Generic Playbooks
The playbooks listed in this article are frequently used playbooks that are part of the Common Playbooks pack.
These playbooks are created out-of-the-box to support common tasks that are a part of the analyst workflow.
The playbooks should be accessible and usable by different users. They don't depend on specific integrations to achieve their final goal; instead, each playbook works with all of the enabled integrations that support the use cases in its flow.
All of the playbooks in this list can be used independently or as a sub-playbook to support a larger use-case.
Generic playbooks mapped by use case

Generic Playbook | Description | Use Cases |
---|---|---|
Account Enrichment - Generic v2.1 | Enriches accounts using all enabled account management integrations. | IAM |
Block Account - Generic | Blocks malicious usernames using all enabled integrations. | IAM |
Block Email - Generic | Blocks emails at your mail relay integration. | Email Gateway |
Block File - Generic v2 | Blocks files from running on endpoints using all enabled Endpoint integrations. | Endpoint |
Block Indicators - Generic v2 | Blocks malicious indicators using all enabled integrations, via the following sub-playbooks: Block URL - Generic; Block Account - Generic; Block IP - Generic v2; Block File - Generic v2. | Data Enrichment and Threat Intelligence |
Block IP - Generic v2 | Blocks malicious IPs using all enabled network security integrations. | Network Security |
Block URL - Generic | Blocks malicious URLs using all enabled network security integrations. | Network Security |
Convert file hash to corresponding hashes | Enables you to get all of the corresponding file hashes for a file even if there is only one hash type available. For example, if you have only the SHA256 hash, the playbook will get the SHA1 and MD5 hashes as long as the original searched hash is recognized by any of the threat intelligence integrations. | Forensics and Malware |
CVE Enrichment - Generic v2 | Performs CVE Enrichment using all enabled vulnerability management integrations. | Data Enrichment and Threat Intelligence |
Detonate File - Generic | Detonates files through active integrations that support file detonation. | Forensics and Malware |
Detonate URL - Generic | Detonates URLs through active integrations that support URL detonation. | Forensics and Malware |
Domain Enrichment - Generic v2 | Enriches domains using all enabled Data Enrichment and Threat Intelligence integrations. Domain enrichment includes threat information. | Data Enrichment and Threat Intelligence |
Email Address Enrichment - Generic v2.1 | Enriches email addresses: gets information from Active Directory for internal addresses; gets the domain-squatting reputation for external addresses. | Data Enrichment and Threat Intelligence |
Endpoint Enrichment - Generic v2.1 | Enriches an endpoint by hostname using all enabled Endpoint integrations. | Endpoint |
Entity Enrichment - Generic v3 | Enriches entities using one or more integrations. | Data Enrichment and Threat Intelligence |
Extract Indicators From File - Generic v2 | Extracts indicators from a file. Supported file types: CSV, TXT, HTM/HTML, DOC/DOCX, PPT/PPTX, RTF, XLS. | Forensics and Malware |
File Enrichment - File reputation | Gets the file reputation using one or more integrations. | Data Enrichment and Threat Intelligence |
File Enrichment - Generic v2 | Enriches a file using one or more integrations. Provides threat information. | Data Enrichment and Threat Intelligence |
Get endpoint details - Generic | Uses the generic command !endpoint to retrieve details on a specific endpoint. | Endpoint |
Get File Sample By Hash - Generic v3 | Returns a file sample correlating to a hash in the War Room using the following sub-playbooks: VMware Carbon Black EDR v2 (gets a binary file by MD5 hash from Carbon Black telemetry data); Cylance Protect v2 (gets the threat (file) attached to a specific SHA256 hash). | Endpoint |
Get File Sample From Path - Generic V3 | Returns a file sample from a specified path and host that you input, using the following playbooks: PS Remote Get File Sample From Path; Get File Sample From Path - Carbon Black Enterprise Response. | Endpoint |
Get host forensics - Generic | Retrieves forensics from hosts using all enabled forensics and malware analysis integrations. | Forensics and Malware |
Get Original Email - Generic | Retrieves the original email in the thread, including headers and attachments, when the reporting user forwarded the original email not as an attachment. You must have the necessary permissions in your email service to execute a global search: EWS requires eDiscovery; Gmail requires Google Apps Domain-Wide Delegation of Authority. | Email Gateway |
IP Enrichment - External - Generic v2 | Enriches IP addresses using one or more integrations: resolves IP addresses to host names (DNS); provides threat information; separates internal and external addresses. | Data Enrichment and Threat Intelligence |
IP Enrichment - Generic v2 | Enriches IP addresses using one or more integrations: resolves IP addresses to host names (DNS); provides threat information; separates internal and external IP addresses; gets host information for internal IP addresses. | Data Enrichment and Threat Intelligence |
IP Enrichment - Internal - Generic v2 | Enriches internal IP addresses using one or more integrations: resolves IP addresses to hostnames (DNS); separates internal and external IP addresses; gets host information for IP addresses. | Data Enrichment and Threat Intelligence |
Isolate Endpoint - Generic V2 | Isolates a given endpoint via various endpoint product integrations. | Endpoint |
Retrieve File from Endpoint - Generic V3 | Retrieves a file sample from an endpoint using the following playbooks: Get File Sample From Path - Generic v2; Get File Sample By Hash - Generic v3. | Endpoint |
Search And Delete Emails - Generic v2 | Searches and deletes emails with similar attributes of a malicious email using EWS or Office 365. | Email Gateway |
Search Endpoint by CVE - Generic | Hunts for assets with a given CVE using available tools. | Vulnerability Management |
Search Endpoints By Hash - Generic V2 | Hunts for endpoints by file hash using all available tools. | Endpoint |
Threat Hunting - Generic | Enables threat hunting for IOCs in your enterprise using all enabled supported integrations. | Threat Hunting |
Unisolate Endpoint - Generic | Unisolates endpoints according to the endpoint ID or hostname that is provided in the playbook. | Endpoint |
URL Enrichment - Generic v2 | Enriches URLs using one or more integrations. URL enrichment includes: SSL verification for URLs; threat information; URL screenshots. | Network Security |