbook Outputs


PathDescriptionType
Uptycs.Proc.pidThe PID for the process.number
Uptycs.Proc.upt_add_timeThe time that the process was spawned.date
Uptycs.Proc.upt_remove_timeThe time that the process was removed.date
Uptycs.Parent.pidTHe PID of the parent process.number
Uptycs.Parent.upt_add_timeThe time that the process was spawned.date
Uptycs.Parent.upt_remove_timeThe time that the process was removed.date
Uptycs.Sockets.local_addressThe local IP address for the specified connection.string
Uptycs.Sockets.local_portThe local port for specified connection.number
Uptycs.Sockets.remote_portThe remote port for specified connection.number
Uptycs.Children.pidThe PID of a child process.number
Uptycs.Children.upt_add_timeThe time that the process was spawned.date
Uptycs.Children.upt_remove_timeThe time that the process was removed.date

Playbook Image


Uptycs_Bad_IP_Incident