Playbooks that execute — not just recommend.
Sockindle runs approved response actions automatically: isolate endpoints, block IPs, revoke tokens. Analyst approval gates for high-risk actions. Full audit trail for every execution.
Pre-built for the most common SOC scenarios.
The SOC tier includes 50 pre-built playbooks covering the most common endpoint, identity, and network response scenarios. Enterprise tier supports custom logic.
Endpoint Isolation
Isolate compromised endpoints via CrowdStrike Falcon, Carbon Black, or SentinelOne — with one-click analyst reversal if needed.
IP/Domain Blocking
Block IPs and domains on Palo Alto, Cisco, or perimeter firewall via API — not a manual ticket to the network team.
Token Revocation
Revoke compromised OAuth tokens and session cookies via Okta or Azure AD — before attackers pivot to SaaS resources.
Analyst Escalation
Push to PagerDuty, Slack, or ServiceNow with full evidence package attached — analyst has context before they open the ticket.
Account Lock
Disable Active Directory or Azure AD accounts on confirmed credential compromise. Configurable auto-unlock after analyst review.
Evidence Packaging
Generate structured incident reports (STIX-compatible) with IOC timeline, affected assets, hunt chain, and recommended remediation steps.
Autonomous where safe. Analyst gate where it matters.
Not every action should be autonomous. Sockindle supports configurable approval tiers — fully automatic for low-risk actions, analyst-approval for high-blast-radius steps like account lockout or endpoint isolation in production environments.
Tier 1 — Fully Autonomous
IOC blocklist updates, alert dismissals, low-severity playbooks. Execute immediately on confidence threshold.
Tier 2 — Timed Approval
Analyst has 15 minutes to reject before execution proceeds. Default for medium-impact actions. Notification via PagerDuty/Slack.
Tier 3 — Manual Approval
Full analyst confirmation required before execution. Default for endpoint isolation, account lockout, and production system changes.
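The three tiers above describe a gating policy: execute on confidence, execute unless rejected within a window, or execute only on explicit confirmation, with every decision recorded. The following is an added example, not Sockindle code, of how such a gate can be implemented so that the policy is testable and the audit trail is produced as a side effect of every decision. The action kinds, class names, the 0.9 confidence threshold and the sample targets are assumptions constructed for illustration; the 15-minute window is the one stated above. Unknown action kinds fall into the manual tier, so a misconfigured playbook fails closed rather than running unattended.

```python
"""Risk-tiered approval gate for automated response actions, with audit trail.

Added example (not Sockindle's code): models the three approval tiers
(autonomous, timed approval, manual approval). All names are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Tier(Enum):
    AUTONOMOUS = 1       # execute immediately once the confidence threshold is met
    TIMED_APPROVAL = 2   # execute unless an analyst rejects within the window
    MANUAL_APPROVAL = 3  # execute only after explicit analyst confirmation


# Hypothetical default mapping of action kinds to tiers (constructed for this example).
DEFAULT_TIERS = {
    "ioc_blocklist_update": Tier.AUTONOMOUS,
    "alert_dismiss": Tier.AUTONOMOUS,
    "ip_block": Tier.TIMED_APPROVAL,
    "token_revoke": Tier.TIMED_APPROVAL,
    "endpoint_isolate": Tier.MANUAL_APPROVAL,
    "account_lock": Tier.MANUAL_APPROVAL,
}

TIMED_WINDOW_SECONDS = 15 * 60   # tier 2 rejection window from the page
CONFIDENCE_THRESHOLD = 0.9       # assumed threshold for tier 1 auto-execution


@dataclass
class Action:
    action_id: str
    kind: str
    target: str
    confidence: float
    requested_at: float          # epoch seconds
    status: str = "pending"
    tier: Tier = Tier.MANUAL_APPROVAL
    decided_by: Optional[str] = None


@dataclass
class ApprovalGate:
    executor: Callable[[Action], None]   # calls the EDR/firewall/IdP integration
    clock: Callable[[], float]           # injected so the window is testable
    tiers: Dict[str, Tier] = field(default_factory=lambda: dict(DEFAULT_TIERS))
    audit: List[dict] = field(default_factory=list)
    pending: Dict[str, Action] = field(default_factory=dict)

    def _log(self, action: Action, event: str, actor: str = "system") -> None:
        # Every state change is appended; nothing is executed without an entry here.
        self.audit.append({"ts": self.clock(), "action_id": action.action_id,
                           "kind": action.kind, "target": action.target,
                           "event": event, "actor": actor})

    def _execute(self, action: Action, actor: str) -> None:
        self.executor(action)
        action.status, action.decided_by = "executed", actor
        self._log(action, "executed", actor)

    def submit(self, action: Action) -> str:
        # Unknown kinds fail closed into the manual tier.
        action.tier = self.tiers.get(action.kind, Tier.MANUAL_APPROVAL)
        self._log(action, f"submitted tier={action.tier.value}")
        if action.tier is Tier.AUTONOMOUS:
            if action.confidence >= CONFIDENCE_THRESHOLD:
                self._execute(action, "system")
            else:
                action.status = "held_low_confidence"
                self._log(action, "held: confidence below threshold")
            return action.status
        self.pending[action.action_id] = action
        action.status = "awaiting_approval"
        self._log(action, "awaiting analyst decision")
        return action.status

    def analyst_decision(self, action_id: str, analyst: str, approve: bool) -> str:
        action = self.pending.pop(action_id)   # KeyError if already decided
        if approve:
            self._execute(action, analyst)
        else:
            action.status, action.decided_by = "rejected", analyst
            self._log(action, "rejected", analyst)
        return action.status

    def tick(self) -> List[str]:
        """Run periodically: release tier-2 actions whose window elapsed unrejected."""
        now = self.clock()
        released = []
        for aid, action in list(self.pending.items()):
            if action.tier is Tier.TIMED_APPROVAL and now - action.requested_at >= TIMED_WINDOW_SECONDS:
                del self.pending[aid]
                self._execute(action, "system:timeout")
                released.append(aid)
        return released   # tier-3 actions never time out


if __name__ == "__main__":
    now = [1_700_000_000.0]   # constructed clock
    gate = ApprovalGate(executor=lambda a: print("EXEC", a.kind, a.target), clock=lambda: now[0])
    gate.submit(Action("a1", "ip_block", "198.51.100.9", 0.97, now[0]))   # constructed target
    now[0] += TIMED_WINDOW_SECONDS
    print(gate.tick(), [e["event"] for e in gate.audit])
```

The executor is injected so the same gate can front any integration, and the clock is injected so the tier-2 window can be exercised in tests instead of waiting 15 minutes. Because `tick()` only releases tier-2 actions, a tier-3 request that nobody answers stays pending indefinitely, which is the intended behaviour for isolation and lockout.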
Build playbooks that fit your SOC's risk tolerance.
Enterprise tier supports custom playbook logic and approval workflows.