AgentX playbooks overview
AgentX playbooks automate investigation, orchestration, and incident response tasks across Windows and Linux endpoints using SOAR workflows.
How playbooks work
Playbooks execute automated workflows that interact with AgentX Clients to investigate security events, gather forensic data, and remediate threats. When a playbook runs, it uses AgentX APIs to send commands to endpoints and retrieve results.
Playbooks can be triggered manually by security analysts or automatically by Logpoint alerts. When triggered by an alert, playbooks extract relevant information (hostname, process ID, IP addresses) from the alert and use it to execute targeted investigations or responses.
Playbook categories
Active Response playbooks Perform remediation actions on endpoints to contain or eliminate threats. These playbooks block IP addresses, isolate hosts, terminate processes, remove malicious files, and disable malicious services or scheduled tasks.
OSQuery playbooks Gather forensic and investigative data from endpoints using OSQuery. These playbooks query system state, user sessions, network connections, installed applications, running processes, registry keys, and file metadata.
Investigation playbooks Orchestrate comprehensive investigations by combining multiple queries and checks. These playbooks analyze process behavior, examine loaded DLLs, check file signatures, query threat intelligence databases, and generate detailed investigation reports.
Active Response capabilities
Network isolation Block specific IP addresses at the endpoint firewall level, or completely isolate a host from the network while keeping the AgentX Client's connection to the AgentX Server, so that an isolated host can still be investigated and remediated.
Process management Terminate malicious processes, dump process memory for analysis, and examine process execution chains.
File operations Remove malicious files, extract file headers to identify file types, and calculate file hashes for threat intelligence lookups.
Service and task management Disable malicious Windows services, delete or disable scheduled tasks, and restart legitimate services after remediation.
OSQuery investigation capabilities
Process investigation Query running processes, examine process trees, identify loaded DLLs, analyze process network connections, and check process listening status.
Host information gathering Collect OS version, system uptime, security patch installation history, startup items, firewall and antivirus status, and logged-in user information.
File analysis Calculate file hashes (MD5, SHA1, SHA256), verify file digital signatures (Authenticode, on Windows endpoints), and examine file metadata.
Configuration assessment Query security configurations, identify policy violations, and verify compliance with organizational standards.
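As an added example (not code from the AgentX documentation or product), the following Python shows the configuration-assessment step as playbook logic: it takes rows shaped like the osquery tables windows_security_products, patches and startup_items and evaluates them against a small policy (firewall on, antivirus on with current signatures, a patch installed within 30 days, no enabled autostart entry from a user-writable path). The row values, the assessment date, the thresholds and the ISO date format in installed_on are constructed assumptions; in production the rows would arrive from the AgentX Client as osquery JSON output, where every value is a string.

```python
"""Configuration assessment over osquery results, as a playbook would run it.
Rows are constructed to match the column names of the real osquery tables
windows_security_products, patches and startup_items; values, assessment date
and thresholds are made up. osquery JSON output carries every value as a
string, which is why state flags are compared as strings here."""
from datetime import date

ASSESSMENT_DATE = date(2024, 3, 1)   # fixed so the example is deterministic
MAX_PATCH_AGE_DAYS = 30
# Autostart entries launched from these locations are user-writable: a common
# persistence spot, and a violation in most hardening baselines.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Constructed endpoint results, keyed by osquery table name.
HOST_RESULTS = {
    "windows_security_products": [
        {"type": "Firewall", "name": "Windows Firewall", "state": "On", "signatures_up_to_date": "1"},
        {"type": "Antivirus", "name": "Windows Defender", "state": "Off", "signatures_up_to_date": "0"},
    ],
    "patches": [  # installed_on is ISO-formatted in this constructed data
        {"hotfix_id": "KB5034122", "installed_on": "2024-01-10"},
        {"hotfix_id": "KB5034441", "installed_on": "2024-01-12"},
    ],
    "startup_items": [
        {"name": "OneDrive", "status": "enabled",
         "path": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
         "source": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"},
        {"name": "Updater", "status": "enabled",
         "path": r"C:\Users\jdoe\AppData\Roaming\updater.exe",
         "source": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"},
    ],
}


def check_security_products(rows):
    """Firewall must be on; antivirus must be on with current signatures."""
    failures = []
    by_type = {r["type"]: r for r in rows}
    firewall = by_type.get("Firewall")
    if firewall is None or firewall["state"] != "On":
        failures.append("host firewall is not enabled")
    antivirus = by_type.get("Antivirus")
    if antivirus is None or antivirus["state"] != "On":
        failures.append("antivirus is not running")
    elif antivirus["signatures_up_to_date"] != "1":
        failures.append(f"{antivirus['name']} signatures are out of date")
    return failures


def check_patch_age(rows, today=ASSESSMENT_DATE, max_age=MAX_PATCH_AGE_DAYS):
    """Newest installed patch must be no older than max_age days."""
    if not rows:
        return ["no patches recorded on host"]
    newest = max(date.fromisoformat(r["installed_on"]) for r in rows)
    age = (today - newest).days
    return [f"last patch installed {age} days ago (limit {max_age})"] if age > max_age else []


def check_startup_items(rows):
    """Enabled autostart entries must not run from user-writable locations."""
    return [f"startup item '{r['name']}' runs from user-writable path {r['path']}"
            for r in rows
            if r["status"] == "enabled"
            and any(m in r["path"].lower() for m in USER_WRITABLE_MARKERS)]


def assess_host(hostname, results):
    """Run every check and return a case item: compliant flag plus failures per check."""
    failures = {
        "security_products": check_security_products(results.get("windows_security_products", [])),
        "patch_age": check_patch_age(results.get("patches", [])),
        "startup_items": check_startup_items(results.get("startup_items", [])),
    }
    return {"host": hostname, "compliant": not any(failures.values()), "failures": failures}


if __name__ == "__main__":
    report = assess_host("WS-0042", HOST_RESULTS)
    print("compliant" if report["compliant"] else "NON-COMPLIANT", report["host"])
    for check, problems in report["failures"].items():
        for problem in problems:
            print(f"  [{check}] {problem}")
```

Each check returns a list of human-readable failures rather than a boolean, so the playbook can attach them to the case item unchanged; a missing table (for example a Linux host with no windows_security_products rows) is reported as a failure rather than silently passing.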
Playbook triggers
Manual trigger Security analysts manually execute playbooks from the SOAR interface when investigating alerts or incidents. This provides full control over when and where automated actions occur.
Alert trigger Playbooks automatically execute when specific Logpoint alerts fire. The alert provides context (hostname, process ID, IP addresses) that the playbook uses to focus its investigation or response.
Scheduled trigger Playbooks execute on a schedule to perform routine tasks like collecting system inventory, checking compliance status, or gathering security metrics.
Playbook workflow
Trigger occurs (manual, alert, or schedule)
Playbook extracts parameters from trigger (hostname, process ID, etc.)
Playbook calls AgentX APIs to execute commands on endpoints
AgentX Server forwards commands to AgentX Clients on target endpoints
AgentX Clients execute commands and return results
Playbook processes results and generates case items
Playbook determines next actions based on results
Process repeats until investigation or response is complete
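The steps above, carried through one pass as an added example in Python (not AgentX or Logpoint code). The AgentX API is not documented on this page, so FakeEndpoint stands in for the AgentX Server and Client hop: it loads constructed rows, shaped like the osquery tables processes, process_open_sockets, hash and authenticode, into SQLite, which osquery is built on, so the playbook's SQL really executes. The run covers the suspicious-process investigation from the OSQuery capabilities: extract and validate parameters from the alert, build the osquery SQL, run it, turn results into indicators and choose next actions. The alert field names, the table rows, the hash, the threat-intel entry and the verdict thresholds are all constructed assumptions.

```python
"""One playbook run over a constructed alert and constructed osquery tables.
The AgentX API is not documented here, so FakeEndpoint stands in for the
Server -> Client hop: constructed rows shaped like the osquery tables processes,
process_open_sockets, hash and authenticode are loaded into SQLite, so the SQL
the playbook sends is genuinely executed rather than mocked."""
import ipaddress
import sqlite3

TEMP_SVCHOST = r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
# Constructed alert; the field names are an assumption about the Logpoint payload.
ALERT = {"alert_name": "Suspicious process execution", "host": "WS-0042", "process_id": "4712"}
# Constructed osquery tables as (columns, rows); only the columns used are loaded.
SAMPLE_TABLES = {
    "processes": (("pid", "parent", "name", "path"), [
        (4712, 3300, "svchost.exe", TEMP_SVCHOST),
        (3300, 2100, "WINWORD.EXE", WINWORD),
        (2100, 1680, "explorer.exe", r"C:\Windows\explorer.exe")]),  # parent 1680 has exited
    "process_open_sockets": (("pid", "remote_address", "remote_port", "state"), [
        (4712, "203.0.113.50", 443, "ESTABLISHED"), (4712, "10.20.30.1", 445, "ESTABLISHED")]),
    "hash": (("path", "sha256"), [
        (TEMP_SVCHOST, "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")]),
    "authenticode": (("path", "result"), [(TEMP_SVCHOST, "missing"), (WINWORD, "trusted")]),
}
# Constructed stand-in for the threat-intelligence lookup.
KNOWN_BAD_SHA256 = {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08": "constructed TI entry"}

# osquery SQL the playbook sends. hash and authenticode need a path constraint in
# WHERE; the recursive CTE walks the parent chain with a depth cap against pid-reuse loops.
TREE_SQL = """WITH RECURSIVE chain(pid, parent, name, path, depth) AS (
    SELECT pid, parent, name, path, 0 FROM processes WHERE pid = ?
    UNION ALL SELECT p.pid, p.parent, p.name, p.path, chain.depth + 1
    FROM processes AS p JOIN chain ON p.pid = chain.parent WHERE chain.depth < 8)
SELECT pid, parent, name, path FROM chain ORDER BY depth"""
SOCKETS_SQL = "SELECT remote_address, remote_port FROM process_open_sockets WHERE pid = ? AND state = 'ESTABLISHED'"
HASH_SQL = "SELECT sha256 FROM hash WHERE path = ?"
SIGNATURE_SQL = "SELECT result FROM authenticode WHERE path = ?"
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


class FakeEndpoint:
    """Stand-in for AgentX Server -> AgentX Client: runs the SQL over the constructed tables."""
    def __init__(self, tables):
        self.db = sqlite3.connect(":memory:")
        for name, (cols, rows) in tables.items():
            self.db.execute(f"CREATE TABLE {name} ({', '.join(cols)})")
            self.db.executemany(f"INSERT INTO {name} VALUES ({', '.join('?' * len(cols))})", rows)

    def run(self, sql, args):
        cur = self.db.execute(sql, args)
        return [dict(zip([d[0] for d in cur.description], row)) for row in cur.fetchall()]


def extract_parameters(alert):
    """Validate the targeting parameters; malformed input must never reach an endpoint."""
    try:
        host, pid = alert["host"], int(alert["process_id"])
    except (KeyError, ValueError) as exc:
        raise ValueError(f"alert lacks usable targeting parameters: {exc}") from exc
    if not host or pid <= 0:
        raise ValueError("alert host and process_id must be set")
    return {"host": host, "pid": pid}


def is_external(address):
    return not any(ipaddress.ip_address(address) in net for net in PRIVATE_NETS)


def assess(host, tree, sockets, hashes, signature, ti):
    """Turn results into indicators (the case items) and choose the next actions."""
    target, indicators = tree[0], []
    if target["name"].lower() in SYSTEM_BINARIES and not target["path"].lower().startswith("c:\\windows\\"):
        indicators.append(f"{target['name']} running from {target['path']}")
    if {p["name"].lower() for p in tree[1:]} & OFFICE_APPS:
        indicators.append("ancestor is an Office application")
    indicators += [f"established connection to {s['remote_address']}:{s['remote_port']}"
                   for s in sockets if is_external(s["remote_address"])]
    sig = signature[0]["result"] if signature else "unknown"
    if sig != "trusted":
        indicators.append(f"Authenticode result '{sig}'")
    sha256 = hashes[0]["sha256"] if hashes else None
    ti_hit = sha256 in ti
    if ti_hit:
        indicators.append(f"sha256 {sha256} matches threat intel: {ti[sha256]}")
    if ti_hit or len(indicators) >= 3:  # dump memory before killing: evidence dies with the process
        verdict, actions = "malicious", ["isolate_host", "dump_process_memory", "terminate_process", "remove_file"]
    elif indicators:
        verdict, actions = "suspicious", ["dump_process_memory", "escalate_to_analyst"]
    else:
        verdict, actions = "no_findings", ["close_case_item"]
    return {"host": host, "pid": target["pid"], "chain": " <- ".join(p["name"] for p in tree),
            "sha256": sha256, "indicators": indicators, "verdict": verdict, "actions": actions}


def run_playbook(alert, endpoint, ti=KNOWN_BAD_SHA256):
    """Trigger -> parameters -> queries -> results -> next actions, one pass of the loop."""
    params = extract_parameters(alert)
    tree = endpoint.run(TREE_SQL, (params["pid"],))
    if not tree:  # process already gone: the playbook branches instead of failing
        return {"host": params["host"], "pid": params["pid"], "verdict": "process_not_found",
                "indicators": [], "actions": ["collect_process_creation_events_from_logs"]}
    path = tree[0]["path"]  # trust the path the endpoint reports, not what the alert claims
    return assess(params["host"], tree, endpoint.run(SOCKETS_SQL, (params["pid"],)),
                  endpoint.run(HASH_SQL, (path,)), endpoint.run(SIGNATURE_SQL, (path,)), ti)


if __name__ == "__main__":
    result = run_playbook(ALERT, FakeEndpoint(SAMPLE_TABLES))
    print(result["verdict"], result["chain"], result["actions"], *result["indicators"], sep="\n")
```

Two details carry over to real playbooks: the branch on an empty process tree (the process has often exited by the time the alert fires, and the playbook must pivot to log data rather than error out), and the action order, which dumps process memory before terminating it because that evidence is gone once the process is killed. The SQL is parameterised throughout; alert fields are never interpolated into query strings, since the alert's contents are attacker-influenced.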
Use cases
Automated malware response When malware is detected, automatically isolate the host, collect forensic data such as process memory dumps, terminate malicious processes, and remove malicious files. Capturing memory before termination preserves evidence that is lost once the process is killed.
Suspicious process investigation When a suspicious process is detected, automatically dump the process tree, collect loaded DLLs, check file signatures, query threat intelligence databases, and generate an investigation report.
Compliance verification Automatically check security configurations across endpoints, identify systems that fail compliance checks, and generate remediation reports.
Insider threat investigation When suspicious user behavior is detected, automatically collect user session information, review file access history, examine process execution, and identify data exfiltration attempts.