AgentX playbooks reference
This reference describes the SOAR playbooks available for AgentX automated investigation and response.
Context
AgentX playbooks automate security workflows including host isolation, process termination, file removal, and forensic data collection. Playbooks use AgentX APIs to execute commands on Windows and Linux endpoints.
Active Response playbooks
Logpoint AgentX Ip-Block
Purpose: Block or unblock specific IP addresses at the endpoint firewall level.
Supported on: Windows
Dependencies: Wait-until-Seconds (sub-playbook)
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| Host Name | Hostname of the target agent | String |
| IP address to block or unblock | IP address for firewall rule | IPv4 |
| Add or Delete | Action: "Add" to block, "Delete" to unblock | String |
Output parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| Status | Execution status: "Failure" or "Successful" | String |
Use case: Automated threat response - Block attacker IP addresses when intrusion is detected.
Logpoint AgentX Process Dump
Purpose: Dump all running processes on the agent for forensic analysis.
Supported on: Windows, Linux
Dependencies: Wait-until-Seconds (sub-playbook)
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| Host Name | Hostname of the target agent | String |
Output parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| Process_tree | Process tree of all running processes | String |
Use case: Automated investigation - Collect process information when suspicious activity is detected.
Logpoint AgentX Isolate-Unisolate Host
Purpose: Isolate or unisolate a host from the network while maintaining management connectivity.
Supported on: Linux
Dependencies: Wait-until-Seconds (sub-playbook)
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| Management IP | Management IP that can access the endpoint during isolation | String |
| Command Type | Action: "isolate" or "unisolate" | String |
| Endpoint Name | Hostname of the target endpoint | String |
Output parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| Status | Execution status: "Failure" or "Successful" | String |
| Action | Action performed: "isolate" or "unisolate" | String |
Use case: Automated containment - Isolate compromised hosts during incident response.
Logpoint AgentX Remove Item
Purpose: Remove specified files from the agent.
Supported on: Linux
Dependencies: Wait-until-Seconds (sub-playbook)
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| Item Path | Full path of file to delete | String |
| Hostname | Hostname of the target agent | String |
Output parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| Status | Execution status: "failure" or "successful" | String |
Use case: Automated remediation - Remove malicious files when malware is detected.
Logpoint AgentX Terminate Process
Purpose: Terminate specified processes on the agent.
Supported on: Windows, Linux
Dependencies: Wait-until-Seconds (sub-playbook)
Input parameters:
| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| Process ID | Process ID to terminate | String | Optional if Process Name provided |
| Process Name | Process name to terminate (e.g., Notepad.exe) | String | Optional if Process ID provided |
| Hostname | Hostname of the target agent | String | Required |
Output parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| Status | Execution status: "failure" or "successful" | String |
Use case: Automated response - Terminate malicious processes during active attacks.
Note: Provide either Process ID or Process Name. If both are provided, Process ID takes precedence.
Logpoint AgentX Retrieve File Hash
Purpose: Calculate hash of a specified file on the agent.
Supported on: Windows, Linux
Dependencies: Wait-until-Seconds (sub-playbook)
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| Absolute File Path | Full path to the target file | String |
| hash_type | Hash algorithm: "SHA1", "SHA256", or "MD5" | String |
| Hostname | Hostname of the target agent | String |
Output parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| hash | MD5 hash (if MD5 requested) | String |
| hash_type | Type of hash calculated | String |
| hash_sha1 | SHA1 hash (if SHA1 requested) | String |
| hash_sha256 | SHA256 hash (if SHA256 requested) | String |
| absolute_file_path | File path that was hashed | String |
| hostname | Target hostname | String |
Use case: Automated investigation - Calculate file hashes for threat intelligence lookups.
Logpoint AgentX Delete Scheduled Task
Purpose: Delete a Windows scheduled task.
Supported on: Windows
Dependencies: Wait-until-Seconds (sub-playbook)
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| task_name | Name of scheduled task to delete | String |
| Hostname | Hostname of the target agent | String |
Use case: Automated remediation - Remove malicious scheduled tasks used for persistence.
Logpoint AgentX Disable Scheduled Task
Purpose: Disable a Windows scheduled task without deleting it.
Supported on: Windows
Dependencies: Wait-until-Seconds (sub-playbook)
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| task_name | Name of scheduled task to disable | String |
| Hostname | Hostname of the target agent | String |
Use case: Automated containment - Disable suspicious scheduled tasks for investigation.
Logpoint AgentX Disable StartUp Service
Purpose: Disable a startup service on Windows or Linux.
Supported on: Windows, Linux
Dependencies: Wait-until-Seconds (sub-playbook)
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| service_name | Name of service to disable | String |
| Hostname | Hostname of the target agent | String |
Use case: Automated remediation - Disable malicious services from starting at boot.
OSQuery playbooks
Osquery Investigation Initiation by Logpoint Incident
Purpose: Orchestrate comprehensive investigation triggered by Logpoint alerts.
Trigger type: Logpoint SIEM Incident
Dependencies: Osquery Investigate Process - Main Incident Generic (sub-playbook), Osquery Investigate Host - Main Incident (sub-playbook)
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| start_time | Alert start time | String |
| end_time | Alert end time | String |
| query | Alert query | String |
| rows_count | Number of result rows | Integer |
Use case: Automated investigation - Automatically investigate alerts with process and host forensics.
Osquery Check Process Execution State
Purpose: Verify whether a process is currently running on the endpoint.
Supported on: Windows, Linux
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| pid | Process ID to check | Integer |
| hostname | Hostname of the target agent | String |
Use case: Investigation - Verify whether a suspicious process is still active.
Osquery Get Process Suspicious DLL Loads
Purpose: Identify processes loading DLLs and executing commands.
Supported on: Windows
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| pid | Process ID to investigate | Integer |
| hostname | Hostname of the target agent | String |
Use case: Investigation - Detect DLL injection and suspicious library loads.
Osquery Get Process Socket
Purpose: Retrieve network connection information for a process.
Supported on: Windows, Linux
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| pid | Process ID to investigate | Integer |
| hostname | Hostname of the target agent | String |
Use case: Investigation - Identify network connections associated with suspicious processes.
Osquery Get Process Listening Status
Purpose: Determine if a process is listening on network ports.
Supported on: Windows, Linux
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| pid | Process ID to check | Integer |
| hostname | Hostname of the target agent | String |
Use case: Investigation - Detect processes acting as servers or backdoors.
Osquery Get Process Hash
Purpose: Calculate hash values for a process executable.
Supported on: Windows, Linux
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| pid | Process ID | Integer |
| hostname | Hostname of the target agent | String |
Output parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| md5 | MD5 hash | String |
| sha1 | SHA1 hash | String |
| sha256 | SHA256 hash | String |
Use case: Investigation - Generate hashes for threat intelligence correlation.
Osquery Get Host OS Version
Purpose: Retrieve operating system version information.
Supported on: Windows, Linux
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| hostname | Hostname of the target agent | String |
Use case: Investigation - Determine OS version for vulnerability assessment.
Osquery Get Host Uptime
Purpose: Retrieve system uptime information.
Supported on: Windows, Linux
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| hostname | Hostname of the target agent | String |
Use case: Investigation - Determine when the system was last rebooted.
Osquery Get Host Security Patch Installations
Purpose: Retrieve security patch installation history.
Supported on: Windows
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| hostname | Hostname of the target agent | String |
Use case: Vulnerability assessment - Verify security patch deployment.
Osquery Get Logged in Users
Purpose: Retrieve information about users currently logged into the system.
Supported on: Windows
Input parameters:
| Parameter | Description | Type |
| --- | --- | --- |
| hostname | Hostname of the target agent | String |
Use case: Investigation - Identify active user sessions during incidents.