Hey, 

Let's say we have a malicious case with multiple account entities, or even host entities.

And we also have a block for mitigation actions in EDR / AAD, but we want to block only one of each entity type, not all.

Is there a way to perform this task automatically?

If not, is there a way to pop a window to the analysts to write or select the relevant entities?

Generally, do you have any best practices for these kinds of actions?

Hey @ORBR,

As of now, it's not natively supported, but I do have a workaround that will solve your use case.

It's possible to create a custom "Entity Selection Scope" and use it inside the actions. It can be dynamic and resolved during the playbook execution.
Here are the examples of configuration:
Real use case example: I've created a test case that has 4 entities and the goal is to run the action only on 1 entity (ENTITY4):

This is how it's possible to solve the use case of creating a custom scope for blocks for remediation and ensure that the actions are only executed on a specific subset of entities. Let me know if it makes sense.
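The scope resolution described in the answer above, as an added stand-alone example that is not the original poster's configuration nor code from the SOAR vendor. It assumes a playbook step receives the case's entities and an analyst-supplied scope (a comma-separated list of entity identifiers, as a playbook placeholder or action parameter might carry it); the `Entity` class, the constructed four-entity case and the "one per type" fallback are assumptions made for illustration. In a real custom action the entity list would come from the SDK's target entities and the scope from an action parameter; here both are built inline so the logic runs offline.

```python
"""Resolve a dynamic entity-selection scope before running a block action.

Constructed example: entities are plain objects mimicking the fields a SOAR
entity carries (identifier, type, suspicious flag). Nothing here calls a
vendor SDK; the integration points are described in comments as assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    identifier: str
    entity_type: str        # assumed type labels, e.g. "ACCOUNT" or "HOSTNAME"
    is_suspicious: bool = False


# Constructed test case mirroring the answer's scenario: 4 entities, act on 1.
CASE_ENTITIES = [
    Entity("ENTITY1", "ACCOUNT"),
    Entity("ENTITY2", "ACCOUNT", is_suspicious=True),
    Entity("ENTITY3", "HOSTNAME"),
    Entity("ENTITY4", "HOSTNAME", is_suspicious=True),
]


def parse_scope(scope_value: str) -> set:
    """Turn an analyst-supplied scope ("ENTITY4" or "entity2, ENTITY4") into a
    normalised identifier set. Case-insensitive so a hand-typed value still
    matches the identifier stored on the case."""
    return {item.strip().upper() for item in scope_value.split(",") if item.strip()}


def resolve_scope(entities, scope_value):
    """Return (selected, unknown): the entities named by the scope, plus any
    names the scope mentions that are not in the case, so the step can fail
    loudly rather than silently block nothing."""
    wanted = parse_scope(scope_value)
    selected = [e for e in entities if e.identifier.upper() in wanted]
    unknown = wanted - {e.identifier.upper() for e in entities}
    return selected, unknown


def one_per_type(entities):
    """Fallback when no explicit scope is given: keep at most one entity per
    type, preferring ones flagged suspicious, so a blanket block never hits
    every account or every host in the case."""
    chosen = {}
    # Suspicious entities sort first; ties broken by identifier for determinism.
    for e in sorted(entities, key=lambda e: (not e.is_suspicious, e.identifier)):
        chosen.setdefault(e.entity_type, e)
    return sorted(chosen.values(), key=lambda e: e.identifier)


def plan_block_actions(entities, scope_value=""):
    """Decide which entities the block action should run against.

    In a real custom action (assumption) `entities` would be the step's target
    entities and `scope_value` an action parameter filled by the analyst or by
    an earlier playbook step."""
    if scope_value.strip():
        selected, unknown = resolve_scope(entities, scope_value)
        if unknown:
            raise ValueError(f"scope names entities not in the case: {sorted(unknown)}")
        return selected
    return one_per_type(entities)


if __name__ == "__main__":
    for e in plan_block_actions(CASE_ENTITIES, "ENTITY4"):
        print("explicit scope -> would block", e.identifier, e.entity_type)
    for e in plan_block_actions(CASE_ENTITIES):
        print("fallback scope -> would block", e.identifier, e.entity_type)
```

With the scope set to `ENTITY4` only that host is passed to the block action; with an empty scope the fallback picks one account and one host (the suspicious ones), and a scope naming an identifier that is not on the case raises instead of running an empty block, which is the failure mode worth surfacing to the analyst.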