Reference Docs

Find reference documentation for Integrations, Automations, Playbooks and more.

Integrations

NameDescription
abuse.ch SSL Blacklist FeedThe SSL IP Blacklist contains all hosts (IP addresses) that SSLBL has seen in the past 30 days and identified as being associated with a malicious SSL certificate.
AbuseIPDBCentral repository to report and identify IP addresses that have been associated with malicious activity online. Check the Detailed Information section for more information on how to configure the integration.
Acalvio ShadowPlexAcalvio ShadowPlex is a comprehensive Autonomous Deception Platform that offers Advanced Threat Detection, Investigation and Response capabilities.
AccessdataUse the Accessdata integration to protect against and provide additional visibility into phishing and other malicious email attacks.
Active Directory AuthenticationAuthenticate using Active Directory.
Active Directory Query v2Active Directory Query integration enables you to access and manage Active Directory objects (users, contacts, and computers).
ActiveMQIntegration with ActiveMQ queue
Aella Star LightAella Star Light Integration
Agari Phishing DefenseAgari Phishing Defense stops phishing, BEC, and other identity deception attacks that trick employees into harming your business.
Akamai WAFUse the Akamai WAF integration to manage common sets of lists used by various Akamai security products and features.
Akamai WAF SIEMUse the Akamai WAF SIEM integration to retrieve security events from Akamai Web Application Firewall (WAF) service.
Alexa Rank IndicatorAlexa provides website ranking information that can be useful in determining if the domain in question has a strong web presence.
AlienVault OTX TAXII FeedThis integration fetches indicators from AlienVault OTX using a TAXII client.
AlienVault OTX v2Query Indicators of Compromise in AlienVault OTX.
AlienVault Reputation FeedUse the AlienVault Reputation feed integration to fetch indicators from the feed.
AlienVault USM AnywhereSearches for and monitors alarms and events from AlienVault USM Anywhere.
AlphaSOC Network Behavior AnalyticsRetrieve alerts from the AlphaSOC Analytics Engine
AlphaSOC WisdomDNS and IP threat intelligence via the AlphaSOC platform
Amazon DynamoDBAmazon DynamoDB Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. DynamoDB lets you offload the administrative burdens of operating and scaling a distributed database, so that you don't have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling. With DynamoDB, you can create database tables that can store and retrieve any amount of data, and serve any level of request traffic. You can scale up or scale down your tables' throughput capacity without downtime or performance degradation, and use the AWS Management Console to monitor resource utilization and performance metrics. DynamoDB automatically spreads the data and traffic for your tables over a sufficient number of servers to handle your throughput and storage requirements, while maintaining consistent and fast performance. All of your data is stored on solid state disks (SSDs) and automatically replicated across multiple Availability Zones in an AWS region, providing built-in high availability and data durability.
AMPUses CISCO AMP Endpoint
Analyst1This integration utilizes Analyst1's system to enrich Demisto indicators with data provided by the Analyst1 REST API, such as actor and malware information, activity and reported dates, evidence and hit counts, and more.
Anomali MatchUse Anomali Match to search indicators and enrich domains.
Anomali ThreatStreamUse Anomali ThreatStream to query and submit threats
Anomali ThreatStream v2Use Anomali ThreatStream to query and submit threats.
Ansible TowerScale IT automation, manage complex deployments, and speed productivity.
ANY.RUNANY.RUN is a cloud-based sanbox with interactive access.
ArcSight ESM v2ArcSight ESM SIEM by Micro Focus (Formerly HPE Software).
ArcSight LoggerArcSight events logger
ARIA Packet IntelligenceThe ARIA Cybesecurity Solutions Software-Defined Security (SDS) platform integrates with Cortex XSOAR to add robustness when responding to incidents. The combination of ARIA hardware, in the form of a Secure Intelligent Adapter (SIA), and software, specifically Packet Intelligence and SDS orchestrator (SDSo), provides the elements required to react instantly when an incident is detected. When integrated with the ARIA solution, you can create playbooks that instruct one or more SIAs to add, modify, or delete rules automatically. These rule changes, which take effect immediately, can block conversations, redirect packets to a recorder or VLAN, or perform a variety of other actions.
Atlassian Confluence ServerAtlassian Confluence Server API
Atlassian IAMIntegrate with Atlassian's services to execute CRUD operations for employee lifecycle processes.
Atlassian Jira v2Use the Jira integration to manage issues and create Demisto incidents from projects, From version XSOAR 6.0 and above mirror issues to existing issue incidents in demisto.
AttackIQ PlatformAn attack simulation platform that provides validations for security controls, responses, and remediation exercises.
Attivo BotsinkNetwork-based Threat Deception for Post-Compromise Threat Detection.
AutoFocus Daily FeedUse the AutoFocus Daily feed to export threat intelligence data produced by AutoFocus and connected services to provide actionable data for the Palo Alto Networks firewall as well as third party TIP and SIEM solutions. AutoFocus feed return a list which includes IP addresses, domains, URLs, and hash indicators which are updated daily.
AutoFocus FeedUse the AutoFocus Feeds integration to fetch indicators from AutoFocus.
Awake SecurityNetwork Traffic Analysis
AWS - CloudTrailAmazon Web Services CloudTrail.
AWS - CloudWatchLogsAmazon Web Services CloudWatch Logs (logs).
AWS - EC2Amazon Web Services Elastic Compute Cloud (EC2)
AWS - GuardDutyAmazon Web Services Guard Duty Service (gd)
AWS - IAMAmazon Web Services Identity and Access Management (IAM)
AWS - LambdaAmazon Web Services Serverless Compute service (lambda)
AWS - Route53Amazon Web Services Managed Cloud DNS Service.
AWS - S3Amazon Web Services Simple Storage Service (S3)
AWS - Security HubAmazon Web Services Security Hub Service.
AWS - SQSAmazon Web Services Simple Queuing Service (SQS)
AWS FeedUse the AWS feed integration to fetch indicators from the feed.
AWS Network FirewallAWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect. Network Firewall uses rules that are compatible with Suricata, a free, open source intrusion detection system (IDS) engine.
AWS SagemakerAWS Sagemaker - Demisto Phishing Email Classifier
AWS Simple Notification Service (AWS SNS)Use AWS SNS to send notifications to XSOAR.
AxoniusThis integration is for fetching information about assets in Axonius.
Azure AD Connect Health FeedUse the Microsoft Azure AD Connect Health Feed integration to get indicators from the feed.
Azure Compute v2Create and Manage Azure Virtual Machines
Azure FeedAzure.CloudIPs Feed Integration.
Azure Kubernetes Services (Beta)Deploy and manage containerized applications with a fully managed Kubernetes service.
Azure Log Analytics (Beta)Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments.
Azure Network Security GroupsAzure network security groups are used to filter network traffic to and from Azure resources in an Azure virtual network.
Azure Security Center v2Unified security management and advanced threat protection across hybrid cloud workloads.
Azure Sentinel (Beta)Use the Azure Sentinel integration to get and manage incidents and get related entity information for incidents.
Azure SQL Management (Beta)Microsoft Azure SQL Management Integration manages the Auditing and Threat Policies for Azure SQL.
Azure Web Application FirewallThe Azure WAF (Web Application Firewall) integration provides centralized protection of your web applications from common exploits and vulnerabilities.
It enables you to control policies that are configured in the Azure Firewall management platform, and allows you to add, delete, or update policies,
and also to get details of a specific policy or a list of policies.
Bambenek Consulting FeedUse the Bambenek Consulting feed integration to fetch indicators from the feed.
Barracuda Reputation Block List (BRBL)This integration enables reputation checks against IPs from Barracuda Reputation Block List (BRBL)
Bastille NetworksRF monitoring for wireless intrusion detection and policy enforcement. Visit https://www.bastille.net for details.
BeyondTrust Password SafeUnified password and session management for seamless accountability and control over privileged accounts.
BigFixIBM BigFix Patch provides an automated, simplified patching process that is administered from a single console.
BitcoinAbuse FeedBitcoinAbuse.com is a public database of bitcoin addresses used by hackers and criminals.
BitDamBitDam secure email gateway protects from advanced content-borne threats with the most accurate prevention of known and unknown threats, at their source.
Bluecat Address ManagerUse the BlueCat Address Manager integration to enrich IP addresses and manage response policies.
Blueliv ThreatCompassBlueliv ThreatCompass systematically looks for information about companies,products, people, brands, logos, assets, technology and other information, depending on your needs. Blueliv ThreatCompass allows you to monitor and track all this information to keep your data, your
organization and its employees safe
Blueliv ThreatContextThe Threat Context module provides SOC, Incident Response, and Threat Intelligence teams with continuously updated and intuitive information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs.
BMC Helix RemedyforceBMC Helix Remedyforce integration enables customers to create/update service requests and incidents, update statuses, and resolve service requests and incidents with customer notes. This integration exposes standard ticketing capabilities that can be utilized as part of automation & orchestration.
BMC Remedy ARBMC Remedy AR System is a professional development environment that leverages the recommendations of the IT Infrastructure Library (ITIL) and provides a foundation for Business Service Management (BSM) solutions. For incident management (i.e. create, fetch, update), please refer to Remedy On-Demand integration.
BonuslyThe Bonusly integration is used to interact with the Bonusly platform through the API. Bonusly is an employee recognition platform which enterprises use to for employee recognition.
Box v2Manage Box users.
C2sec iriskUnderstand Your Cyber Exposure as Easy as a Google Search
CentreonIT & Network Monitoring
Centrify VaultLeverage the Centrify Vault integration to create and manage Secrets.
Check Point Firewall (Deprecated)Deprecated. Use the Check Point Firewall v2 integration instead. Manage Check Point firewall via API
Check Point Firewall v2Read information and to send commands to the Check Point Firewall server.
CheckPhishCheck any URL to detect supsicious behavior.
CherwellCloud-based IT service management solution
ChronicleUse the Chronicle integration to retrieve Asset alerts or IOC Domain matches as Incidents. Use it to fetch a list of infected assets based on the indicator accessed. This integration also provides reputation and threat enrichment of indicators observed in the enterprise.
CIRCLCIRCL Passive DNS is a database storing historical DNS records from various resources.
CIRCL Passive SSL is a database storing historical X.509 certificates seen per IP address. The Passive SSL historical data is indexed per IP address.
Cisco ASAUse the Cisco Adaptive Security Appliance Software integration to manage interfaces, rules, and network objects.
Cisco Email Security (beta)Cisco Email Security is an email security gateway . It detects and blocks a wide variety of email-borne threats, such as malware, spam and phishing.
Cisco FirepowerUse the Cisco Firepower integration for unified management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection.
Cisco ISENext-generation secure network access.
Cisco Threat GridQuery and upload samples to Cisco threat grid.
Cisco Umbrella Cloud SecurityAdds domains to Umbrella block list
Cisco Umbrella EnforcementAdd and remove domains in Cisco OpenDNS.
Cisco Umbrella InvestigateCisco Umbrella Investigate
ClarotyUse the Claroty CTD integration to manage assets and alerts.
CloakenUnshorten URLs onsite using the power of a Tor proxy server to prevent leaking IP addresses to adversaries.
CloudConvertUse the CloudConvert integration to convert your files to the desired format.
CloudShare (Beta)Cloudshare integration.
CloudSharkUse the CloudShark integration to upload, share, and collaborate on network packet capture files using your on-premises CS Enterprise system.
Code42Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.
Cofense Triage (Deprecated)Deprecated. Use the Cofense Triage v2 integration instead.
Cofense Triage v2Use the Cofense Triage integration to ingest reported phishing indicators.
CognniAutonomous detection and investigation of information security incidents and other potential threats.
CoralogixFetch incidents, search for supporting data and tag interesting datapoints in/from your Coralogix account
Cortex Data LakePalo Alto Networks Cortex Data Lake provides cloud-based, centralized log storage and aggregation for your organization on premise, virtual (private cloud and public cloud) firewalls, for Prisma Access, and for cloud-delivered services such as Cortex XDR.
Cortex XDR - IOCUse the Cortex XDR - IOCs feed integration to sync indicators from Cortex XSOAR to Cortex XDR and back to Cortex XSOAR. Cortex XDR is the world's first detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks.
CounterCraft Deception DirectorCounterCraft Deception Solution detects advanced adversaries. Automate counterintelligence campaigns to discover targeted attacks with real-time active response.
CrowdStrike FalconThe CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment. getting behaviors by ID, containing hosts, and lifting host containment.
CrowdStrike Falcon Intel (Deprecated)Deprecated. Use CrowdStrike Falcon Intel v2 integration instead.
Crowdstrike Falcon Intel FeedThe CrowdStrike intelligence team tracks the activities of threat actor groups and advanced persistent threats (APTs) to understand as much as possible about their known aliases, targets, methods, and more. This integration retrieves indicators from the Crowdstrike Falcon Intel Feed
CrowdStrike Falcon Intel v2CrowdStrike Threat intelligence service integration helps organizations defend themselves against adversary activity by investigating incidents, and accelerating alert triage and response.
CrowdStrike Falcon SandboxFully automated malware analysis (formerly Payload Security VxStream).
CrowdStrike Falcon Streaming v2Use the CrowdStrike Falcon Stream v2 integration to stream detections and audit security events.
CrowdStrike Falcon XUse the CrowdStrike Falcon X integration to submit files, file hashes, URLs, and FTPs for sandbox analysis, and to retrieve reports.
CrowdStrike MalqueryUse the MalQuery Integration to query the contents of clean and malicious binary files, which forms part of Falcon's search engine.
CryptocurrencyCryptocurrency will help classify Cryptocurrency indicators with the configured score when ingested.
CSV FeedFetch indicators from a CSV feed.
Cuckoo SandboxMalware dynamic analysis sandboxing
CVE Search v2Searches for CVE information using circl.lu.
Cyber TriageAllows you to conduct a mini-forensic investigation on an endpoint. It pushes a collection tool to the remote endpoint, collects volatile and file system data, and analyzes the data.
CyberArk AIM (Deprecated)Deprecated. Use the CyberArk AIM v2 integration instead.
CyberArk AIM v2The CyberArk Application Identity Manager (AIM) provides a secure safe in which to store your account credentials. Use this integration to retrieve the account credentials in CyberArk AIM.
CyberArk PASUse the CyberArk Privileged Access Security (PAS) solution to manage users, safes, vaults, and accounts from Cortex XSOAR.
CybereasonEndpoint detection and response to manage and query malops, connections and processes.
CyberintCyberint provides intelligence-driven digital risk protection. This integration will help your enterprise effectively consume actionable cyber alerts to increase your security posture.
CyberTotalCyberTotal is a cloud-based threat intelligence service developed by CyCraft.
Cyjax FeedThe feed allows customers to pull indicators of compromise from cyber incidents (IP addresses, URLs, domains, CVE and file hashes)
Cylance Protect v2Manage Endpoints using Cylance protect
CymptomCymptom is a Breach and Attack Simulation solution that revolutionizes the existing approach by transforming attack simulation into a data analysis question. Cymptom agentless scanning brings real-time always-on visibility into the entire security posture.
CymulateMulti-Vector Cyber Attack, Breach and Attack Simulation
Cyren Threat InDepth Threat Intelligence FeedThreat InDepth's actionable and contextualized intelligence helps enterprises improve their threat detection and response by providing unprecedented visibility into new email-borne security threats faster than other security vendors.
Cyware Threat Intelligence eXchangeThis is Cyware Threat Intelligence eXhange(CTIX) integration which enriches IP/Domain/URL/File Data.
DarktraceRapid detection of malicious behavior can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate and manage security events before they have time to escalate.
Deep InstinctThe Deep Learning cybersecurity platform, for zero time prevention.
DeHashedThis integration allows you to check if your personal information such as your email, username, or password is being compromised.
Dell SecureworksProvides access to the Secureworks CTP ticketing system
Demisto LockLocking mechanism that prevents concurrent execution of different tasks
DevoQuery data from Devo
Devo v2Use the Devo v2 integration to query Devo for alerts, lookup tables, and to write to lookup tables.
DHS FeedThe Cybersecurity and Infrastructure Security Agency’s (CISA’s) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators, at machine speed, to the Federal Government community.
Digital Defense FrontlineVMUse the Digital Defense FrontlineVM to identify and evaluate the security and business risks of network devices and applications deployed as premise, cloud, or hybrid network-based implementations.
Digital GuardianUse Digital Guardian Integration to fetch incidents and to programmatically add or remove entries from watchlists and component lists.
dnstwistUse the DNSTwist integration to detect typosquatting, phishing, and corporate espionage.
DomainTools IrisA threat intelligence and investigation platform for domain names, IP addresses, email addresses, name servers and so on.
Druva Ransomware ResponseDruva Ransomware Response Integration provides ransomware protection for endpoints, SaaS applications and data center workloads for Druva Ransomware Recovery customers.
DuoDUO authentication service.
EasyVistaEasyVista Service Manager manages the entire process of designing, managing and delivering IT services.
EclecticIQ PlatformThreat Intelligence Platform that connects and interprets intelligence data from open sources, commercial suppliers and industry partnerships.
Elasticsearch FeedFetches indicators stored in an Elasticsearch database.
Elasticsearch v2Search for and analyze data in real time.
Supports version 6 and later.
EmailRep.ioProvides email address reputation and reports.
EndaceThe EndaceProbe Analytics Platform provides 100% accurate, continuous packet capture on network links up to 100Gbps, with unparalleled depth of storage and retrieval performance. Coupled with the Endace InvestigationManager, this provides a central search and data-mining capability across a fabric of EndaceProbes deployed in a network.

This integration uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager and enables integration of full historical packet capture into security automation workflows.
EWS Mail SenderExchange Web Services mail sender. Note: this integration supports Office 365 basic authentication only. If you are using Office 365, we recommend using the EWS O365 Integration instead, which supports modern authentication (oauth2).
EWS O365The new EWS O365 integration uses OAuth 2.0 protocol and can be used with Exchange Online and Office 365 (mail).
EWS v2Exchange Web Services and Office 365 (mail)
ExabeamThe Exabeam Security Management Platform provides end-to-end detection, User Event Behavioral Analytics, and SOAR.
Exchange 2016 Compliance SearchExchange Server 2016 Compliance Search enables you to search for and delete an email message from all mailboxes in your organization.
ExpanseThe Expanse App for Demisto leverages the Expander API to retrieve network exposures and risky flows to create incidents in Demisto. This application also allows for IP, Domain, Certificate, Behavior, and Exposure enrichment, retrieving assets and exposures information drawn from Expanse’s unparalleled view of the Internet.
Expanse Expander FeedUse this feed to retrieve the discovered IPs/Domains/Certificates from Expanse Expander asset database.
Expanse v2The Expanse v2 integration for Cortex XSOAR leverages the Expander API to create incidents from Expanse issues. It also leverages Expanse's unparalleled view of the Internet to enrich IPs, domains and certificates using information from assets discovered by Expanse Expander and risky flows detected by Expanse Behavior.
Export Indicators ServiceUse the Export Indicators Service integration to provide an endpoint with a list of indicators as a service for the system indicators.
ExtraHop Reveal(x) v2Network detection and response. Complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.
F5 Application Security Manager (WAF)Manages F5 firewall
F5 firewallManages F5 firewall rules
FalconHost (Deprecated)Deprecated. Use the CrowdStrike Falcon integration instead.
Farsight DNSDBQuery Farsight DNSDB service
Farsight DNSDB v2Farsight Security DNSDB
DNSDB is a Passive DNS (pDNS) historical database that provides a unique, fact-based, multifaceted view of the configuration of the global Internet infrastructure DNSDB leverages the richness of Farsight’s Security Information Exchange (SIE) data-sharing platform and is engineered and operated by leading DNS experts.
Fidelis EDRUse the Fidelis Endpoint integration for advanced endpoint detection and response (EDR) across Windows, Mac and Linux OSes for faster threat remediation.
Fidelis Elevate NetworkAutomate Detection and Response to Network Threats and data leakage in your organization with Fidelis Elevate Network Integration.
FireEye (AX Series)Perform malware dynamic analysis
FireEye Detection on DemandFireEye Detection On Demand is a threat detection service delivered as an API for integration into the SOC workflow, SIEM analytics, data repositories, or web applications, etc. It delivers flexible file and content analysis to identify malicious behavior wherever the enterprise needs it.
FireEye ETPFireEye Email Threat Prevention (ETP Cloud) is a cloud-based platform that protects against advanced email attacks.
FireEye FeedFireEye Intelligence Feed Integration.
FireEye HelixFireEye Helix is a security operations platform. FireEye Helix integrates security tools and augments them with next-generation SIEM, orchestration and threat intelligence tools such as alert management, search, analysis, investigations and reporting.
FireEye HXFireEye Endpoint Security is an integrated solution that detects what others miss and protects endpoint against known and unknown threats. The HX Demisto integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. Customers can extract critical data and effectively operate security operations automated playbook
FireEye NXFireEye Network Security is an effective cyber threat protection solution that helps organizations minimize the risk of costly breaches by accurately detecting and immediately stopping advanced, targeted, and other evasive attacks hiding in internet traffic.
FlashpointUse the Flashpoint integration to reduce business risk.
ForcepointAdvanced threat protection with added local management controls.
ForescoutUnified device visibility and control platform for IT and OT Security.
FortiGateManage FortiGate Firewall
FortiManagerFortiManager is a single console central management system that manages Fortinet devices.
FortiSIEMSearch and update events of FortiSIEM and manage resource lists.
FreshdeskThe Freshdesk integration allows you to create, update, and delete tickets; reply to and create notes for tickets as well as view Groups, Agents and Contacts.
G Suite AdminG Suite or Google Workspace Admin is an integration to perform an action on IT infrastructure, create users, update settings, and more administrative tasks.
GCP Whitelist FeedUse the Google Cloud Platform whitelist integration to get indicators from the feed.
Generic SQLUse the Generic SQL integration to run SQL queries on the following databases: MySQL, PostgreSQL, Microsoft SQL Server, and Oracle.
Generic WebhookThe Generic Webhook integration is used to create incidents on event triggers. The trigger can be any query posted to the integration.
GeniansUse the Genian NAC integration to block IP addresses using the assign tag.
GitHubIntegration to GitHub API
GitHub IAMIntegrate with GitHub services to perform Identity Lifecycle Management operations.
GmailGmail API and user management (This integration replaces the Gmail functionality in the GoogleApps API and G Suite integration).
Gmail Single User (Beta)Gmail API using OAuth 2.0.
Google BigQueryIntegration for Google BigQuery, a data warehouse for querying and analyzing large databases. In all commands, for any argument not specified, the BigQuery default value for that argument will be applied.
Google CalendarGoogle Calendar is a time-management and scheduling calendar service developed by Google. This integration helps you to perform various tasks on the access control list (ACL).
Google Cloud ComputeGoogle Compute Engine delivers virtual machines running in Google's innovative data centers and worldwide fiber network. Compute Engine's tooling and workflow support enable scaling from single instances to global, load-balanced cloud computing.
Google Cloud FunctionsGoogle Cloud Functions is an event-driven serverless compute platform that enables you to run your code locally or in the cloud without having to provision servers.
Google Cloud Pub/SubGoogle Cloud Pub/Sub is a fully-managed real-time messaging service that enables you to send and receive messages between independent applications.
Google Cloud StorageGoogle Cloud Storage is a RESTful online file storage web service for storing and accessing data on Google Cloud Platform infrastructure.
Google Cloud TranslateA Google API cloud based translation service.
Google DocsUse the Google Docs integration to create and modify Google Docs documents.
Google DriveGoogle Drive allows users to store files on their servers, synchronize files across devices, and share files. This integration helps you to create a new drive, query past activity, and view change logs performed by the users.
Google Kubernetes EngineThe Google Kubernetes Engine integration is used for building and managing container based
applications in Google Cloud Platform (GCP), powered by the open source Kubernetes technology.
Google Resource ManagerGoogle Cloud Platform Resource Manager
Google VaultArchiving and eDiscovery for G Suite.
GoogleApps API and G SuiteSend messages and notifications to your Mattermost Team.
GophishGophish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing. For Free
GraphQLThe Generic GraphQL client can interact with any GraphQL server API.
GraylogIntegration with Graylog to search for logs and events
GreatHornThe only cloud-native security platform that stops targeted social engineering and phishing attacks on cloud email platforms like Office 365 and G Suite.
GreyNoiseGreyNoise is a cybersecurity platform that collects and analyzes Internet-wide scan and attack traffic. With this integration, users can contextualize existing alerts, filter false-positives, identify compromised devices, and track emerging threats.
Group-IB TDS PolygonTDS Polygon is a Malware Detonation & Research platform designed for deep dynamic analysis and enhanced indicators extraction. TDS Polygon analyzes submitted files and urls and extracts deep IOCs that appear when malicious code is triggered and executed. Polygon could be used either for application-level tasks (like smtp-based mail filtering) and analytical purposes (files/urls analysis for verdict, report and indicators).
GRRUse GRR Rapid Response framework
Gurucul-GRAGurucul Risk Analytics (GRA) is a Unified Security and Risk Analytics platform.
HashiCorp VaultManage Secrets and Protect Sensitive Data through HashiCorp Vault
Have I Been Pwned? v2Uses the Have I Been Pwned? service to check whether email addresses, domains, or usernames were compromised in previous breaches.
HelloWorldThis is the Hello World integration for getting started.
HelloWorldPremiumThis is the Hello World Premium integration for getting started
HumioIntegration with Humio
Hybrid AnalysisFully automated malware analysis with unique Hybrid Analysis.
IBM QRadarFetch offenses as incidents and search QRadar
IBM QRadar v2Fetch offenses from QRadar using Cortex XSOAR. You can fetch the offenses with their related events and assets by creating a comma-separated list of event fields.
IBM Resilient SystemsCase management that enables visibility across your tools for continual IR improvement
IBM X-Force Exchange v2IBM X-Force Exchange lets you receive threat intelligence about applications, IP addresses, URls and hashes
IcebrgReduces risk by accelerating threat detection, triage, and response to rapidly-evolving breaches across global networks.
iDefense (Deprecated)Deprecated. Use the iDefense v2 integration instead.
iDefense FeedFetches indicators from a iDefense feed. You can filter returned indicators by indicator type, indicator severity, threat type, confidence, and malware family (each of these are an integration parameter).
iDefense v2iDefense provides intelligence regarding security threats and vulnerabilities.
illuminate (Deprecated)Deprecated. Use Analyst1 integration instead.
IllusiveNetworksThe Illusive Attack Management API allows customers to retrieve detected incidents with a forensics timeline, attack surface insights, collect forensics on-demand, and manage a variety of operations with regard to deceptive entities, deception policies, and more.
Image OCRExtracts text from images.
IndeniIndeni is a turn-key automated monitoring platform providing visibility for security infrastructure. Indeni's production-ready knowledge is curated from vetted, community-sourced experience to automate tedious tasks and integrate with your existing processes.
InfinipointUse the Infinipoint integration to retrieve security and policy incompliance events, vulnerabilities or incidents. Investigate and respond to events in real-time.
InfoArmor VigilanteATIVigilanteATI redefines Advanced Threat Intelligence. InfoArmor's VigilanteATI platform and cyber threat services act as an extension of your IT security team.
InfobloxInfoblox enables you to receive metadata about IPs in your network and manages the DNS Firewall by configuring RPZs. It defines RPZ rules to block DNS resolution for malicious or unauthorized hostnames, or redirect clients to a walled garden by substituting responses.
InfocyteInfocyte can pivot off incidents to automate triage, validate events with forensic data, and enable dynamic response actions against any or all hosts using either agentless or agent-based endpoint access.
Intel471 Actors FeedIntel 471's Actors feed is an actor-centric intelligence feature. It combines both a field-based intelligence collection and a headquartered-based intelligence analysis component. This feed allows getting data out of closed sources (typically referred to as the deep and dark web) where threat actors collaborate, communicate, and plan cyber attacks.
Intel471 Malware FeedIntel471's Malware Intelligence is focused on the provisioning of a high fidelity and timely indicators feed with rich context, TTP information, and malware intelligence reports. This feed allows customers to block and gain an understanding of the latest crimeware campaigns and is for those that value timeliness, confidence (little to no false positives), and seek rich context and insight around the attacks they are seeing.
Intezer v2Malware detection and analysis based on code reuse
ipinfoUse the ipinfo.io API to get data about an IP address
IronDefenseThe IronDefense Integration for Cortex XSOAR allows users to interact with IronDefense alerts within Cortex XSOAR. The Integration provides the ability to rate alerts, update alert statuses, add comments to alerts, to report observed bad activity, get alerts, get events, and get IronDome information.
Ivanti HeatUse the Ivanti Heat integration to manage issues and create Cortex XSOAR incidents from Ivanti Heat.
Ja3erQuery the ja3er API for MD5 hashes of JA3 fingerprints.
JARMActive TLS fingerprinting using JARM
JaskFreeing the analyst with autonomous decisions
Joe SecuritySandbox Cloud
JSON FeedFetches indicators from a JSON feed.
JsonWhoIsProvides data enrichment for domains and IP addresses.
Kafka v2The Open source distributed streaming platform
Kenna v2Use the Kenna v2 integration to search and update vulnerabilities, schedule a run connector, and manage tags and attributes.
LaceworkLacework provides end-to-end cloud security automation for AWS, Azure, and GCP with a comprehensive view of risks across cloud workloads and containers.
Lastline v2Use the Lastline v2 integration to provide threat analysts and incident response teams with the advanced malware isolation and inspection environment needed to safely execute advanced malware samples, and understand their behavior.
Lockpath KeyLight v2Use the LockPath KeyLight integration to manage GRC tickets in the Keylight platform.
LogPoint SIEM IntegrationUse this Content Pack to fetch incident logs from LogPoint, analyze them for underlying threats, and respond to these threats in real-time.
LogRhythmLogRhythm security intelligence
LogRhythmRestLogRhythm security intelligence.
Logz.ioFetch & remediate security incidents identified by Logz.io Cloud SIEM
LookerUse the Looker integration to query an explore, save queries as looks, run looks, and fetch look results as incidents.
Mail Listener v2Listens to a mailbox and enables incident triggering via e-mail.
Mail Sender (New)Send emails implemented in Python with embedded image support
Majestic Million FeedFree search and download of the top million websites.
MaltiverseUse the Maltiverse integration to analyze suspicious hashes, URLs, domains and IP addresses.
MalwarebytesScan and Remediate threats on endpoints in the Malwarebytes cloud.
MattermostSend messages and notifications to your Mattermost Team.
MaxMind GeoIP2Enriches IP addresses
McAfee Active ResponseConnect to MAR using its DXL client
McAfee Advanced Threat DefenseIntegrated advanced threat detection: Enhancing protection from network edge to endpoint
McAfee DAMMcAfee Database Activity Monitoring
McAfee DXLMcAfee DXL client
McAfee ePOMcAfee ePolicy Orchestrator
McAfee ESM v10 and v11 (Deprecated)Deprecated. Use the McAfee ESM v2 integration instead.
McAfee ESM v2This integration runs queries and receives alarms from McAfee Enterprise Security Manager (ESM). Supports version 10 and above.
McAfee NSMMcAfee Network Security Manager
McAfee Threat Intelligence ExchangeConnect to McAfee TIE using the McAfee DXL client.
Microsoft Advanced Threat AnalyticsUse Microsoft Advanced Threat Analytics integration to manage suspicious activities, monitoring alerts and entities.
Microsoft Cloud App SecurityMicrosoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services. Use the integration to view and resolve alerts, view activities, view files, and view user accounts.
Microsoft Defender for EndpointMicrosoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection (ATP)) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
Microsoft Endpoint Configuration ManagerMicrosoft Endpoint Configuration Manager (formerly known as SCCM) provides the overall Configuration Management (CM) infrastructure and environment to the product development team.
Microsoft Graph APIUse the Microsoft Graph API integration to interact with Microsoft APIs that do not have dedicated integrations in Cortex XSOAR, for example, Mail Single-User, etc.
Microsoft Graph ApplicationsUse the Microsoft Graph Applications integration to manage authorized applications.
Microsoft Graph CalendarMicrosoft Graph Calendar enables you to create and manage different calendars and events according to your requirements.
Microsoft Graph Device Management (Microsoft Intune)Microsoft Intune is a Microsoft cloud-based management solution that provides mobile device and operating system management.
Microsoft Graph FilesUse the Microsoft Graph Files integration to enable your app to get authorized access to files in OneDrive, SharePoint, and MS Teams across your entire organization. This integration requires admin consent.
Microsoft Graph GroupsMicrosoft Graph Groups enables you to create and manage different types of groups and group functionality according to your requirements.
Microsoft Graph Identity & AccessUse the Microsoft Graph Identity and Access integration to manage roles and members.
Microsoft Graph MailMicrosoft Graph lets your app get authorized access to a user's Outlook mail data in a personal or organization account.
Microsoft Graph Mail Single UserMicrosoft Graph grants Demisto authorized access to a user's Microsoft Outlook mail data in a personal account or organization account.
Microsoft Graph SecurityUnified gateway to security insights - all from a unified Microsoft Graph Security API.
Microsoft Graph UserUnified gateway to security insights - all from a unified Microsoft Graph User API.
Microsoft Management Activity API (O365 Azure Events)The Microsoft Management Activity API integration enables you to subscribe or unsubscribe to different audits, receive their content and fetch new content as incidents.
Microsoft Policy And Compliance (Audit Log)Use the integration to get logs from the O365 service.
Microsoft TeamsSend messages and notifications to your team members.
Microsoft Teams ManagementManage teams and members in Microsoft Teams.
Mimecast v2Mimecast unified email management offers cloud email services for email security, continuity and archiving emails. Please read detailed instructions in order to understand how to set the integration's parameters.
Minerva Labs Anti-Evasion PlatformMinerva eliminates the endpoint security gap while empowering companies to embrace technology fearlessly.
MISP v2Malware information sharing platform and threat sharing.
MITRE ATT&CK FeedUse the MITRE ATT&CK® feed to fetch MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) content. MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
mnemonic MDR - Argus Managed DefenceRapidly detect, analyse and respond to security threats with mnemonic’s leading Managed Detection and Response (MDR) service.
MobileIronCLOUDMobileIron Cloud Integration
MobileIronCOREMobileIron CORE Integration
MolochUses the Moloch viewer API
MongoDBUse the MongoDB integration to search and query entries in your MongoDB.
MongoDB Key Value StoreStores and manipulates key/value pairs for an incident in a MongoDB collection.
MongoDB LogWrites log data to a MongoDB collection.
NetskopeCloud access security broker that enables you to find, understand, and secure cloud apps.
nmapRun nmap scans with the given parameters
Nozomi NetworksThe Nozomi Networks Guardian platform is a hardware or virtual appliance that is used to monitor OT/IoT/IT networks. It combines asset discovery, network visualization, vulnerability assessment, risk monitoring and threat detection in a single solution.
This integration is used to gather alerts and assets information from Nozomi.
NTT Cyber Threat SensorRetrieve alerts and recommendations from NTT CTS
Nutanix HypervisorNutanix Hypervisor abstracts and isolates the VMs and their programs from the underlying server hardware, enabling a more efficient use of physical resources, simpler maintenance and operations, and reduced costs.
O365 - EWS - ExtensionThis integration enables you to manage and interact with Microsoft O365 - Exchange Online from within XSOAR.
O365 - EWS - Extension Online Powershell v2Use the EWS Extension Online Powershell v2 integration to get information about mailboxes and users in your organization.
O365 - Security And Compliance - Content Search (beta)This integration allows you to manage and interact with Microsoft security and compliance content search.
Office 365 FeedThe Office 365 IP Address and URL web service is a read-only API provided by Microsoft to expose the URLs and IPs used by Office 365. The Office 365 Feed integration fetches indicators from the service, with which you can create a list (whitelist, blacklist, EDL, etc.) for your SIEM or firewall service to ingest and apply to its policy rules.
okta (Deprecated)Deprecated. Use the Okta v2 integration instead.
Okta IAMIntegrate with Okta's Identity Access Management service to execute CRUD operations to employee lifecycle processes.
Okta v2Integration with Okta's cloud-based identity management service.
OpenCTI FeedIngest indicator feeds from OpenCTI.
OpenLDAPAuthenticate using OpenLDAP.
OpenPhish v2OpenPhish uses proprietary Artificial Intelligence algorithms to automatically identify zero-day phishing sites and provide comprehensive, actionable, real-time threat intelligence.
OpsGenieGet current on-call assignments, schedules, and users info
OrcaAgentless, Workload-Deep, Context-Aware Security and Compliance for AWS, Azure, and GCP.
OTRSService management suite that comprises ticketing, workflow automation, and notification.
PacketsledPacketsled Network Security API commands
PagerDuty v2Alert and notify users using PagerDuty
Palo Alto AutoFocus (Deprecated)Deprecated. Use the Palo Alto Networks AutoFocus v2 integration instead. Palo Alto Networks AutoFocus enables you to distinguish the most important threats from everyday commodity attacks.
Palo Alto Networks - Prisma Cloud ComputeUse the Prisma Cloud Compute integration to fetch incidents from your Prisma Cloud Compute environment.
Palo Alto Networks AutoFocus v2Use the Palo Alto Networks AutoFocus integration to distinguish the most important threats from everyday commodity attacks.
Palo Alto Networks Automatic SLRAllows XSOAR to automatically generate Security Lifecycle Reviews (SLRs).
Palo Alto Networks BPAPalo Alto Networks Best Practice Assessment (BPA) analyzes NGFW and Panorama configurations and compares them to the best practices.
Palo Alto Networks Cortex (Deprecated)Deprecated. We recommend using the Cortex Data Lake integration instead. This framework manages all Palo Alto Networks cloud-managed products.
Palo Alto Networks Cortex XDR - Investigation and ResponseCortex XDR is the world's first detection and response app that natively integrates network, endpoint, and cloud data to stop sophisticated attacks.
Palo Alto Networks Enterprise DLPPalo Alto Networks Enterprise DLP discovers and protects company data across every data channel and repository. Integrated Enterprise DLP enables data protection and compliance everywhere without complexity.
Palo Alto Networks IoTThis is the Palo Alto Networks IoT integration (previously Zingbox).
Palo Alto Networks IoT 3rd PartyBase Integration for Palo Alto IoT third party integrations. This integration communicates with Palo Alto IoT Cloud to get alerts, vulnerabilities and devices.
Palo Alto Networks MineMeld (Deprecated)Deprecated. MineMeld streamlines the aggregation, enforcement and sharing of threat intelligence.
Palo Alto Networks PAN-OSManage Palo Alto Networks Firewall and Panorama. For more information see Panorama documentation.
Palo Alto Networks PAN-OS EDL ManagementThis integration enables you to manage and edit files located on a remote web server via SSH using integration context as Single Source of Truth.
Palo Alto Networks PAN-OS EDL ServiceThis integration provides External Dynamic List (EDL) as a service for the system indicators (Outbound feed).
Palo Alto Networks Threat VaultUse the Palo Alto Networks Threat Vault to research the latest threats (vulnerabilities/exploits, viruses, and spyware) that Palo Alto Networks next-generation firewalls can detect and prevent.
Palo Alto Networks TrapsEndpoint protection and response stops threats on endpoints and coordinates enforcement with network and cloud security to prevent successful cyberattacks.
The integration enables the following abilities:
- Initiate scans.
- Retrieve files from events.
- Isolate endpoints.
- Quarantine files.
- Add and remove hashes from blacklist.
- Get endpoint info.
Palo Alto Networks WildFire v2Perform malware dynamic analysis
PassiveTotal v2Analyze and understand threat infrastructure from a variety of sources (passive DNS, active DNS, WHOIS, SSL certificates and more) without devoting resources to time-intensive manual threat research and analysis.
PenteraAn Integration with Pentera by Pcysys
PerceptionPointLoads incidents from Perception Point and releases falsely quarantined emails.
PerchPerch is a co-managed threat detection and response platform.
Phish.AINext-Generation Anti-Phishing Platform Powered by AI & Computer Vision
PhishLabs IOCGet indicators of compromise from PhishLabs.
PhishLabs IOC DRPRetrieves Digital Risk Protection cases from PhishLabs.
PhishLabs IOC EIRGet Email Incident Reports from PhishLabs
PhishTank v2PhishTank is a free community site where anyone can submit, verify, track, and share phishing data.
PiHolePi-hole is a network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network.
Plain Text FeedFetches indicators from a plain text feed.
PreemptPreempt Behavioral Firewall - Detection and enforcement based on user identity
Prisma AccessIntegrate with Prisma Access to monitor the status of the Service, alert and take actions.
Prisma Access Egress IP feedDynamically retrieve and whitelist IPs Prisma Access uses to egress traffic to the internet and SaaS apps.
Prisma Cloud (RedLock)Cloud threat defense
Proofpoint Protection Server (Deprecated)Deprecated. The integration uses an unsupported scraping API. Use Proofpoint Protection Server v2 instead.
Proofpoint Protection Server v2Proofpoint email security appliance.
Proofpoint TAP v2Use the Proofpoint Targeted Attack Protection (TAP) integration to protect against and provide additional visibility into phishing and other malicious email attacks.
ProtectWiseCloud based Security Network DVR
Public DNS FeedA feed of known benign IPs of public DNS servers.
Query.AIQuery.AI is a decentralized data access and analysis technology that simplifies security investigations across disparate platforms without data duplication.
Quest KACE Systems Management Appliance (Beta)Use the comprehensive Quest KACE solution to provision, manage, secure, and service all network-connected devices.
Rapid7 InsightIDRRapid7 InsightIDR is a cloud-based SIEM that detects and responds to security incidents.
Rapid7 NexposeRapid7's on-premise vulnerability management solution, Nexpose, helps you reduce your threat exposure by enabling you to assess and respond to changes in your environment in real time and to prioritize risk across vulnerabilities, configurations, and controls.
RasterizeConverts URLs, PDF files, and emails to an image file or PDF file.
Recorded FutureUnique threat intel technology that automatically serves up relevant insights in real time.
Recorded Future v2Unique threat intel technology that automatically serves up relevant insights in real time.
Red CanaryRed Canary collects endpoint data using Carbon Black Response and CrowdStrike Falcon. The collected data is standardized into a common schema which allows teams to detect, analyze and respond to security incidents.
Remedy On-DemandUse Remedy On-Demand to manage tickets
Remote AccessTransfer files and execute commands on remote machines via SSH.
ReversingLabs A1000ReversingLabs A1000 Malware Analysis Platform
ReversingLabs Titanium CloudReversingLabs Data provides malware status of the sample
RiskIQ Digital FootprintThe RiskIQ Digital Footprint integration enables your security team to manage assets outside your firewall. Using the integration, you can view asset details, add or update assets and analyze your digital footprint from the adversary's perspective.
RiskSenseRiskSense is a cloud-based platform that provides vulnerability management and prioritization to measure and control cybersecurity risk.
RSA Archer (Deprecated)Deprecated. Use the RSA Archer v2 integration instead.
RSA Archer v2The RSA Archer GRC Platform provides a common foundation for managing policies, controls, risks, assessments and deficiencies across lines of business.
RSA NetWitness EndpointRSA NetWitness Endpoint provides deep visibility beyond basic endpoint security solutions by monitoring and collecting activity across all of your endpoints on and off your network. The RSA Demisto integration provides access to information about endpoints, modules and indicators.
RSA NetWitness Packets and LogsRSA NetWitness Logs and Packets decoders are responsible for the real-time collection of network data. The decode captures data in real time and can normalize and reconstruct data for full session analysis. In addition, the decoder can collect flow and endpoint data.
RSA NetWitness v11.1RSA NetWitness Platform provides log, network, and endpoint visibility for real-time collection, detection, and automated response together with the Demisto Enterprise platform. With full session analysis, customers can extract critical data and run automated security operations playbooks effectively.
RST Cloud - Threat Feed APIThis is the RST Threat Feed integration for interacting with the RST Threat Feed API.
RTIRRequest Tracker for Incident Response is a ticketing system which provides pre-configured queues and workflows designed for incident response teams.
Rubrik PolarisCreate a new incident when a Polaris Radar anomaly event is detected and determine if any Sonar data classification hits were found on that object.
RundeckRundeck is a runbook automation platform for incident management, business continuity, and self-service operations. The integration enables you to install software on a list of machines or perform a task periodically. It can be used when there is a new attack and you want to update the software to block the attack.
SafeBreach (Deprecated)Deprecated. SafeBreach simulates attacks across the kill chain, to validate security policy, configuration, and effectiveness. Quantify the real impact of a cyber attack on your systems at any given moment. Identify remediation options. Stay ahead of attackers.
SafeBreach v2SafeBreach automatically executes thousands of breach methods from its extensive and growing Hacker's Playbook™ to validate security control effectiveness. Simulations are automatically correlated with network, endpoint, and SIEM solutions providing data-driven SafeBreach Insights for holistic remediation to harden enterprise defenses.
SailPoint IdentityIQSailPoint IdentityIQ context pack enables XSOAR customers to utilize the deep, enriched contextual data in the SailPoint predictive identity platform to better drive identity-aware security practices.
SalesforceCRM Services
Salesforce IAMIntegrate with Salesforce's services to perform Identity Lifecycle Management operations.
SAML 2.0You can authenticate your Demisto users using SAML 2.0 authentication and your organization's as the identity provider.
SAML 2.0 - ADFS as IdPYou can authenticate your Demisto users using SAML 2.0 authentication and ADFS as the identity provider.
SAML 2.0 - Okta as IdPYou can authenticate your Demisto users using SAML 2.0 authentication and Okta as the identity provider.
SCADAfence CNMFetches data from CNM.
SecBIA threat, intelligence, and investigation platform, enabled by automation of detection and investigation, including remediation and prevention policy enforcements on all integrated appliances.
Security Intelligence Services FeedThe PassiveTotal Security Intelligence Services feed provides you with newly observed domain, malware, phishing, content and scam blacklists, with hourly ingestion available.
SecurityAdvisorContextual coaching and awareness for end users
SecuronixUse the Securonix integration to manage incidents and watchlists.
SentinelOne v2Endpoint protection
SepioGet Agent, Switches and Events from your Sepio Prime
Server Message Block (SMB) (Deprecated)Deprecated. Use the Server Message Block (SMB) v2 integration instead.
Server Message Block (SMB) v2File and directory management with an SMB server. Supports the SMB2 and SMB3 protocols.
Service Desk PlusUse this integration to manage Service Desk Plus requests. The integration allows you to create, update, and delete requests, assign groups and technicians to requests, and link/unlink requests and modify their resolution.
Service Desk Plus (On-Premise)Use this integration to manage your on-premises Service Desk Plus requests. The integration allows you to create, update, and delete requests, assign groups and technicians to requests, and link/unlink requests and modify their resolution.
ServiceNow (Deprecated)Deprecated. Use the ServiceNow v2 integration instead.
ServiceNow CMDBServiceNow CMDB is a service-centric foundation that proactively analyzes service-impacting changes, identifies issues, and eliminates outages.
ServiceNow IAMIntegrate with ServiceNow's services to execute CRUD operations for employee lifecycle processes.
ServiceNow v2Use The ServiceNow IT Service Management (ITSM) solution to modernize the way you manage and deliver services to your users.
Signal Sciences WAFProtect your web application using Signal Sciences.
SilverfortUse the Silverfort integration to get and update Silverfort risk severity.
Sixgill DarkFeed EnrichmentSixgill Darkfeed Enrichment, powered by the broadest automated collection from the deep and dark web, is the most comprehensive IOC enrichment solution on the market. By enriching Palo Alto Networks Cortex XSOAR IOCs with Darkfeed, customers gain unparalleled context and essential explanations in order to accelerate their incident prevention and response and stay ahead of the threat curve. Automatically enrich Cortex XSOAR IOCs (machine to machine) via Darkfeed. Block threats and enrich endpoint protection in real-time from the Cortex XSOAR dashboard, gain contextual and actionable insights with essential explanations of Cortex XSOAR IOCs.
Sixgill DarkFeed Threat IntelligenceLeverage the power of Sixgill to supercharge Cortex XSOAR with real-time Threat Intelligence indicators. Get IOCs such as domains, URLs, hashes, and IP addresses straight into the XSOAR platform.
Skyformation (Deprecated)Deprecated. Vendor has declared end of life for this integration. No available replacement.
Slack IAMIntegrate with Slack's services to execute CRUD operations for employee lifecycle processes.
Slack v2Send messages and notifications to your Slack team.
SlashNext Phishing Incident ResponseSlashNext Phishing Incident Response integration allows Cortex XSOAR users to fully automate analysis of suspicious URLs. For example, IR teams responsible for abuse inbox management can extract links or domains out of suspicious emails and automatically analyze them with the SlashNext SEER threat detection cloud to get definitive, binary verdicts (malicious or benign) along with IOCs, screen shots, and more. Automating URL analysis can save IR teams hundreds of hours versus manually triaging these emails or checking URLs and domains against less accurate phishing databases and domain reputation services.
SMIME MessagingUse the S/MIME (Secure Multipurpose Internet Mail Extensions) integration to send and receive secure MIME data.
Smokescreen IllusionBLACKSmokescreen IllusionBLACK is a deception-based threat defense platform designed to accurately and efficiently detect targeted threats including reconnaissance, lateral movement, malware-less attacks, social engineering, Man-in-the-Middle attacks, and ransomware in real-time.
SNDBOXSNDBOX as a service
SnowflakeAnalytic data warehouse provided as Software-as-a-Service.
Sophos CentralThe unified console for managing Sophos products.
Sophos FirewallOn-premise firewall by Sophos enables you to manage your firewall, respond to threats, and monitor what’s happening on your network.
SpamcopSpamCop is an email spam reporting service; the integration allows checking the reputation of an IP address.
Spamhaus FeedUse the Spamhaus feed integration to fetch indicators from the feed.
SplunkPyRun queries on Splunk servers.
Stealthwatch CloudProtect your cloud assets and private network
SumoLogicCloud-based service for logs & metrics management
Symantec Blue Coat Content and Malware Analysis (Beta)Symantec Blue Coat Content and Malware Analysis integration.
Symantec Data Loss Prevention (Beta)Symantec Data Loss Prevention enables you to discover, monitor and protect your sensitive corporate information.
Symantec Endpoint Protection v2Query the Symantec Endpoint Protection Manager using the official REST API.
Symantec Managed Security ServicesLeverage the power of Symantec Managed Security Services for continual threat monitoring and customized guidance 24x7
Symantec Management CenterSymantec Management Center provides a unified management environment for the Symantec Security Platform portfolio of products.
Symantec Messaging GatewaySymantec Messaging Gateway protects against spam, malware, targeted attacks and provides advanced content filtering, data loss prevention, and email encryption.
SynapseSynapse intelligence analysis platform.
SyslogSyslog events logger. Automatically convert incoming logs to incidents.
Syslog SenderUse the Syslog Sender integration to send messages and mirror incident War Room entries to Syslog.
Talos FeedUse the Talos Feed integration to get indicators from the feed.
TaniumTanium endpoint security and systems management
Tanium Threat ResponseUse the Tanium Threat Response integration to manage endpoints processes, evidence, alerts, files, snapshots, and connections.
Tanium v2Tanium endpoint security and systems management
TAXII 2 FeedIngests indicator feeds from TAXII 2.0 and 2.1 servers.
TAXII FeedIngests indicator feeds from TAXII 1.x servers.
TAXII ServerThis integration provides TAXII Services for system indicators (Outbound feed).
Tenable.ioA comprehensive asset centric solution to accurately track resources while accommodating dynamic assets such as cloud, mobile devices, containers and web applications.
Tenable.scWith Tenable.sc (formerly SecurityCenter) you get a real-time, continuous assessment of your security posture so you can find and fix vulnerabilities faster.
Thinkst CanaryBy presenting itself as an apparently benign and legitimate service, the Canary draws the attention of unwanted activity. When someone trips one of the Canary's triggers, an alert is sent to notify the responsible parties so that action can be taken before valuable systems in your network are compromised.
ThreatConnect (Deprecated)Deprecated. Use the ThreatConnect v2 integration instead.
ThreatConnect FeedThis integration fetches indicators from ThreatConnect.
ThreatConnect v2ThreatConnect's intelligence-driven security operations solution with intelligence, automation, analytics, and workflows.
ThreatQ v2A threat intelligence platform that collects and interprets intelligence data from open sources and manages indicator scoring, types, and attributes.
ThreatXThe ThreatX integration allows automated enforcement and intel gathering actions.
Trend Micro ApexTrend Micro Apex central automation to manage agents and User-Defined Suspicious Objects
TrendMicro Cloud App SecurityUse Trend Micro Cloud App Security integration to protect against ransomware, phishing, malware, and unauthorized transmission of sensitive data for cloud applications, such as Microsoft 365, Box, Dropbox, Google G Suite and Salesforce.
TripwireTripwire is a file integrity management (FIM) tool; it monitors files and folders on systems and is triggered when they change.
TruSTAR (Deprecated)Deprecated. Use the TruSTAR v2 integration instead.
TruSTAR v2TruSTAR is an Intelligence Management Platform that helps you operationalize data across tools and teams, helping you prioritize investigations and accelerate incident response.
TufinRetrieve and analyze network access controls across Tufin-managed firewalls, SDN, and public cloud to identify vulnerable access paths an attack could use.
TwinwaveTwinWave’s threat analysis platform analyzes both URLs and files to detect credential phishing and malware threats. Our platform automatically navigates complex attack chains that attackers put in front of threats in order to evade analysis. In addition to detecting threats, the TwinWave platform generates actionable intelligence for threat hunting and other activities.
Unit42 FeedUnit42 feed of published IOCs, which contains known malicious indicators.
UptycsFetches data from the Uptycs database.
URLhausURLhaus has the goal of sharing malicious URLs that are being used for malware distribution.
urlscan.ioUrlscan.io reputation
VectraAutomated attacker behavior analytics
Vectra v2Automated attacker behavior analytics
VenafiRetrieves information about certificates stored in Venafi.
VerticaAnalytic database management software
VirusTotalAnalyze suspicious hashes, URLs, domains and IP addresses
VirusTotal - Private APIAnalyze suspicious hashes, URLs, domains and IP addresses
VMRayRansomware analysis sandboxing.
VMwareVMware vCenter server is a centralized management application that lets you manage virtual machines and ESXi hosts centrally.
VMware Carbon Black App Control v2VMware Carbon Black App Control (formerly known as Carbon Black Enterprise Protection) is a next-generation endpoint threat prevention solution to deliver a portfolio of protection policies, real-time visibility across environments, and comprehensive compliance rule sets in a single platform. This integration only supports Carbon Black on-premise APIs.
VMware Carbon Black EDR (Live Response API)Collect information and take action on remote endpoints in real time with VMware Carbon Black EDR (Live Response API) (formerly known as Carbon Black Enterprise Live Response).
VMware Carbon Black Endpoint StandardVMware Carbon Black Endpoint Standard (formerly known as Carbon Black Defense) is a next-generation antivirus + EDR in one cloud-delivered platform that stops commodity malware, advanced malware, non-malware attacks and ransomware.
VMware Carbon Black Enterprise EDRVMware Carbon Black Enterprise EDR (formerly known as Carbon Black ThreatHunter) is an advanced threat hunting and incident response solution delivering continuous visibility for top security operations centers (SOCs) and incident response (IR) teams.
VulnDBLists all of the security vulnerabilities for various products (OS, applications, etc.).
WhatIsMyBrowserParse user agents and determine if they are malicious as well as enrich information about the agent
WhoisProvides data enrichment for domains.
WootCloudAppend HyperContext™ insights to your SIEM data and feed them into your orchestration workflows.
WorkdayWorkday offers enterprise-level software solutions for financial management, human resources, and planning.
Workday IAMUse the Workday IAM Integration as part of the IAM premium pack.
Workday IAM Event Generator (Beta)Generates mock reports and events for Workday IAM. Use these for testing and development.
XM CyberXMCyber continuously finds attack vectors to critical assets. This integration fetches events (incidents) on changes in the overall risk score, risk to assets, or impacting attack techniques. Additionally, incidents are enriched with incoming attack vectors to the incident's endpoints and critical assets at risk from the incident.
xMattersThis is an integration for using xMatters.
XSOAR MirroringFacilitates mirroring of XSOAR incidents between different XSOAR tenants.
ZabbixAllows integration with the Zabbix API.
ZimperiumFetch and investigate mobile security alerts, generated based on anomalous or unauthorized activities detected on a user's mobile device.
ZoomUse the Zoom integration to manage your Zoom users and meetings.
Zoom FeedUse the Zoom Feed integration to get indicators from the feed.
ZscalerZscaler is a cloud security solution built for performance and flexible scalability. This integration enables you to manage URL and IP address whitelists and blacklists, manage and update categories, get Sandbox reports, and manually log in, log out, and activate changes in a Zscaler session.

Playbooks#

NameDescription
Access Investigation - GenericThis playbook investigates an access incident by gathering user and IP information.

The playbook then interacts with the user that triggered the incident to confirm whether or not they initiated the access action.
Access Investigation - Generic - NISTThis playbook investigates an access incident by gathering user and IP information, and handling the incident based on the stages in "Handling an incident - Computer Security Incident Handling Guide" by NIST.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Used Sub-playbooks:
- IP Enrichment - Generic v2
- Account Enrichment - Generic v2.1
- Block IP - Generic v2
- NIST - Lessons Learned
Access Investigation - QRadarThis playbook uses the QRadar integration to investigate an access incident by gathering user and IP information.

The playbook then interacts with the user that triggered the incident to confirm whether or not they initiated the access action.
Accessdata: Dump memory for malicious processUse as a sub-playbook to dump memory if the given process is running on a legacy AD agent.
Account Enrichment - GenericDeprecated. Use "Account Enrichment - Generic v2.1" playbook instead. Enrich Accounts using one or more integrations
Account Enrichment - Generic v2Deprecated. Use "Account Enrichment - Generic v2.1" playbook instead. Enrich accounts using one or more integrations.
Supported integrations:
- Active Directory
Account Enrichment - Generic v2.1Enrich accounts using one or more integrations.
Supported integrations:
- Active Directory
Active Directory - Get User Manager DetailsTakes an email address or a username of a user account in Active Directory, and returns the email address of the user's manager.
Add Indicator to Miner - Palo Alto MineMeldDeprecated. Add indicators to the relevant Miner using MineMeld.
Add Unknown Indicators To Inventory - RiskIQ Digital FootprintAdds the unknown indicators or updates/removes the indicators identified as a known asset in the RiskIQ Digital Footprint inventory according to the user inputs for each asset. To select the indicators you want to add, go to playbook inputs, choose "from indicators" and set your query. For example reputation:None etc. The purpose of the playbook is to check if the indicators with the unknown reputation are known assets. The default playbook query is "reputation:None". In case indicators with different reputations are to be added to the inventory, the query must be edited accordingly. This playbook cannot be run in quiet mode. This playbook needs to be used with caution as it might use up the integration’s API license when running for large amounts of indicators.
Agari Message Remediation - Agari Phishing DefenseInvestigates Agari policy events by obtaining the original message and attachments from the existing email integrations and remediates in Agari.
Akamai WAF - Activate Network ListsActivates network lists in Staging or Production on Akamai WAF. The playbook finishes running when the network list is active on the requested environment.
Allow IP - Okta ZoneSync a list of IP addresses to the Okta Network Zone with the given ID.
Existing IPs in the Okta Zone which are not in the input list will be removed and the indicator will be untagged in Cortex XSOAR.
IDs can be retrieved using !okta-list-zones. This playbook supports CIDR notation only (1.1.1.1/32) and not range notation (1.1.1.1-1.1.1.1).
Anomali Enterprise Forensic SearchInitiates a Forensic Search on IOCs in Anomali Match.
Archer initiate incidentInitiates an Archer incident.
Arcsight - Get events related to the CaseGet the Case's Arcsight ResourceID from the FetchID field, or the "ID" label. If neither is there, ask user for the ID.
Use the resource ID to get full data for the case, the correlated/aggregate events underneath it, and all base events underneath them.
Assign Active Incidents to Next Shift V2This playbook reassigns Active Incidents to the current users on call. It requires shift management to be set up. The playbook can be run as a job a few minutes after the scheduled shift change time.

You can update the playbook input with a different search query, if required. Will branch if there are no incidents that match the query and no users on call.

Cases will not be assigned to users that are defined as out of office (OOO) by the OutOfOffice automation.
ATD - Detonate FileDetonates a File using the McAfee Advanced Threat Defense sandbox.
Advanced Threat Defense supports the following file types:
- 32-bit Portable Executable (PE) files; 64-bit PE+ files: exe, sys, dll, com, scr, cpl, ocx, cgi
- Microsoft Office Suite documents: doc, dotm, docx, dotx, xls, ppam, xlsx, pps, xlsb, ppsx, xlsm, ppsm, ppt, pptx, pptm, rtf, shs, xltm, sldm, xltx, sldx, xlam, thmx, docm, xar
- Just Systems Ichitaro documents: jtd, jtdc
- Adobe: pdf, swf
- Compressed files: gz, 7z, tgz, msi, zip, lzh, cab, lzma, rar
- Android application package: apk, Java, JAR, CLASS, JavaScript, Java bin files
- Image files: jpeg, png, gif
- Other file types: cmd, ace, bat, arj, vbs, chm, xml, lnk, url, mof, htm, ocx, html, potm, eml, potx, msg, ps1, vb, reg, vba, wsc, vbe, wsf, wsh
Auto Add Assets - RiskIQ Digital FootprintThis playbook automatically adds the provided asset(s) to the RiskIQ Digital Footprint inventory according to the values provided. Use this playbook as a sub playbook and loop over each asset in the asset list in order to add multiple assets.
Auto Update Or Remove Assets - RiskIQ Digital FootprintThis playbook automatically updates or removes the provided asset(s) from the RiskIQ Digital Footprint inventory according to the values provided. Use this playbook as a sub playbook and loop over each asset in the asset list in order to update or remove multiple assets.
Autofocus Query Samples, Sessions and TagsThis playbook is used for querying the PANW threat intelligence AutoFocus system. The playbook accepts indicators such as IPs, hashes, and domains to run basic queries, or more advanced queries that can leverage several query parameters. In order to run the more advanced queries, it is recommended to use the AutoFocus UI https://autofocus.paloaltonetworks.com/#/dashboard/organization to create a query and then use the export search button. The result can be used as a playbook input.

The playbook supports searching both the Samples API and the sessions API.
AutoFocusPollingUse this playbook as a sub-playbook to query the PANW AutoFocus threat intelligence system. This sub-playbook is the same as the generic polling sub-playbook, except that it provides outputs in the playbook. The reason for that is that in AutoFocus it is impossible to query the results of the same query more than once, so the outputs have to be in the polling context.

This playbook implements polling by continuously running the command in Step #2 until the operation completes.
The remote action should have the following structure:

1. Initiate the operation.
2. Poll to check if the operation completed.
3. (optional) Get the results of the operation.
Block Account - GenericThis playbook blocks malicious usernames using all integrations that you have enabled.

Supported integrations for this playbook:
- Active Directory
- PAN-OS - This requires PAN-OS 9.1 or higher.
Block Endpoint - Carbon Black ResponseCarbon Black Response - isolate an endpoint, given a hostname.
Block File - Carbon Black ResponseThis playbook receives an MD5 hash and adds it to the blacklist in Carbon Black Enterprise Response. Files with that MD5 hash are blocked from execution on the managed endpoints.

If the integration is disabled at the time of running, or if the hash is already on the blacklist, no action is taken on the MD5.
Block File - CybereasonThis playbook accepts an MD5 hash and blocks the file using the Cybereason integration.
Block File - Cylance Protect v2This playbook accepts a SHA256 hash and adds the hash to the Global Quarantine list using the Cylance Protect v2 integration.
Block File - GenericDeprecated. Use "Block File - Generic v2" playbook instead. A generic playbook for blocking files from running on endpoints. This playbook currently supports Carbon Black Enterprise Response.
Block File - Generic v2This playbook is used to block files from running on endpoints.
This playbook supports the following integrations:
- Palo Alto Networks Traps
- Palo Alto Networks Cortex XDR
- Cybereason
- Carbon Black Enterprise Response
- Cylance Protect v2
Block Indicators - GenericDeprecated. We recommend using the 'Block Indicators - Generic v2' playbook instead.
This playbook blocks malicious indicators using all integrations that are enabled.

Supported integrations for this playbook:
- Active Directory
- Check Point Firewall
- Palo Alto Networks Minemeld
- Palo Alto Networks Panorama
- Zscaler
- Carbon Black Enterprise Response
Block Indicators - Generic v2This playbook blocks malicious Indicators using all integrations that are enabled, using the following sub-playbooks:

- Block URL - Generic
- Block Account - Generic
- Block IP - Generic v2
- Block File - Generic v2

Block IOCs from CSV - External Dynamic ListThis playbook parses a CSV file with IOCs and blocks them using Palo Alto Networks External Dynamic Lists.
Block IP - GenericDeprecated. Use "Block IP - Generic v2" playbook instead. This playbook blocks malicious IPs using all integrations that you have enabled.

Supported integrations for this playbook:
- Check Point Firewall
- Palo Alto Networks Minemeld
- Palo Alto Networks Panorama
- Zscaler
Block IP - Generic v2This playbook blocks malicious IPs using all integrations that are enabled.

Supported integrations for this playbook:
- Check Point Firewall
- Palo Alto Networks Minemeld
- Palo Alto Networks PAN-OS
- Zscaler
- FortiGate
Block URL - GenericThis playbook blocks malicious URLs using all integrations that are enabled.

Supported integrations for this playbook:
- Palo Alto Networks Minemeld
- Palo Alto Networks PAN-OS
- Zscaler
Bonusly - AutoGratitudeAutoGratitude is a playbook that expresses gratitude to security engineers and developers when they successfully complete an SLA.
Brute Force Investigation - GenericThis playbook investigates a "Brute Force" incident by gathering user and IP information, calculating the incident severity based on the gathered information and information received from the user, and performing remediation.

The playbook handles the following use-cases:

- Brute Force IP Detected - A detection of source IPs that are exceeding a high threshold of rejected and/or invalid logins.
- Brute Force Increase Percentage - A detection of large increase percentages in various brute force statistics over different periods of time.
- Brute Force Potentially Compromised Accounts - A detection of accounts that have shown a high number of failed logins followed by one successful login.

Used Sub-playbooks:
- IP Enrichment - Generic v2
- Account Enrichment - Generic v2.1
- Calculate Severity - Critical Assets v2
- Isolate Endpoint - Generic
- Block Indicators - Generic v2
Brute Force Investigation - Generic - SANSThis playbook investigates a "Brute Force" incident by gathering user and IP information, and calculating the incident severity based on the gathered information and information received from the user. It then performs remediation.
This is done based on the phases for handling an incident as they are described in the SANS Institute 'Incident Handler's Handbook' by Patrick Kral.

https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

The playbook handles the following use-cases:

- Brute Force IP Detected - A detection of source IPs that are exceeding a high threshold of rejected and/or invalid logins.
- Brute Force Increase Percentage - A detection of large increase percentages in various brute force statistics over different periods of time.
- Brute Force Potentially Compromised Accounts - A detection of accounts that have shown a high number of failed logins followed by one successful login.

Used Sub-playbooks:
- IP Enrichment - Generic v2
- Account Enrichment - Generic v2.1
- Calculate Severity - Critical Assets v2
- Isolate Endpoint - Generic
- Block Indicators - Generic v2
- SANS - Lessons Learned

***Disclaimer: This playbook does not ensure compliance with SANS regulations.
Bulk Export Devices to ServiceNow - PANW IoT 3rd Party IntegrationThis playbook gets all available devices from PANW IoT Cloud and updates/creates endpoints with custom attributes in ServiceNow.
Bulk Export to Cisco ISE - PANW IoT 3rd Party IntegrationThis playbook gets all available device inventory from PANW IoT Cloud and updates/creates endpoints with custom attributes on Cisco ISE.
Bulk Export to SIEM - PANW IoT 3rd Party IntegrationThis playbook gets all available assets (alerts, vulnerabilities, and devices) and sends them to the configured PANW third-party integration SIEM server.
C2SEC-Domain ScanLaunches a C2sec scan by domain name and waits for the scan to finish by polling its status in pre-defined intervals.
Calculate Severity - 3rd-party integrationsCalculates the incident severity level according to the methodology of a 3rd-party integration.
Calculate Severity - Critical assetsDeprecated. Use Calculate Severity - Critical Assets v2 playbook instead. Determines if a critical asset is associated with the investigation. The playbook returns a severity level of "Critical" if a critical asset is associated with the investigation.

This playbook verifies if a user account or an endpoint is part of a critical list or a critical AD group.
Calculate Severity - Critical Assets v2Determines if a critical asset is associated with the investigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation.
Critical assets refer to: users, user groups, endpoints and endpoint groups.
Calculate Severity - GenericDeprecated. Use "Calculate Severity - Generic v2" playbook instead. Calculates and assigns the incident severity based on the highest returned severity level from the following severity calculations:

- Indicators DBotScore - Calculates the incident severity level according to the highest indicator DBotScore.
- Critical assets - Determines if a critical asset is associated with the investigation.
- 3rd-party integrations - Calculates the incident severity level according to the methodology of a 3rd-party integration.

NOTE: the new severity level overwrites the previous severity level even if the previous severity level was more severe.
Calculate Severity - Generic v2Calculate and assign the incident severity based on the highest returned severity level from the following calculations:

- DBotScores of indicators
- Critical assets
- Email authenticity
- Current incident severity
Calculate Severity - GreyNoiseCalculate and assign the incident severity based on the highest returned severity level from the following calculations:

- DBotScores of indicators
- Current incident severity
Calculate Severity - Indicators DBotScoreCalculates the incident severity level according to the highest indicator DBotScore.
Calculate Severity - StandardCalculates and sets the incident severity based on the combination of the current incident severity, and the severity returned from the Evaluate Severity - Set By Highest DBotScore playbook.
Calculate Severity By Email AuthenticityCalculates a severity according to the verdict coming from the CheckEmailAuthenticity script.
Calculate Severity By Highest DBotScoreCalculates the incident severity level according to the highest indicator DBotScore.
Calculate Severity Highest DBotScore For Egress Network Traffic - GreyNoisePlaybook to calculate the severity based on GreyNoise
Calculate Severity Highest DBotScore For Ingress Network Traffic - GreyNoisePlaybook to calculate the severity based on GreyNoise
California - Breach NotificationThis playbook helps an analyst determine if the breached data meets the criteria for breach notification according to California law, and, if necessary, follows through with the notification procedures.

DISCLAIMER: Please consult with your legal team before implementing this playbook.

Source: http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82.
Carbon Black EDR Search ProcessUse this playbook to search processes in Carbon Black Enterprise EDR.
This playbook implements polling by continuously running the cb-eedr-process-search-results command
until the operation completes.
Carbon black Protection Rapid IOC HuntingHunt for endpoint activity involving hash and domain IOCs, using Carbon black Protection (Bit9).
Carbon Black Rapid IOC HuntingDeprecated. Use "Search Endpoints By Hash - Carbon Black Response V2" playbook instead. Hunt for malicious indicators using Carbon Black
Check Indicators For Unknown Assets - RiskIQ Digital FootprintThis playbook receives indicators from its parent playbook and checks if the indicator is an unknown or a known asset in the RiskIQ Digital Footprint inventory and gives out a list of the unknown as well as known assets. This playbook cannot be run in quiet mode. This playbook needs to be used with caution as it might use up the integration’s API license when running for large amounts of indicators.
Check IP Address For Whitelisting - RiskIQ Digital FootprintChecks if the provided IP Address should be whitelisted and excluded or not. Use this playbook as a sub-playbook to loop over multiple IP Addresses to check if they should be whitelisted and excluded.
Checkpoint Firewall Configuration Backup PlaybookDeprecated. Triggers a backup task on each firewall appliance and pulls the resulting file into the war room via SCP.
ChronicleAsset Investigation - ChronicleThis playbook receives indicators from its parent playbook, performs enrichment and investigation for each one of them, provides an opportunity to isolate and block the hostname or IP address associated with the current indicator, and gives out a list of isolated and blocked entities. This playbook also lists the events fetched for the asset identifier information associated with the indicator.
ChronicleAssets Investigation And Remediation - ChroniclePerforms enrichment and investigation of the ChronicleAsset type of indicators, provides an opportunity to remediate in case any of the ChronicleAsset information i.e., hostname or IP address is found to be malicious or suspicious, and sends out an email containing the list of isolated and potentially blocked entities. To select the indicators you want to add, go to playbook inputs, choose "from indicators" and set your query. For example, type:ChronicleAsset etc. The default playbook query is "type:ChronicleAsset". In case indicators with different query parameters are to be investigated, the query must be edited accordingly. This playbook needs to be used with caution as it might use up the integration’s API license when running large amounts of indicators.
CloudConvert - Convert FileUse this playbook to convert a file to the required format using CloudConvert.
Code42 Add Departing Employee From Ticketing SystemParses a Ticket Summary containing a username='username' and optionally a departure='date' and adds the user to the Code42 Departing Employee list. This playbook uses Jira out-of-the-box, but you can swap it with a different Ticketing system and achieve the same result. For example, to use Zendesk, change the command jira-get-issue to be zendesk-ticket-details and use the id parameter for issueId. Change the output (what gets parsed) to be either the Subject or the Description from Zendesk.
Code42 Copy File To Ticketing SystemDownloads a file from Code42 and attaches it to a ticketing system. This playbook uses Jira out-of-the-box, but you can swap it with a different Ticketing system and achieve the same result. For example, to use ServiceNow, change the command jira-issue-upload-file to be servicenow-upload-file and use the id parameter for issueId and file_id for entryId.
Code42 Exfiltration PlaybookThe Code42 Exfiltration playbook acts on Code42 Security Alerts, retrieves file event data, and allows security teams to remediate file exfiltration events by revoking access rights to cloud files or containing endpoints.
Code42 File DownloadThis playbook downloads a file via Code42 by either MD5 or SHA256 hash.
Code42 File SearchThis playbook searches for files via Code42 security events by either MD5 or SHA256 hash. The data is output to the Code42.SecurityData context for use.
Code42 Suspicious Activity ActionTake corrective actions against a Code42 user found to be exposing file data.
Code42 Suspicious Activity ReviewDetects suspicious activities of a user and allows a recipient to assess the results. Afterward, the playbook takes action on the user such as adding them to legal hold.
Continuously Process Survey ResponsesNote: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve. Continuously processes new questionnaire responses as they are received.
Convert file hash to corresponding hashesThe playbook enables you to get all of the corresponding file hashes for a file even if there is only one hash type available.
For example, if we have only the SHA256 hash, the playbook will get the SHA1 and MD5 hashes as long as the original searched hash is recognized by any of our threat intelligence integrations.
Cortex XDR - Block FileUse this playbook to add files to Cortex XDR block list with a given file SHA256 playbook input.
Cortex XDR - Check Action StatusChecks the action status of an action ID.
Enter the action ID of the action whose status you want to know.
Cortex XDR - Isolate EndpointThis playbook accepts an XDR endpoint ID and isolates it using the 'Palo Alto Networks Cortex XDR - Investigation and Response' integration.
Cortex XDR - Malware InvestigationInvestigates a Cortex XDR incident containing internal malware alerts. The playbook:
- Enriches the infected endpoint details.
- Lets the analyst manually retrieve the malicious file.
- Performs file detonation.

The playbook is used as a sub-playbook in 'Cortex XDR Incident Handling - v2'.
Cortex XDR - Port ScanInvestigates a Cortex XDR incident containing internal port scan alerts. The playbook:
- Syncs data with Cortex XDR
- Enriches the hostname and IP address of the attacking endpoint
- Notifies management about host compromise
- Escalates the incident in case of lateral movement alert detection
- Hunts malware associated with the alerts across the organization
- Blocks detected malware associated with the incident
- Blocks IPs associated with the malware
- Isolates the attacking endpoint
- Allows manual blocking of ports that were used for host login following the port scan
Cortex XDR - Port Scan - AdjustedInvestigates a Cortex XDR incident containing internal port scan alerts. The playbook:
- Syncs data with Cortex XDR.
- Notifies management about a compromised host.
- Escalates the incident in case of lateral movement alert detection.

The playbook is used as a sub-playbook in 'Cortex XDR Incident Handling - v2'.
Cortex XDR - quarantine file
Cortex XDR - Retrieve File PlaybookRetrieves files from selected endpoints. You can retrieve up to 20 files, from no more than 10 endpoints.
Inputs for this playbook are:
- A comma-separated list of endpoint IDs.
- A comma-separated list of file paths for your operating system, either Windows, Linux, or Mac. At least one file path is required.
Cortex XDR Alerts HandlingThis playbook is used to loop over every alert in a Cortex XDR incident.
Supported alert categories:
- Malware
- Port Scan
Cortex XDR device control violationsQueries Cortex XDR for device control violations for the specified hosts, IP address, or XDR endpoint ID. It then communicates via email with the involved users to understand the nature of the incident and if the user connected the device.
All the collected data will be displayed in the XDR device control incident layout.
This playbook can also be associated with Cortex XDR device control violation job to periodically query and investigate XDR device control violations. In this configuration, the playbook will only communicate with the involved users.
Cortex XDR disconnected endpointsA Job to periodically query disconnected Cortex XDR endpoints with a provided last seen time range playbook input.
The collected data, if found, is generated into a CSV report, including a detailed list of the disconnected endpoints.
The report is sent to the recipient email addresses provided in the playbook input.
The playbook includes an incident type with a dedicated layout to visualize the collected data.
To set up the job correctly:
1. Create a new recurring job.
2. Set the recurring schedule.
3. Add a name.
4. Set type to Cortex XDR disconnected endpoints.
5. Set this playbook as the job playbook.

https://xsoar.pan.dev/docs/incidents/incident-jobs

The scheduled run time and the timestamp relative date should be identical. If the job recurs every 7 days, the time range should be 7 days as well.
Cortex XDR Incident HandlingThis playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident.
The playbook syncs and updates new XDR alerts that construct the incident. It enriches indicators using Threat Intelligence integrations and Palo Alto Networks AutoFocus. The incident's severity is then updated based on the indicators reputation and an analyst is assigned for manual investigation. If chosen, automated remediation with Palo Alto Networks FireWall is initiated. After a manual review by the SOC analyst, the XDR incident is closed automatically.

*** Note - The XDRSyncScript used by this playbook sets data in the XDR incident fields that were released to content from the Demisto server version 5.0.0.
For Demisto versions under 5.0.0, please follow the 'Palo Alto Networks Cortex XDR' documentation to upload the new fields manually.
Cortex XDR incident handling v2This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident.
The playbook syncs and updates new XDR alerts that construct the incident and triggers a sub-playbook to handle each alert by type.
Then, the playbook performs enrichment on the incident's indicators and hunting for related IOCs.
Based on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive.
After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation.
Cortex XDR incident handling v3This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident.
The playbook syncs and updates new XDR alerts that construct the incident and triggers a sub-playbook to handle each alert by type.
Then, the playbook performs enrichment on the incident’s indicators and hunts for related IOCs.
Based on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive.
After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation. For performing the bidirectional sync, the playbook uses the incoming and outgoing mirroring feature added in XSOAR version 6.0.0. After the Calculate Severity - Generic v2 sub-playbook’s run, Cortex XSOAR will be treated as the single source of truth for the severity field, and it will sync only from Cortex XSOAR to XDR, so manual changes for the severity field in XDR will not update in the XSOAR incident.
Cortex XDR Incident SyncCompares incidents in Palo Alto Networks Cortex XDR and Cortex XSOAR, and updates the incidents appropriately. When an incident is updated in Cortex XSOAR, the XDRSyncScript will update the incident in XDR. When an incident is updated in XDR, the XDRSyncScript will update the incident fields in Cortex XSOAR and rerun the current playbook. Do not use this playbook when enabling the incident mirroring feature added in XSOAR version 6.0.0.
Create ServiceNow TicketCreate ServiceNow Ticket allows you to open new tickets as a task from a parent playbook.
When creating the ticket, you can decide to update based on the ticket's state, which will wait for the ticket to resolve or close with StatePolling.
Alternatively, you can select to mirror the ServiceNow ticket and incident fields. To apply either of these options, set the SyncTicket value in the playbook inputs to one of the following options:
1. StatePolling
2. Mirror
3. Leave Blank to use none.
CrowdStrike Endpoint EnrichmentEnriches an endpoint using CrowdStrike.
CrowdStrike Falcon Sandbox - Detonate fileDetonate one or more files using the CrowdStrike Falcon Sandbox integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types - PE32, EXE, DLL, JAR, JS, PDF, DOC, DOCX, RTF, XLS, PPT, PPTX, XML, ZIP, VBN, SEP, XZ, GZ, BZ2, TAR, MHTML, SWF, LNK, URL, MSI, JTD, JTT, JTDC, JTTC, HWP, HWT, HWPX, BAT, HTA, PS1, VBS, WSF, JSE, VBE, CHM
CrowdStrike Rapid IOC HuntingDeprecated. Use "CrowdStrike Rapid IOC Hunting v2" playbook instead. Hunt for endpoint activity involving hash and domain IOCs, using CrowdStrike Falcon Host. Also use the AnalystEmail label to determine where to send an email alert if something is found.
CrowdStrike Rapid IOC Hunting v2Hunt for endpoint activity involving hash and domain IOCs using CrowdStrike Falcon Host. Also use the AnalystEmail label to determine where to send an email alert if something is found.
CVE Enrichment - GenericEnrich CVE using one or more integrations.
CVE Enrichment - Generic v2This playbook performs CVE Enrichment using the following integrations:
- VulnDB
- CVE Search
- IBM X-Force Exchange
CVE Exposure - RiskSenseBlock IPs and apply the tag to assets that are vulnerable to the specified CVE.
CyberTotal Auto Enrichment - CyCraftThis playbook automatically enriches indicators (including IPs, URLs, domains; MD5, SHA-1, and SHA-256 file hashes). Playbook input: the indicators you want to enrich. Playbook output: detection engine results, positive detections, detection ratios; as well as severity, confidence, and threat scores.
CyberTotal Whois - CyCraftThis playbook is used to automatically retrieve Whois information regarding IPs, URLs and domains. Playbook input: IPs, URLs, domains. Playbook output: Whois lookup information.
D2 - Endpoint data collectionUses Demisto's d2 agent to collect data from an endpoint for IR purposes.

Input:
Hostname (default: ${Endpoint.Hostname})
OS (default: windows)
Credentials (default: Admin)
Path (default: None)
Darkfeed - malware download from feedSet this playbook as an automated job in order to automatically download malware from new Darkfeed IOCs and run them through the "Darkfeed IOC detonation and proactive blocking" playbook
Darkfeed IOC detonation and proactive blockingDownload malicious files from a Darkfeed IOC, detonate them in automated sandboxes, and extract and block any additional indicators and files.
Darkfeed Threat hunting-researchAutomatically discover and enrich indicators with the same actor and source as the triggering IOC. Search for and isolate any compromised endpoints and proactively block IOCs from entering your network.
DBot Create Phishing ClassifierDeprecated. Use "DBot Create Phishing Classifier V2" playbook instead. Create a phishing classifier using machine learning techniques, based on email content.
DBot Create Phishing Classifier JobDeprecated. Use "DBot Create Phishing Classifier V2" playbook instead. Train the phishing machine learning model. This playbook should be used as a job, to run repeatedly, for example every week.
DBot Create Phishing Classifier V2Create a phishing classifier using machine learning techniques, based on email content.
DBot Create Phishing Classifier V2 JobTrain the phishing machine learning model. This playbook should be used as a job, to run repeatedly, for example every week.
DBot Indicator Enrichment - GenericGets the internal DBot score of the indicators.
Dedup - GenericDeprecated. Use "Dedup - Generic v2" playbook instead. This playbook identifies duplicate incidents using one of the supported methods.
Dedup - Generic v2Deprecated. Use the Dedup Generic v3 playbook instead. This playbook identifies duplicate incidents using one of the supported methods.
Dedup - Generic v3This playbook identifies duplicate incidents using one of the supported methods.
Select one of the following methods to identify duplicate incidents in Cortex XSOAR.
- ml: Machine learning model, which is trained mostly on phishing incidents.
- rules: Rules help identify duplicate incidents when the logic is well defined, for example, the same label or custom fields.
- text: Statistical algorithm that compares text, which is generally useful for phishing incidents.
For each method, the playbook searches for the oldest similar incident. When a similar incident is found, the playbook closes the current incident and links it to the older incident.
DeDup incidentsDeprecated. Check for duplicates of the current incident, and close it if any duplicate has been found.
DeDup incidents - MLDeprecated. Check for duplicates of the current incident, and close it if any duplicate has been found by the machine-learning find-duplicates automation.
DefaultThis playbook executes when no other playbook is associated with an incident. It enriches indicators in an incident using one or more integrations.
Demisto Self-Defense - Account policy monitoring playbookDeprecated. Get list of Demisto users through the REST API, and alert if any non-SAML user accounts are found.
Detonate File - ANYRUNDetonates one or more files using the ANYRUN sandbox integration.
Returns relevant reports to the War Room and file reputations to the context data.
All file types are supported.
Detonate File - BitDamDetonates one or more files using BitDam integration.
Returns verdict to the War Room and file reputations to the context data.
Supported file types are mainly PDF and Microsoft Office documents.
Detonate File - CuckooDetonates a file using the Cuckoo integration.
Detonate File - FireEye AXDetonate one or more files using the FireEye AX integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types - PE32, EXE, DLL, JAR, JS, PDF, DOC, DOCX, RTF, XLS, PPT, PPTX, XML, ZIP, VBN, SEP, XZ, GZ, BZ2, TAR, MHTML, SWF, LNK, URL, MSI, JTD, JTT, JTDC, JTTC, HWP, HWT, HWPX, BAT, HTA, PS1, VBS, WSF, JSE, VBE, CHM, JPG, JPEG, GIF, PNG, XLSX
Detonate File - FireEye Detection on DemandDetonate one or more files using the FireEye Detection on Demand integration. This playbook returns relevant reports to the War Room and file reputations to the context data.
Detonate File - GenericDetonate file through active integrations that support file detonation
Detonate File - Group-IB TDS PolygonDetonate file using Group-IB TDS Polygon integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types: 7z, ace, ar, arj, bat, bz2, cab, chm, cmd, com, cpgz, cpl, csv, dat, doc, docm, docx, dot, dotm, dotx, eml, exe, gz, gzip, hta, htm, html, iqy, iso, jar, js, jse, lnk, lz, lzma, lzo, lzh, mcl, mht, msg, msi, msp, odp, ods, odt, ots, ott, pdf, pif, potm, potx, pps, ppsm, ppsx, ppt, pptm, pptx, ps1, pub, py, pyc, r, rar, reg, rtf, scr, settingcontent-ms, stc, svg, sxc, sxw, tar, taz, .tb2, .tbz, .tbz2, tgz, tlz, txz, tzo, txt, url, uue, vbe, vbs, wsf, xar, xls, xlsb, xlsm, xlsx, xml, xz, z, zip.
Detonate File - HybridAnalysisDetonates one or more files using the Hybrid Analysis integration.
Returns relevant reports to the War Room and file reputations to the context data.
All file types are supported.
Detonate File - JoeSecurityDetonates one or more files using the Joe Security - Joe Sandbox integration.
Returns relevant reports to the War Room and file reputations to the context data.
All file types are supported.
Detonate File - LastlineDetonates a File using the Lastline sandbox.
Lastline supports the following File Types:
EXE, SYS, DLL, COM, SCR, CPL, OCX, CGI, DOC, DOTM, DOCX, DOTX, XLS, PPAM, XLSX, PPS, XLSB, PPSX, XLSM, PPSM, PPT, PPTX, PPTM, RTF, SHS, XLTM, SLDM, XLTX, SLDX, XLAM, THMX, DOCM, XAR, JTD, JTDC, PDF, SWF, GZ, 7Z, TGZ, MSI, ZIP, LZH, CAB, LZMA, APK, JAR, CLASS, JPEG, PNG, GIF, CMD, ACE, BAT, ARJ, VBS, CHM, XML, LNK, URL, MOF, HTM, HTML, POTM, EML, POTX, MSG, PS, VB, REG, VBA, WSC, VBE, WSF, WSH
Detonate File - Lastline v2Detonates a File using the Lastline sandbox.
Lastline supports the following File Types:
EXE, SYS, DLL, COM, SCR, CPL, OCX, CGI, DOC, DOTM, DOCX, DOTX, XLS, PPAM, XLSX, PPS, XLSB, PPSX, XLSM, PPSM, PPT, PPTX, PPTM, RTF, SHS, XLTM, SLDM, XLTX, SLDX, XLAM, THMX, DOCM, XAR, JTD, JTDC, PDF, SWF, GZ, 7Z, TGZ, MSI, ZIP, LZH, CAB, LZMA, APK, JAR, CLASS, JPEG, PNG, GIF, CMD, ACE, BAT, ARJ, VBS, CHM, XML, LNK, URL, MOF, HTM, HTML, POTM, EML, POTX, MSG, PS, VB, REG, VBA, WSC, VBE, WSF, WSH
Detonate File - SNDBOXDetonates a file using the SNDBOX integration.
SNDBOX supports the following file types:
Microsoft (2003 and earlier)
doc, dot, xls, csv, xlt, xlm, ppt, pot, pps

Microsoft (2007 and later):
docx, docm, dotx, dotm, xlsx, xlsm, xltx, xltm, xlsb, xla, xlam, iqy, pptx, pptm, potx, ppsx, xml

Other:
pe32, rtf, pdf, vbs, vbe, ps1, js, lnk, html, bat
Detonate File - ThreatGridDetonate one or more files using the ThreatGrid integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types - EXE, DLL, JAR, JS, PDF, DOC, DOCX, RTF, XLS, PPT, PPTX, XML, ZIP, VBN, SEP, XZ, GZ, BZ2, TAR, MHTML, SWF, LNK, URL, MSI, JTD, JTT, JTDC, JTTC, HWP, HWT, HWPX, BAT, HTA, PS1, VBS, WSF, JSE, VBE, CHM
Detonate File - ThreatStreamDetonate one or more files using the Anomali ThreatStream v2 integration. This playbook returns relevant reports to the War Room, and file reputations to the context data.
Detonate File - VMRayDetonates a file using the VMRay integration.
Detonate File From URL - ANYRUNDetonates one or more remote files using the ANYRUN sandbox integration.
Returns relevant reports to the War Room and file reputations to the context data.
This type of analysis works only for direct download links.
Detonate File From URL - JoeSecurityDetonates one or more remote files using the Joe Security sandbox integration.
Returns relevant reports to the War Room and file reputations to the context data.
This type of analysis is available for Windows only and works only for direct download links.
Detonate File From URL - WildFireDetonate one or more files using the WildFire integration. This playbook returns relevant reports to the War Room and file reputations to the context data.
The detonation supports the following file types -
APK, JAR, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, XML, PE32, PDF, DMG, PKG, RAR, 7Z
Detonate Remote File from URL - McAfee ATDDetonates a File from a URL using the McAfee Advanced Threat Defense sandbox integration.
Detonate URL - ANYRUNDetonates one or more URLs using the ANYRUN sandbox integration.
Returns relevant reports to the War Room and url reputations to the context data.
Detonate URL - CrowdStrikeDetonate one or more URLs using the CrowdStrike Falcon Sandbox integration. This playbook returns relevant reports to the War Room and URL reputations to the context data.
Detonate URL - CuckooDetonates a URL using the Cuckoo integration.
Detonate URL - GenericDetonate URL through active integrations that support URL detonation
Detonate URL - Group-IB TDS PolygonDetonate URL using Group-IB TDS Polygon integration.
Detonate URL - JoeSecurityDetonates one or more URLs using the Joe Security sandbox integration.
Returns relevant reports to the War Room and url reputations to the context data.
Detonate URL - LastlineDetonates a URL using the Lastline sandbox integration.
Detonate URL - Lastline v2Detonates a URL using the Lastline sandbox integration.
Detonate URL - McAfee ATDDetonates a URL using the McAfee Advanced Threat Defense sandbox integration.
Detonate URL - Phish.AIDetonates a URL using the Phish.AI integration.
Detonate URL - ThreatGridDetonate one or more URLs using the Threat Grid integration. This playbook returns relevant reports to the War Room and URL reputations to the context data.
Detonate URL - ThreatStreamDetonates one or more URLs using the Anomali ThreatStream v2 sandbox integration.
Returns relevant reports to the War Room and URL reputations to the context data.
Detonate URL - WildFire-v2Detonate a webpage or a remote file using the WildFire integration. This playbook returns relevant reports to the War Room and file reputations to the context data.
The detonation supports the following file types -
APK, JAR, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, XML, PE32, PDF, DMG, PKG, RAR, 7Z
Digital Defense FrontlineVM - Old Vulnerabilities FoundThis will query Frontline.Cloud's active view for any critical level vulnerabilities found to be older than 90 days.
Digital Defense FrontlineVM - PAN-OS block assetsThis playbook pulls Panorama-queried threat logs and checks for any correlating assets that are found to have vulnerabilities of at least high severity. If so, it blocks the IP using the PAN-OS - Block IP and URL - External Dynamic List playbook.
Digital Defense FrontlineVM - Scan Asset Not Recently ScannedThis playbook will pull the IP address from the details value of an incident and check if that asset has been scanned within the past 60 days. If not then it will prompt to perform a scan on the asset.
Digital Guardian Demo PlaybookThis playbook will show how to handle an exfiltration event through Digital Guardian by emailing a user's manager and adding the user to a DG Watchlist.
Domain Enrichment - GenericDeprecated. Use "Domain Enrichment - Generic v2" playbook instead. Enrich a domain using one or more integrations.
Domain enrichment includes:
- Domain reputation
- Threat information
Domain Enrichment - Generic v2Enrich domains using one or more integrations.
Domain enrichment includes:
- Threat information
Email Address Enrichment - GenericDeprecated. Use "Email Address Enrichment - Generic v2.1" playbook instead. Get email address reputation using one or more integrations
Email Address Enrichment - Generic v2Deprecated. Use "Email Address Enrichment - Generic v2.1" playbook instead. Enrich email addresses. Email address enrichment involves:
- Getting information from Active Directory for internal addresses
- Getting the domain-squatting reputation for external addresses
Email Address Enrichment - Generic v2.1Enrich email addresses.
- Get information from Active Directory for internal addresses
- Get the domain-squatting reputation for external addresses
Employee Offboarding - DelegateThis playbook delegates user resources and permissions as part of the IT - Employee Offboarding playbook.
Employee Offboarding - Gather User InformationThis playbook gathers user information as part of the IT - Employee Offboarding playbook.
Employee Offboarding - Retain & DeleteThis playbook performs retention and deletion of user information as part of the IT - Employee Offboarding playbook.
Employee Offboarding - Revoke PermissionsThis playbook revokes user permissions as part of the IT - Employee Offboarding playbook.
Employee Status SurveyNote: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve. Manages a crisis event where employees have to work remotely due to a pandemic, issues with the workplace or similar situations. Sends a questionnaire to all direct reports under a given manager. The questionnaire asks the employees for their health status and whether they need any help. The data is saved as employee indicators in Cortex XSOAR, while IT and HR incidents are created to provide assistance to employees who requested it. The questionnaire expires after 24 hours by default, and during that time the responses are processed every 5 minutes. These settings can be edited via the task that sends the questionnaire and the loop settings of the Continuously Process Survey Responses playbook, respectively.
Endace Search Archive and DownloadDeprecated. This playbook has been deprecated. This playbook uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager and enables integration of full historical packet capture into security automation workflows.
Endace Search Archive Download PCAPDeprecated. This playbook has been deprecated. Use Endace Search Archive Download PCAP v2 instead. This playbook uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager. The workflow accepts inputs like “the date and time of the incident or a timeframe”, “source or destination IP address of the incident”, “source or destination IP port of the incident”, “protocol of the incident” and name of archive file.
The Workflow in this playbook -
1. Finds the packet history related to the search items. Multiple Search Items in an argument field are OR'd. Search Items between multiple arguments are AND'd.
2. A successful Search is followed by an auto archival process of matching packets on EndaceProbe which can be accessed from an investigation link on the Evidence Board and/or War Room board that can be used to start forensic analysis of the packets history on EndaceProbe.
3. Finally Download the archived PCAP file to XSOAR system provided the file size is less than a user defined threshold say 10MB. Files greater than 10MB can be accessed or analyzed on EndaceProbe via "Download PCAP link" or "Endace PivotToVision link" displayed on Evidence Board.
Endace Search Archive Download PCAP v2This playbook uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager. The workflow accepts inputs like “the date and time of the incident or a timeframe”, “source or destination IP address of the incident”, “source or destination IP port of the incident”, “protocol of the incident” and name of archive file.
Required Inputs -
Either timeframe or start and timeframe or end and timeframe or start and end fields.
Either src_host_list or dest_host_list or ip fields.
Either src_port_list or dest_port_list or port fields.
archive_filename field is required
delete_archive field is required
download_threshold field is required

The Workflow in this playbook :
1. Finds the packet history related to the search items. Multiple Search Items in an argument field are OR'd. Search Items between multiple arguments are AND'd.
2. A successful Search is followed by an auto archival process of matching packets on EndaceProbe which can be accessed from an investigation link on the Evidence Board and/or War Room board that can be used to start forensic analysis of the packets history on EndaceProbe.
3. Finally Download the archived PCAP file to XSOAR system provided the file size is less than a user defined threshold say 10MB. Files greater than this threshold can be accessed or analyzed on EndaceProbe via "Download PCAP link" or "Endace PivotToVision link" displayed on Evidence Board.
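The search semantics in step 1 (values within one argument are OR'd, different arguments are AND'd) and the size gate in step 3 are easy to get backwards when reproducing this workflow in a script. The following is an added example, not code from the Endace pack or from Palo Alto Networks: it applies those rules to a handful of constructed flow records. The argument names (src_host_list, dest_host_list, ip, port, protocol) mirror the inputs listed above, but the Flow record layout and the helper names are assumptions made for this illustration; Endace's API returns neither.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Set


@dataclass(frozen=True)
class Flow:
    """One captured flow record. Constructed for this example; not Endace's record format."""
    ts: datetime
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str


# Which flow attributes each search argument is compared against.
# 'ip' and 'port' deliberately match either direction of the flow.
FIELD_GETTERS: Dict[str, Callable[[Flow], Set]] = {
    "src_host_list": lambda f: {f.src_ip},
    "dest_host_list": lambda f: {f.dst_ip},
    "ip": lambda f: {f.src_ip, f.dst_ip},
    "src_port_list": lambda f: {f.src_port},
    "dest_port_list": lambda f: {f.dst_port},
    "port": lambda f: {f.src_port, f.dst_port},
    "protocol": lambda f: {f.protocol},
}


def matches(flow: Flow, criteria: Dict[str, Sequence]) -> bool:
    """Values inside one argument are OR'd; different arguments are AND'd."""
    for arg, wanted in criteria.items():
        if not wanted:
            continue  # an empty argument does not constrain the search
        if arg not in FIELD_GETTERS:
            raise KeyError(f"unknown search argument: {arg}")
        if not set(wanted) & FIELD_GETTERS[arg](flow):  # OR: any value of this argument hits
            return False                                  # AND: every argument must hit
    return True


def search(flows: Iterable[Flow], criteria: Dict[str, Sequence],
           start: Optional[datetime] = None, end: Optional[datetime] = None) -> List[Flow]:
    """Return flows inside the inclusive [start, end] window that satisfy every argument."""
    hits = []
    for f in flows:
        if start is not None and f.ts < start:
            continue
        if end is not None and f.ts > end:
            continue
        if matches(f, criteria):
            hits.append(f)
    return hits


def should_download(archive_size_bytes: int, download_threshold_mb: int) -> bool:
    """Step 3: pull the archive into XSOAR only when it is strictly under the threshold."""
    return archive_size_bytes < download_threshold_mb * 1024 * 1024


# Constructed sample traffic (documentation IP ranges, not real hosts).
T0 = datetime(2024, 1, 15, 12, 0, 0)
FLOWS = [
    Flow(T0,                          "10.0.0.5", "203.0.113.7",  51000, 443, "tcp"),
    Flow(T0 + timedelta(minutes=1),   "10.0.0.5", "198.51.100.9", 51001, 80,  "tcp"),
    Flow(T0 + timedelta(minutes=2),   "10.0.0.8", "203.0.113.7",  51002, 443, "tcp"),
    Flow(T0 + timedelta(minutes=3),   "10.0.0.5", "203.0.113.7",  51003, 53,  "udp"),
    Flow(T0 + timedelta(hours=2),     "10.0.0.5", "203.0.113.7",  51004, 443, "tcp"),
]


def demo_window_search() -> List[int]:
    """Incident host 203.0.113.7 on 443 or 80, within the first hour: two flows match."""
    hits = search(FLOWS, {"ip": ["203.0.113.7"], "port": [443, 80]},
                  start=T0, end=T0 + timedelta(hours=1))
    return sorted(f.src_port for f in hits)


def demo_dest_ports_first_five_minutes() -> int:
    """Only an end bound: the 2-hour-later flow is excluded, the UDP/53 flow by port."""
    return len(search(FLOWS, {"dest_port_list": [443, 80]}, end=T0 + timedelta(minutes=5)))


if __name__ == "__main__":
    print(demo_window_search())                      # src ports of matching flows
    print(should_download(11 * 1024 * 1024, 10))     # 11 MB archive, 10 MB threshold
```

Note that `ip` combined with `port` is still an AND across two arguments: a flow must involve the given host and one of the given ports, which is why the DNS flow to 203.0.113.7 on UDP/53 is excluded in the first query.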
Endpoint data collectionDeprecated. Generic playbook to collect data from endpoints for IR purposes. Will use whichever integrations are configured and available.
Endpoint Enrichment - Cylance Protect v2Enriches endpoints using the Cylance Protect v2 integration.
Endpoint Enrichment - GenericDeprecated. Use "Endpoint Enrichment - Generic v2.1" playbook instead. Enrich an Endpoint Hostname using one or more integrations
Endpoint Enrichment - Generic v2Deprecated. Use "Endpoint Enrichment - Generic v2.1" playbook instead. Enrich an endpoint by hostname using one or more integrations.
Currently, the following integrations are supported:
- Active Directory
- McAfee ePolicy Orchestrator
- Carbon Black Enterprise Response
- Cylance Protect
- CrowdStrike Falcon Host
Endpoint Enrichment - Generic v2.1Enrich an endpoint by hostname using one or more integrations.
Supported integrations:
- Active Directory Query v2
- McAfee ePolicy Orchestrator
- Carbon Black Enterprise Response v2
- Cylance Protect v2
- CrowdStrike Falcon Host
- ExtraHop Reveal(x)
Endpoint Enrichment - XM CyberEnrich an endpoint by hostname using the XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more.
Endpoint Malware Investigation - GenericThis playbook is triggered by a malware incident from an 'Endpoint' type integration. The playbook performs enrichment, detonation, and hunting within the organization, and remediation on the malware.
Used sub-playbooks:
- Endpoint Enrichment - Generic v2.1
- Retrieve File from Endpoint - Generic
- Detonate File - Generic
- File Enrichment - Generic v2
- Calculate Severity - Generic v2
- Isolate Endpoint - Generic
- Block Indicators - Generic v2
Enrich DXL with ATD verdictDeprecated. Use "Enrich DXL with ATD verdict v2" playbook instead. Example of using McAfee ATD and pushing any malicious verdicts over DXL.
Detonates a file in ATD and if malicious - push its MD5, SHA1 and SHA256 hashes to McAfee DXL.
Enrich DXL with ATD verdict v2Uses McAfee ATD to push any malicious verdicts over DXL.
Detonates a file in ATD and if malicious, pushes its MD5, SHA1 and SHA256 hashes to McAfee DXL.
Enrich Incident With Asset Details - RiskIQ Digital FootprintEnriches the incident with asset details, and enriches the asset with the incident URL on the RiskIQ Digital Footprint platform. This playbook also sends an email containing the owner's information to the primary or secondary contact of the asset and provides the user with an opportunity to update or remove the asset.
Supported integration:
- RiskIQ Digital Footprint
Enrich McAfee DXL using 3rd party sandboxDeprecated. Use "Enrich McAfee DXL using 3rd party sandbox v2" playbook instead. Example of bridging DXL to a third party sandbox.
Detonate a file in Wildfire and if malicious - push its MD5, SHA1 and SHA256 hashes to McAfee DXL.
Enrich McAfee DXL using 3rd party sandbox v2Example of bridging DXL to a third party sandbox.
Detonate a file in 3rd party sandbox and if malicious, push its MD5, SHA1 and SHA256 hashes to McAfee DXL.
Entity Enrichment - GenericDeprecated. Use "Entity Enrichment - Generic v3" playbook instead. Enrich entities using one or more integrations
Entity Enrichment - Generic v2Enrich entities using one or more integrations
Entity Enrichment - Generic v3Enrich entities using one or more integrations.
Entity Enrichment - Phishing v2Enrich entities using one or more integrations
Exchange 2016 Search and DeleteRun a compliance search in Exchange Server 2016, and delete the results.
Expanse AttributionSubplaybook for Handle Expanse Incident playbooks. Given an Expanse Issue IP, Issue Provider, Issue Domain, Issue Port and Issue Protocol hunts for internal activity related to the detected service. The playbook looks for logs on Splunk, Cortex Data Lake and Panorama. Returns a list of potential owner BUs, owner Users, Device and Notes.
Expanse Behavior Severity UpdateThis playbook updates the severity of an Expanse Behavior incident based on the presence of other active Exposures for the IP address.
Expanse Enrich Cloud AssetsSubplaybook for Handle Expanse Incident playbooks.
This playbook is meant to be used as a sub-playbook to enrich public cloud assets (IP addresses and FQDNs) by:
- Finding the corresponding region and service by correlating the provided IPs with IP range feeds retrieved from public cloud providers (requires TIM and public cloud feeds, such as the AWS Feed integration, to be enabled).
- Searching IPs and FQDNs in the Prisma Cloud inventory (requires Prisma Cloud).
Expanse Find Cloud IP Address Region and ServiceSubplaybook for the Expanse Enrich Cloud Assets subplaybook. This playbook finds the corresponding public cloud region (e.g. AWS us-east-1) and service (e.g. AWS EC2) for a provided IP address. It works by correlating the provided IP address with the IP range indicators (CIDRs) that can be collected from public cloud feeds (e.g. AWS Feed) in XSOAR. CIDR indicators must be tagged with the corresponding tags (e.g. AWS for the AWS Feed): tags can be configured in the feed integrations and must match the ones provided in the inputs of this playbook. Correlation is based on the longest match (a smaller CIDR such as a /20 wins over a larger one such as a /16).
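The two rules that matter in the correlation above are the tag filter (only indicators from the configured feeds count) and the longest-prefix tie-break (a /20 beats a /16 that also contains the address). The block below is an added example, not code from the Expanse pack or from XSOAR's indicator store: it implements both rules over a constructed indicator list using the standard `ipaddress` module. The `CidrIndicator` fields, the sample RFC 1918 ranges and the provider metadata are assumptions made for the illustration; real cloud feeds publish their own ranges and field names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class CidrIndicator:
    """A CIDR indicator as a feed might create it: the range plus tags and cloud metadata.
    Field names are assumptions for this example, not XSOAR's indicator schema."""
    value: str
    tags: FrozenSet[str]
    provider: str
    region: str
    service: str


# Constructed sample indicators (private address space, not real cloud ranges).
INDICATORS = [
    CidrIndicator("10.10.0.0/16",     frozenset({"AWS"}),      "AWS",  "us-east-1",   "AMAZON"),
    CidrIndicator("10.10.32.0/20",    frozenset({"AWS"}),      "AWS",  "us-east-1",   "EC2"),
    CidrIndicator("10.10.32.0/24",    frozenset({"AWS"}),      "AWS",  "us-east-1",   "S3"),
    CidrIndicator("10.20.0.0/16",     frozenset({"GCP"}),      "GCP",  "us-central1", "Google Cloud"),
    CidrIndicator("10.0.0.0/8",       frozenset({"internal"}), "corp", "dc1",         "lan"),
    CidrIndicator("2001:db8:10::/48", frozenset({"AWS"}),      "AWS",  "eu-west-1",   "EC2"),
]


def find_region_and_service(ip: str, indicators: Iterable[CidrIndicator],
                            feed_tags: FrozenSet[str]) -> Optional[Dict[str, str]]:
    """Longest-prefix match of `ip` against CIDR indicators carrying at least one of `feed_tags`.

    Returns None when no tagged indicator contains the address. Indicators without a
    matching tag are ignored even if they contain the address, which is how a broad
    internal /8 is kept from masquerading as a cloud range.
    """
    addr = ipaddress.ip_address(ip)
    best_net = None
    best_ind = None
    for ind in indicators:
        if not (ind.tags & feed_tags):
            continue  # not from one of the configured cloud feeds
        net = ipaddress.ip_network(ind.value, strict=False)
        if net.version != addr.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_ind = net, ind  # longer prefix = smaller range wins
    if best_ind is None:
        return None
    return {
        "cidr": str(best_net),
        "provider": best_ind.provider,
        "region": best_ind.region,
        "service": best_ind.service,
    }


CLOUD_TAGS = frozenset({"AWS", "GCP"})


def lookup(ip: str, tags: FrozenSet[str] = CLOUD_TAGS) -> Optional[Dict[str, str]]:
    """Convenience wrapper over the constructed indicator list."""
    return find_region_and_service(ip, INDICATORS, tags)


if __name__ == "__main__":
    for ip in ("10.10.40.1", "10.10.32.7", "10.10.200.1", "10.20.1.1", "10.30.1.1", "2001:db8:10::1"):
        print(ip, "->", lookup(ip))
```

In the sample data 10.10.40.1 sits inside both the /16 and the /20 but not the /24, so the /20 (EC2) is reported; 10.30.1.1 is contained only by the untagged corporate /8 and therefore yields no cloud attribution rather than a wrong one.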
Expanse Load-Create ListSubplaybook to support Expanse Handle Incident playbook.
Load a list to be used in Expanse playbook.
Create the list if it does not exist.
Export Single Alert to ServiceNow - PANW IoT 3rd Party IntegrationThis playbook handles incidents triggered in the PANW IoT (Zingbox) UI by sending the alert to ServiceNow.
Export Single Asset to SIEM - PANW IoT 3rd Party IntegrationThis playbook handles incidents triggered in the PANW IoT (Zingbox) UI by sending the alert to your SIEM.
Export Single Vulnerability to ServiceNow - PANW IoT 3rd Party IntegrationThis playbook handles incidents triggered in the PANW IoT (Zingbox) UI by sending the vulnerability to ServiceNow.
Extract and Enrich Expanse IndicatorsSubplaybook for Handle Expanse Incident playbooks.
Extract and Enrich Indicators (CIDRs, IPs, Certificates, Domains and DomainGlobs) from Expanse Incidents.
Enrichment is performed via enrichIndicators command and generic playbooks.
Returns the enriched indicators.
Extract Indicators - GenericDeprecated. We recommend using extractIndicators command instead.
Extract indicators from input data.
Extract Indicators From File - GenericDeprecated. Extracts indicators from a file.
Supported file types:
- PDF
- TXT
- HTM, HTML
- DOC, DOCX
Extract Indicators From File - Generic v2Extracts indicators from a file.
Supported file types:
- CSV
- PDF
- TXT
- HTM, HTML
- DOC, DOCX
- PPT
- PPTX
- RTF
- XLS
- XLSX
- XML
ExtraHop - CVE-2019-0708 (BlueKeep)This server received a Remote Desktop Protocol (RDP) connection request that is consistent with a known vulnerability, also known as BlueKeep, in older versions of Microsoft Windows. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network. Investigate to determine if this server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008.

MITIGATION OPTIONS
- Disable Remote Desktop Services if they are not required
- Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2
- Configure firewalls to block traffic on TCP port 3389
ExtraHop - DefaultDefault playbook to run for all ExtraHop Detection incidents. This playbook handles ticket tracking as well as triggering specific playbooks based on the name of the ExtraHop Detection.
ExtraHop - Get Peers by HostGiven a host, the playbook will retrieve the peer network devices that communicated with that host in a given time range. In addition to a list of peers and protocols (sorted by bytes) the playbook returns a link to the ExtraHop Live Activity Map to visualize the peer relationships.
ExtraHop - Ticket Tracking v2Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes.
Failed Login Playbook - Slack v2Deprecated. Use the Slack - General Failed Logins v2.1 playbook. When there are three failed login attempts to Demisto that originate from the same user ID, a direct message is sent to the user on Slack requesting that they confirm the activity. If the reply is "no", then the incident severity is set to "high". If the reply is "yes", then another direct message is sent to the user asking if they require a password reset in AD.
Field Polling - GenericThis playbook polls a field to check if a specific value exists.
File Enrichment - File reputationGet file reputation using one or more integrations
File Enrichment - GenericDeprecated. Use "File Enrichment - Generic v2" playbook instead. Enrich a file using one or more integrations.

File enrichment includes:
- File history
- Threat information
- File reputation
File Enrichment - Generic v2Enrich a file using one or more integrations.

- Provide threat information
File Enrichment - Virus Total Private APIGet file information using the Virus Total Private API integration.
FireEye Helix Archive SearchCreate an archive search in FireEye Helix, and fetch the results as events.
FireEye Red Team Tools Investigation and ResponseThis playbook does the following:

Collect indicators to aid in your threat hunting process.
- Retrieve IOCs of FireEye red team tools.
- Discover IOCs of associated activity related to the infection.
- Generate an indicator list to block indicators with SUNBURST tags.

Hunt for the indicators
- Search endpoints with the FireEye red team tools CVEs.
- Search endpoint logs for FireEye red team tools hashes.
- Search and link previous incidents with the FireEye hashes.

If compromised hosts are found, fire off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.
GDPR Breach NotificationThis playbook is triggered by a GDPR breach incident, and then performs the required tasks that are detailed in GDPR Article 33.
The General Data Protection Regulation (the GDPR) is a regulation in EU law on data protection and privacy of individuals. The GDPR introduces the requirement for a personal data breach to be notified to the competent national supervisory authority and in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach.
***Disclaimer: This playbook does not ensure compliance to the GDPR regulation. Before using this playbook, we advise consulting with the relevant authority, and adjusting it to the organization's needs.
GenericPollingUse this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete.
This playbook implements polling by continuously running the command in Step #2 until the operation completes.
The remote action should have the following structure:

1. Initiate the operation.
2. Poll to check if the operation completed.
3. (optional) Get the results of the operation.
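The three-step contract above (initiate, poll, optionally fetch results) is the same shape whether the remote action is a sandbox detonation, a scan or an EDR live-response job, and the detail most often missed is the deadline: a poll loop without one blocks the parent playbook forever when the remote side never completes. The following is an added example, not code from the GenericPolling playbook or from XSOAR: a small Python helper that drives any initiate/poll/result triple with a configurable interval and timeout, exercised against a constructed in-memory stand-in for a sandbox API. `FakeSandbox`, `PollingTimeout` and the injectable `sleep`/`clock` parameters are assumptions made for the illustration.

```python
import time
from typing import Callable, Optional, TypeVar

T = TypeVar("T")


class PollingTimeout(Exception):
    """Raised when the remote operation does not complete before the deadline."""


def poll_until_complete(
    initiate: Callable[[], str],
    is_complete: Callable[[str], bool],
    get_result: Optional[Callable[[str], T]] = None,
    interval: float = 1.0,
    timeout: float = 60.0,
    sleep: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.monotonic,
) -> Optional[T]:
    """Step 1: initiate and obtain a job id. Step 2: poll until complete, or raise
    PollingTimeout once the deadline passes. Step 3 (optional): fetch the result.
    `sleep` and `clock` are injectable so the loop can be tested without waiting."""
    job_id = initiate()
    deadline = clock() + timeout
    while not is_complete(job_id):
        if clock() >= deadline:
            raise PollingTimeout(f"operation {job_id!r} did not complete within {timeout}s")
        sleep(interval)
    return get_result(job_id) if get_result is not None else None


class FakeSandbox:
    """Constructed stand-in for a remote sandbox API; reports 'done' after N status polls."""

    def __init__(self, polls_until_done: int):
        self.polls_until_done = polls_until_done
        self.polls = 0

    def submit(self, sha256: str) -> str:          # step 1
        return "job-" + sha256[:8]

    def status(self, job_id: str) -> bool:         # step 2
        self.polls += 1
        return self.polls >= self.polls_until_done

    def report(self, job_id: str) -> dict:         # step 3
        return {"job": job_id, "verdict": "malicious"}


def detonate_and_wait(sandbox: FakeSandbox, sha256: str, **kwargs) -> dict:
    """Wire the sandbox's three calls into the generic poller."""
    return poll_until_complete(
        lambda: sandbox.submit(sha256), sandbox.status, sandbox.report, **kwargs
    )


def run_demo() -> dict:
    """Happy path: the job finishes on the third poll; no real sleeping in the demo."""
    sb = FakeSandbox(polls_until_done=3)
    report = detonate_and_wait(sb, "a" * 64, interval=1.0, sleep=lambda _: None)
    return {"verdict": report["verdict"], "polls": sb.polls, "job": report["job"]}


def run_timeout_demo() -> dict:
    """Failure mode: the job never completes; a fake clock advances on each sleep so the
    30s deadline is hit after six 5s polls and PollingTimeout is raised."""
    now = [0.0]
    sb = FakeSandbox(polls_until_done=10**9)
    try:
        poll_until_complete(lambda: sb.submit("b" * 64), sb.status, sb.report,
                            interval=5.0, timeout=30.0,
                            sleep=lambda s: now.__setitem__(0, now[0] + s),
                            clock=lambda: now[0])
    except PollingTimeout:
        return {"timed_out": True, "polls": sb.polls}
    return {"timed_out": False, "polls": sb.polls}


if __name__ == "__main__":
    print(run_demo())
    print(run_timeout_demo())
```

The deadline is checked after each unsuccessful poll rather than before the first one, so a job that is already complete when first polled returns immediately even with a zero timeout; the failure case surfaces as an exception the caller can turn into an incident note instead of a hung task.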
Get File Sample By Hash - Carbon Black Enterprise ResponseReturns to the War Room a file sample matching the MD5 hashes in the input, using the Carbon Black Enterprise Response integration.
Get File Sample By Hash - Cylance ProtectReturns to the War Room a file sample matching the SHA256 hashes in the input, using the Cylance Protect integration.
Get File Sample By Hash - Cylance Protect v2This playbook returns a file sample to the War Room given the file's SHA256 hash, using Cylance Protect v2 integration.
Get File Sample By Hash - GenericDeprecated. Use "Get File Sample By Hash - Generic v2" playbook instead. Returns to the War Room a file sample matching a hash, using one or more products.
Get File Sample By Hash - Generic v2This playbook returns a file sample correlating to a hash in the war-room using the following sub-playbooks:
- Get File Sample By Hash - Carbon Black Enterprise Response
- Get File Sample By Hash - Cylance Protect v2
Get File Sample By Hash - Generic v3This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks:
- Get binary file by MD5 hash from Carbon Black telemetry data - VMware Carbon Black EDR v2.
- Get the threat (file) attached to a specific SHA256 hash - Cylance Protect v2.
Get File Sample From Path - Carbon Black Enterprise ResponseReturns a file sample to the war-room from a path on an endpoint using Carbon Black Enterprise Response
Get File Sample From Path - D2Returns a file sample to the War Room from a path on an endpoint using Demisto Dissolvable Agent (D2)

Inputs:
* Credentials - credentials to use when deploying Demisto Dissolvable Agent (D2) (default: Admin)
* ${Endpoint.Hostname} - target endpoint on which to deploy the agent
* ${File.Path} - path of the file to collect
Get File Sample From Path - GenericReturns a file sample to the war-room from a path on an endpoint using one or more integrations

inputs:
* UseD2 - if "True", use Demisto Dissolvable Agent (D2) to return the file (default: False)
Get File Sample From Path - Generic V2This playbook returns to the War Room a file sample from a path on an endpoint, using the following sub-playbooks:
1) Get File Sample From Path - D2.
2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).
Get File Sample From Path - VMware Carbon Black EDR - Live Response APIThis playbook retrieves a file from a path on an endpoint using VMware Carbon Black EDR (Live Response API).
Make sure to provide the Carbon Black sensor ID of the endpoint from which you want to retrieve the file.
Get Original Email - EWSUse this playbook to retrieve the original email in the thread, including headers and attachments, when the reporting user forwarded the original email inline rather than as an attachment.

You must have the necessary permissions in the EWS integration to execute global search: eDiscovery
Get Original Email - GenericUse this playbook to retrieve the original email in the thread, including headers and attachments, when the reporting user forwarded the original email inline rather than as an attachment.

You must have the necessary permissions in your email service to execute global search.

- EWS: eDiscovery
- Gmail: Google Apps Domain-Wide Delegation of Authority
Get Original Email - GmailUse this playbook to retrieve the original email in the thread, including headers and attachments, when the reporting user forwarded the original email inline rather than as an attachment.

You must have the necessary permissions in your Gmail service to execute global search: Google Apps Domain-Wide Delegation of Authority
Get the binary file from Carbon Black by its MD5 hashThis playbook retrieves a binary file by its MD5 hash from the Carbon Black telemetry data.
Google Vault - Display ResultsThis playbook queues and displays Google Vault search results.
Google Vault - Search DriveThis playbook performs a Google Vault search in Drive accounts and displays the results.
Google Vault - Search GroupsThis playbook performs a Google Vault search in Groups and displays the results.
Google Vault - Search MailThis playbook performs a Google Vault search in Mail accounts and displays the results.
Handle Darktrace Model BreachHandles each fetched Darktrace model breach by gathering additional detail about the activity and device, providing enrichment data from Darktrace and XSOAR, linking similar incidents, and giving the ability to acknowledge the model breach and close the incident.
Handle Expanse IncidentMain Playbook to Handle Expanse Incidents.

There are several phases:
1. Enrichment: all the related information from the incident is extracted and related Indicators (types IP, CIDR, Domain, DomainGlob, Certificate) are created and enriched.
2. Validation: the found IP and FQDN are correlated with the information available in other products:
- Risky or non-compliant communications to and from the IP with external IPs as flagged in Expanse's Behavior
- Firewall logs from Cortex Data Lake, Panorama and Splunk
- User information from Active Directory
- Public IP address from AWS/GCP/Azure public IP feeds to identify the Public Cloud region and Service (e.g. us-west-1 on AWS EC2)
- IP and FQDN from Prisma Cloud inventory
3. Shadow IT check: based on the information found, the playbook can suggest whether the discovered issue corresponds to an asset that is known to the InfoSec team (e.g. there are firewall logs present, or the asset is protected by Prisma Cloud, or is part of an IP range associated with the Company).
4. Attribution: based on the information collected above, the Analyst is prompted to assign this issue to an Organization Unit, that is a group within the Company with a specific owner. The Analyst can choose from existing Organization Units (stored in an XSOAR list) or define a new one.
5. Response: depending on the issue type, several remediation actions can be automatically and manually performed, such as:
- Tagging the asset in Expanse with a specific Organization Unit tag
- Blocking the service on PAN-OS (if a Firewall is deployed in front of the service)
- Creating a new Shadow IT issue (if the asset is detected to be Shadow IT and the Analyst confirms it)
- Adding the service to a Vulnerability Management system
- Linking the incident to a related Prisma Cloud alert for the asset (if the asset is found under Prisma Cloud inventory)
Handle Expanse Incident - Attribution OnlyShorter version of Handle Expanse Incident playbook with only the Attribution part.

There are several phases:
1. Enrichment: all the related information from the incident is extracted and related Indicators (of types IP, CIDR, Domain, DomainGlob, Certificate) are created and enriched.
2. Validation: the found IP and FQDN are correlated with the information available in other products:
- Risky or non-compliant communications to and from the IP with external IPs as flagged in Expanse's Behavior
- Firewall logs from Cortex Data Lake, Panorama and Splunk
- User information from Active Directory
- Public IP address from AWS/GCP/Azure public IP feeds to identify the Public Cloud region and Service (e.g. us-west-1 on AWS EC2)
- IP and FQDN from Prisma Cloud inventory
3. Shadow IT check: based on the information found, the playbook can suggest whether the discovered issue corresponds to an asset that is known to the InfoSec team (e.g. there are firewall logs present, or the asset is protected by Prisma Cloud, or is part of an IP range associated with the Company).
4. Attribution: based on the information collected above, the Analyst is prompted to assign this issue to an Organization Unit, that is a group within the Company with a specific owner. The Analyst can choose from existing Organization Units (stored in an XSOAR list) or define a new one.
Handle Hello World AlertThis playbook handles the alerts coming from the Hello World service.
Handle Hello World Premium AlertThis playbook handles the alerts coming from the Hello World Premium service.
Handle Shadow IT IncidentThis Playbook is used to handle a Shadow IT incident. A Shadow IT incident occurs when a resource attributed to the organization that is not sanctioned by IT nor protected by the InfoSec team is found.

This playbook handles the incident by helping the analyst to find the owner of the resource based on existing evidence. The playbook also marks the service indicators (IP or FQDN) with a Shadow IT tag. The possible owner and their manager are notified and onboarding of the asset on Prisma Cloud is triggered through a manual process.
Handle TD eventsPlaybook to enrich TD events
HelloWorld ScanThis Playbook simulates a vulnerability scan using the "HelloWorld" sample integration. It's used to demonstrate how to use the GenericPolling mechanism to run jobs that take several seconds or minutes to complete. It is designed to be used as a subplaybook, but you can also use it as a standalone playbook, by providing the ${Endpoint.Hostname} input in the Context.

Other inputs include the report output format (JSON context or File attached), and the Interval/Timeouts to use for polling the scan status until it's complete.
HIPAA - Breach NotificationThe US Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers organizations that use, store, or process Protected Health Information (PHI).
The HIPAA Breach Notification Rule requires organizations that handle PHI to disclose breaches of that data; depending on the breach, notification goes to the affected individuals, to the Secretary of Health and Human Services, and, for larger breaches, to the media.
This playbook is triggered by a HIPAA breach notification incident and follows through with the notification procedures.

DISCLAIMER: Please consult with your legal team before implementing this playbook.

Source: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Hostname And IP Address Investigation And Remediation - ChronicleThis playbook receives ChronicleAsset type of indicators from its parent playbook "ChronicleAsset Investigation - Chronicle", performs enrichment and investigation for each one of them, provides an opportunity to isolate and block the hostname or IP address associated with the current indicator, and provides a list of isolated and blocked entities.
Humio QueryJob PollRun and poll a Humio Query Job
Hunt Extracted HashesDeprecated. Use the Hunt Extracted Hashes V2 playbook instead. This playbook extracts IOCs from the incident details and attached files using regular expressions and then hunts for hashes on endpoints in the organization using available tools.
The playbook supports multiple types of attachments. For the full supported attachments list, refer to "Extract Indicators From File - Generic v2".
Hunt Extracted Hashes V2This playbook extracts IOCs from the incident details and attached files using regular expressions and then hunts for hashes on endpoints in the organization using available tools.
The playbook supports multiple types of attachments. For the full supported attachments list, refer to "Extract Indicators From File - Generic v2".
Hunt for bad IOCsDeprecated. Use the Search Endpoints By Hash playbook. Assume that malicious IOCs are in the right place in the context and start hunting using available tools.
Hunting C&C Communication PlaybookDeprecated. A playbook to use the latest Threat Intelligence to hunt across your infrastructure and look for malicious C&C communications.
Hybrid-analysis quick-scanUse this playbook to run the Hybrid Analysis quick-scan command with GenericPolling.
IAM - App SyncSyncs users to apps from which the user was added or removed. The playbook utilizes the "IAM Configuration" incident type to determine which integration instance the command needs to execute in. It creates or disables the user according to the fetched event type, tracks errors if there are any, and assigns an analyst to review the incident when needed.
IAM - ConfigurationAs the default playbook for the "IAM - Configuration" incident type, when an "IAM - Configuration" incident is created this playbook runs automatically and closes any previous incidents of the same type.
IAM - New HireThis playbook creates users across all available organization applications from new hire events fetched from Workday.
IAM - Rehire UserThis playbook sets a user's status in the organization to rehired by updating the incident information and User Profile indicator with values indicating a rehire, and enabling the account in the supported apps.
IAM - Sync UserThis playbook runs on fetched Workday events. The events are changes to employee data, which in turn require a CRUD operation across your organization's apps. The playbook examines the data received from Workday, and provisions the changes in a User Profile indicator in Cortex XSOAR as well as all the supported IAM integrations that are active.
IAM - Terminate UserThis playbook sets the user status to terminated in the organization by updating the incident information and User Profile indicator with values indicating termination, and disabling the account in the supported apps.
IAM - Test InstancesThis playbook is used to test configured Identity Lifecycle Management integration instances by executing generic CRUD commands. If one of the instances fails to execute a command, the playbook will fail and the errors are printed to the Print Errors task at the end of the playbook.
IAM - Update UserThis playbook updates users in the organization by updating the incident information and User Profile indicator with the updated values, and updating the account in the supported apps with the new information.
Illinois - Breach NotificationThis playbook helps an analyst determine if the breached data meets the criteria for breach notification according to Illinois law, and, if necessary, follows through with the notification procedures.

DISCLAIMER: Please consult with your legal team before implementing this playbook.

Sources:
http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act
https://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf
Illusive - Data EnrichmentThis playbook is used for automatic enrichment of incidents in the organization network with Illusive's set of forensics and data.
Illusive - Incident EscalationThis playbook is used to create an automatic analysis of the Illusive incident details, in order to produce a score or a set of insights that enable automatic decisions and actions.
Illusive-Collect-Forensics-On-DemandThis playbook is used to collect forensics on-demand on any compromised host and retrieve the forensics timeline upon successful collection.
Illusive-Retrieve-IncidentThis playbook is used for retrieving an extensive view over a detected incident by retrieving the incident details and a forensics timeline if and when forensics have been successfully collected.
Impossible TravelerThis playbook investigates an event whereby a user has multiple application login attempts from various locations in a short time period (impossible traveler). The playbook gathers the user, timestamp and IP information associated with the multiple application login attempts.

The playbook then measures the time difference between the login attempts and computes the distance between the two locations to verify whether the user could have traversed that distance in the time available. It also takes steps to remediate the incident by blocking the offending IPs and disabling the user account, if chosen to do so.
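The distance-versus-time check described above, as an added example that is not the playbook's own code. The login events, their coordinates and the 1000 km/h threshold are constructed or assumed; geolocating the source IPs is taken to have already happened during enrichment.

```python
"""Feasibility check behind an impossible traveler alert, as an added example;
it is not the playbook's own code. The login events, their coordinates and
the speed threshold are constructed/assumed; geolocating the source IPs is
taken to have happened already during enrichment."""
import math
from datetime import datetime, timezone
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumption: roughly airliner cruising speed

# Constructed sample logins; IPs come from documentation ranges.
SAMPLE_LOGINS: List[Dict] = [
    {"user": "alice", "ts": "2024-03-01T08:00:00Z", "ip": "203.0.113.10", "lat": 40.7128, "lon": -74.0060},  # New York
    {"user": "alice", "ts": "2024-03-01T09:00:00Z", "ip": "198.51.100.7", "lat": 51.5074, "lon": -0.1278},   # London, 1 h later
    {"user": "bob",   "ts": "2024-03-01T08:00:00Z", "ip": "203.0.113.20", "lat": 40.7128, "lon": -74.0060},  # New York
    {"user": "bob",   "ts": "2024-03-01T10:00:00Z", "ip": "203.0.113.21", "lat": 42.3601, "lon": -71.0589},  # Boston, 2 h later
]


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def parse_ts(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' is normalised to an explicit UTC offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def required_speed_kmh(first: Dict, second: Dict) -> float:
    """Speed the user would have needed to be at both login locations.

    Same location gives 0 regardless of timing; distinct locations with the same
    timestamp give inf, so the edge cases never divide by zero.
    """
    distance = haversine_km((first["lat"], first["lon"]), (second["lat"], second["lon"]))
    hours = abs((parse_ts(second["ts"]) - parse_ts(first["ts"])).total_seconds()) / 3600
    if distance == 0:
        return 0.0
    return math.inf if hours == 0 else distance / hours


def impossible_pairs(events: List[Dict], max_speed: float = MAX_PLAUSIBLE_SPEED_KMH) -> List[Tuple[str, str, float]]:
    """Compare each user's consecutive logins (in time order) and return the
    pairs whose implied speed exceeds ``max_speed`` as (first_ip, second_ip, km/h)."""
    by_user: Dict[str, List[Dict]] = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user.setdefault(ev["user"], []).append(ev)
    hits = []
    for logins in by_user.values():
        for prev, cur in zip(logins, logins[1:]):
            speed = required_speed_kmh(prev, cur)
            if speed > max_speed:
                hits.append((prev["ip"], cur["ip"], speed))
    return hits


if __name__ == "__main__":
    for first_ip, second_ip, speed in impossible_pairs(SAMPLE_LOGINS):
        print(f"impossible: {first_ip} -> {second_ip} would need {speed:.0f} km/h")
```

The implied speed is returned alongside the IP pair so the analyst sees why the alert fired; the threshold is deliberately generous, since the point is to catch logins that no form of travel explains, not to second-guess a fast connection.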
Incremental Export Devices to ServiceNow - PANW IoT 3rd Party IntegrationPlaybook to be run every 15 minutes via a job. Each run will get incremental updates for devices to send to ServiceNow server.
Incremental Export to Cisco ISE - PANW IoT 3rd Party IntegrationPlaybook to be run every 15 minutes via a job. Each run will get incremental updates for devices, and will update or create new endpoints in Cisco ISE with PANW IOT discovered attributes (ISE custom attributes).
Incremental Export to SIEM - PANW IoT 3rd Party IntegrationThis playbook should be run as a job at an interval of every 15 minutes. Each run will get incremental updates for devices, alerts, and vulnerabilities and send CEF syslogs to the configured SIEM server.
Indicator Pivoting - DomainTools IrisPivots are used to gather data that share a common attribute with a domain. For instance, pivoting on an IP Address will give you back all domains related to that IP address.
Integrations and Incidents Health Check - Running ScriptsThis playbook is triggered by a 'JOB - Integrations and Playbooks Health' playbook and is responsible for running failed integrations and failed incidents scripts. The playbook may run separately from the main playbook to run health tests on enabled integrations and open incidents.
Intezer - Analyze by hashAnalyze the given file hash on Intezer Analyze and enrich the file reputation. Supports SHA256, SHA1, and MD5.
Intezer - Analyze Uploaded fileUpload a file (up to 32 MB) to Intezer Analyze to analyze it and enrich the file reputation.
Intezer - scan hostUses Demisto D2 agent to scan a host using Intezer scanner.

Input:
* Hostname (default: ${Endpoint.Hostname})
* OS (default: windows)
* Credentials (default: Admin)
Investigate On Bad Domain Matches - ChronicleUse this playbook to investigate and remediate Bad IOC domain matches with recent activity found in the enterprise, as well as notify the SOC lead and network team about the matches.
Supported Integrations:
- Chronicle
- Whois
- Mail Sender (New)
- Palo Alto Networks PAN-OS
- Palo Alto Networks AutoFocus v2
IP Enrichment - External - Generic v2Enrich IP addresses using one or more integrations.

- Resolve IP addresses to hostnames (DNS)
- Provide threat information
- Separate internal and external addresses
IP Enrichment - GenericDeprecated. Enrich IP using one or more integrations.

IP enrichment includes:
* Resolve IP to Hostname (DNS)
* Threat information
* Separate internal and external addresses
* IP reputation
* For internal addresses, get host information
IP Enrichment - Generic v2Enrich IP addresses using one or more integrations.

- Resolve IP addresses to hostnames (DNS)
- Provide threat information
- Separate internal and external IP addresses
- For internal IP addresses, get host information
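The internal/external split that the IP enrichment playbooks perform, combined with the public-cloud region lookup mentioned in the Handle Expanse Incident validation phase, as an added example that is not the playbooks' own code. The organization's own prefixes and the cloud feed entries are constructed; a real run would load AWS's ip-ranges.json or the equivalent GCP/Azure feeds.

```python
"""Splitting indicators into internal and external addresses, and tagging
external ones with a cloud provider region, as an added example (not the
playbook's own code). The org ranges and the cloud prefix feed are constructed;
a real run would load AWS's ip-ranges.json or the equivalent GCP/Azure feeds."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Treated as internal by default: RFC 1918, loopback, link-local, CGNAT
# (RFC 6598) and the IPv6 loopback/ULA/link-local equivalents.
DEFAULT_INTERNAL: List[IPNetwork] = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed feed entries in the shape of AWS ip-ranges.json "prefixes";
# the prefix itself is a documentation range, not a real AWS allocation.
SAMPLE_CLOUD_FEED: List[Dict[str, str]] = [
    {"provider": "AWS", "ip_prefix": "203.0.113.0/24", "region": "us-west-1", "service": "EC2"},
]


def cloud_lookup(addr, feed: Iterable[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Return provider/region/service for the first feed prefix containing addr, else None."""
    for entry in feed:
        if addr in ipaddress.ip_network(entry["ip_prefix"], strict=False):
            return {k: entry[k] for k in ("provider", "region", "service")}
    return None


def classify_ips(ips: Iterable[str], org_ranges: Iterable[str] = (),
                 cloud_feed: Iterable[Dict[str, str]] = SAMPLE_CLOUD_FEED) -> Dict[str, list]:
    """Bucket addresses as internal/external/invalid and tag externals with cloud info.

    Membership is tested against explicit prefixes rather than ``is_private``:
    ``is_private`` also covers documentation and reserved blocks, so it would
    call 203.0.113.5 'internal' while a public cloud feed maps it to a region.
    ``org_ranges`` are the organization's own public prefixes (assumed input);
    addresses in them are internal even though they are globally routable.
    """
    internal = DEFAULT_INTERNAL + [ipaddress.ip_network(r, strict=False) for r in org_ranges]
    out: Dict[str, list] = {"internal": [], "external": [], "invalid": []}
    for raw in ips:
        try:
            addr = ipaddress.ip_address(str(raw).strip())
        except ValueError:
            out["invalid"].append(raw)        # keep the bad value for the analyst to see
            continue
        # 'in' is False across IP versions, so mixed v4/v6 prefixes are safe here
        if any(addr in net for net in internal):
            out["internal"].append(str(addr))
        else:
            out["external"].append({"ip": str(addr), "cloud": cloud_lookup(addr, cloud_feed)})
    return out


if __name__ == "__main__":
    sample = ["10.1.2.3", "203.0.113.7", "198.51.100.9", "2001:db8::1", "not-an-ip"]
    for bucket, items in classify_ips(sample, org_ranges=["198.51.100.0/24"]).items():
        print(bucket, items)
```

Invalid strings are kept rather than dropped, since a malformed indicator in an incident is itself worth a look, and the cloud tag travels with the external address so downstream tasks can reason about region and service without a second lookup.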
IP Enrichment - Internal - Generic v2Enrich Internal IP addresses using one or more integrations.

- Resolve IP address to hostname (DNS)
- Separate internal and external IP addresses
- Get host information for IP addresses
IP Enrichment - XM CyberEnrich IP addresses using XM Cyber integration.
- Resolve IP address to entity
- Get entity information for IP addresses regarding impact on critical assets and complexity of compromise
IP Reputation-GreyNoisePlaybook for the ip reputation command
IP Whitelist - AWS Security GroupSync a list of IP addresses to an AWS Security Group.
IP Whitelist - GCP FirewallSet a list of IP addresses in GCP firewall.
IP Whitelist And Exclusion - RiskIQ Digital FootprintWhitelists the IP address(es) after checking whether they should be whitelisted according to the user inputs provided. This playbook also adds these IP address indicators to the exclusion list and tags them with the "RiskIQ Whitelisted IP Address" tag.
Isolate Endpoint - CybereasonThis playbook isolates an endpoint based on the hostname provided.
Isolate Endpoint - GenericThis playbook isolates a given endpoint using the following integrations:
- Carbon Black Enterprise Response
- Palo Alto Networks Traps
IT - Employee OffboardingThis playbook offboards company employees to maintain organizational security and prevent abuse of company resources. It streamlines the process of returning company property, delegates resources to the employee's manager, retains important data that is in possession of the employee, and deletes the user and user information if chosen to do so.
IT - Employee Offboarding - ManualThis playbook provides a manual alternative to the IT - Employee Offboarding playbook. The playbook guides the user in the process of manually offboarding an employee.
JOB - Cortex XDR query endpoint device control violationsA job to periodically query Cortex XDR device control violations by a given timestamp in a relative date playbook input.
The collected data, if found, will be generated for a new incident.
You can configure the created new incident type in the playbook input and use the XDR Device Control Violations incident type to associate it with the response playbook.
The job includes an incident type with a dedicated layout to visualize the collected data.
To configure the job correctly:
1. Create a new recurring job.
2. Configure the recurring schedule.
3. Add a name.
4. Configure the type to XDR Device Control Violations.
5. Configure this playbook as the job playbook.
The scheduled run time and the timestamp relative date should be identical.
If the job recurs every 7 days, the timestamp should be 7 days as well.
JOB - Integrations and Incidents Health CheckYou should run this playbook as a scheduled job. The playbook checks the health of all enabled integrations and open incidents.
JOB - Integrations and Incidents Health Check - Lists handlingThis playbook is triggered by a 'JOB - Integrations and Playbooks Health' playbook and is responsible for creating or updating related XSOAR lists.
JOB - XSOAR - Export Selected Custom ContentThis playbook is intended to be run as an ad hoc job to quickly create a custom content bundle with only selected items from the server's custom content.

Then you can import this new zip on the other XSOAR server.

Create a Job with the Type "XSOAR Dev to Prod", and select this playbook to get started. For more information on Jobs: https://xsoar.pan.dev/docs/incidents/incident-jobs
JOB - XSOAR - Simple Dev to ProdThis playbook is intended to be run as an ad hoc job to quickly create a custom content bundle with only selected items from the server's custom content. You can import this new zip on the other XSOAR server, or push it to production using the Demisto REST API integration.

Please ensure to read the setup instructions for this pack carefully.

Create a Job with the Type "XSOAR Dev to Prod", and select this playbook to get started. For more information on Jobs: https://xsoar.pan.dev/docs/incidents/incident-jobs
Launch Scan - Tenable.scLaunches an existing Tenable.sc scan by scan ID and waits for the scan to finish by polling its status in pre-defined intervals.
List Device Events - ChronicleThis playbook receives ChronicleAsset identifier information and provides a list of events related to each one of them.
Supported integration:
- Chronicle
Logz.Io Handle AlertHandles a Logz.io Alert by retrieving the events that generated it.
Logz.io Indicator HuntingThis playbook queries Logz.io in order to hunt for indicators such as:
- File hashes
- IP addresses
- Domains / URLs
It outputs the users, IP addresses and host names related to the indicators searched.
Lost / Stolen Device PlaybookThis manual playbook handles an incident for a lost or stolen device. It guides the analyst through various steps to validate the type of device and its contents, and the required steps for response and remediation. Initial incident details should be the name of the reporting person or ID of the SIEM alert/incident, and description of the lost device.
LSASS Credential DumpinThis playbook is focused on detecting credential dumping attacks as researched by Accenture Security analysts and engineers.
Malware Investigation - GenericDeprecated. Use "Endpoint Malware Investigation - Generic" playbook instead. Investigate a malware using one or more integrations
Malware Investigation - Generic - SetupDeprecated. Verify file sample and hostname information for the "Malware Investigation - Generic" playbook.
If the file sample or hostname are missing, the playbook will attempt to retrieve them using one or more integrations
Malware Investigation - ManualMaster playbook for investigating suspected malware presence on an endpoint.
Labels:
- System: the hostname for the endpoint being investigated
Malware Playbook - ManualDeprecated. Use "Malware Investigation - Manual" playbook instead. Master playbook for investigating suspected malware presence on an endpoint.
Labels:
- System: the hostname for the endpoint being investigated
MAR - Endpoint data collectionUse McAfee Active Response to collect data from an endpoint for IR purposes (requires ePO as well)

Input:
* Hostname (Default: ${Endpoint.Hostname})
McAfee ePO Endpoint Compliance PlaybookDeprecated. Use "McAfee ePO Endpoint Compliance Playbook v2" playbook instead. Discover endpoints that are not using the latest McAfee AV Signatures
McAfee ePO Endpoint Compliance Playbook v2Discover endpoints that are not using the latest McAfee AV Signatures
McAfee ePO Endpoint Connectivity Diagnostics Playbook v2Checks ePO endpoints for any that are unmanaged or have lost connectivity with ePO, and takes steps to return them to a valid state.
McAfee ePO Repository Compliance PlaybookDeprecated. Use "McAfee ePO Repository Compliance Playbook v2" playbook instead. Ensures that ePO servers are updated to the latest McAfee published AV signatures (DAT file version).
McAfee ePO Repository Compliance Playbook v2Ensures that ePO servers are updated to the latest McAfee published AV signatures (DAT file version).
Mirror ServiceNow TicketMirror ServiceNow Ticket is designed to serve as a sub-playbook, which enables ticket mirroring with ServiceNow.
It enables you to manage ServiceNow tickets in Cortex XSOAR while data is continuously synced between ServiceNow and Cortex XSOAR, including ServiceNow schema, fields, comments, work notes, and attachments.

To enable OOTB mirroring, use the ServiceNow Create ticket - common mappers for incoming and outgoing mirroring.

FieldPolling - Set the FieldPolling value to true if you only want to be informed when the ticket is resolved or closed. If FieldPolling is set to true, the FieldPolling playbook polls the state (the ServiceNow State field) of the ServiceNow ticket until it is marked as either resolved or closed.

In addition to the playbook, we recommend that you use the included layout for ServiceNow Ticket, which helps visualize ServiceNow ticket information in Cortex XSOAR.
You can add the new layout as a tab to existing layouts using the Edit Layout page.
NetOps - Firewall Version and Content UpgradeNetwork operations playbook that updates the version and content of the firewall. You must have Superuser permissions to update the PAN-OS version.
NetOps - Upgrade PAN-OS Firewall DeviceNetwork operations playbook that upgrades the firewall. You must have Superuser permissions to update the PAN-OS version. Note: This playbook should only be used for minor version upgrades. Major version upgrades will not work due to a change in the API key.
New York - Breach NotificationThis playbook helps an analyst determine if the breached data meets the criteria for breach notification according to New York State law, and, if necessary, follows through with the notification procedures.

DISCLAIMER: Please consult with your legal team before implementing this playbook.

Sources:
https://ag.ny.gov/internet/data-breach
https://www.dos.ny.gov/consumerprotection/pdf/infosecbreach03.pdf
https://www.nysenate.gov/legislation/laws/GBS/899-AA
Nexpose - Create and Download ReportUse this playbook as a sub-playbook to configure a report and download it.
This playbook implements polling by continuously running the nexpose-get-report-status command until the operation completes.
The remote action should have the following structure:

1. Initiate the operation - insert the type of the report (sites, scan, or assets) and its additional arguments if required.
2. Poll to check if the operation completed.
3. Get the results of the operation.
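The initiate / poll / fetch structure that both the GenericPolling and the Nexpose - Create and Download Report entries describe, as an added example that is not Cortex XSOAR's own GenericPolling implementation. The remote service (FakeScanner) and its job states are constructed so the example runs offline; a real caller would pass the integration's start, status and report commands in place of them.

```python
"""The initiate / poll / fetch pattern behind GenericPolling-style playbooks,
as an added example (not Cortex XSOAR's own implementation). The remote
service, FakeScanner, and its job states are constructed so the example runs
offline; a real caller would swap in the integration's start/status/report
commands."""
import time
from dataclasses import dataclass, field
from typing import Any, Callable, Dict


class PollTimeout(Exception):
    """The remote operation did not reach a terminal state before the deadline."""


class RemoteOperationFailed(Exception):
    """The remote side reported a terminal failure state."""


@dataclass
class FakeScanner:
    """Constructed stand-in for a remote job API; each status poll advances the job."""
    polls_to_finish: int = 3
    fail: bool = False
    jobs: Dict[str, Dict[str, Any]] = field(default_factory=dict)

    def start(self, target: str) -> str:              # step 1: initiate
        job_id = f"job-{len(self.jobs) + 1}"
        self.jobs[job_id] = {"target": target, "polls": 0}
        return job_id

    def status(self, job_id: str) -> str:             # step 2: poll
        job = self.jobs[job_id]
        job["polls"] += 1
        if job["polls"] < self.polls_to_finish:
            return "running"
        return "failed" if self.fail else "complete"

    def report(self, job_id: str) -> Dict[str, Any]:  # step 3: fetch results
        return {"target": self.jobs[job_id]["target"], "findings": ["finding-1"]}


def run_remote_operation(
    initiate: Callable[[], str],
    poll: Callable[[str], str],
    fetch: Callable[[str], Any],
    interval: float = 10.0,
    timeout: float = 600.0,
    sleep: Callable[[float], None] = time.sleep,
) -> Any:
    """Initiate, poll every ``interval`` seconds until a terminal state, then fetch.

    ``interval``/``timeout`` mirror the Interval and Timeout inputs of the polling
    playbooks. A 'failed' state is raised rather than returned, so a caller can
    never mistake a missing report for an empty one, and the deadline stops the
    parent playbook from blocking forever on a job that never finishes.
    """
    job_id = initiate()
    deadline = time.monotonic() + timeout
    while True:
        state = poll(job_id)
        if state == "complete":
            return fetch(job_id)
        if state == "failed":
            raise RemoteOperationFailed(f"{job_id} ended in state {state!r}")
        if time.monotonic() >= deadline:
            raise PollTimeout(f"{job_id} still {state!r} after {timeout}s")
        sleep(interval)


def outcome(scanner: FakeScanner, timeout: float = 5.0) -> str:
    """Run the pattern against ``scanner`` with no real sleeping and report how it ended."""
    try:
        run_remote_operation(lambda: scanner.start("10.0.0.5"), scanner.status,
                             scanner.report, interval=0, timeout=timeout,
                             sleep=lambda _: None)
        return "complete"
    except RemoteOperationFailed:
        return "failed"
    except PollTimeout:
        return "timeout"


if __name__ == "__main__":
    scanner = FakeScanner(polls_to_finish=3)
    print(run_remote_operation(lambda: scanner.start("10.0.0.5"),
                               scanner.status, scanner.report, interval=0.1))
```

The three callables correspond to the three steps in the entries above; keeping them separate is what lets one polling routine serve every integration whose API exposes a start command, a status command and a results command.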
NIST - Handling an Incident TemplateThis playbook contains the phases of handling an incident as described in the 'Handling an Incident' section of NIST - Computer Security Incident Handling Guide.

Handling an incident - Computer Security Incident Handling Guide
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
NIST - Lessons LearnedThis playbook assists in processing an incident after it occurs and facilitates the lessons learned stage.
O365 - Security And Compliance - SearchThis playbook performs the following steps:
1. Creates a compliance search.
2. Starts a compliance search.
3. Waits for the compliance search to complete.
4. Gets the results of the compliance search as an output.
5. Gets the preview results, if specified.
O365 - Security And Compliance - Search Action - DeleteThis playbook performs the following steps:
1. Creates a new compliance search action Purge - Hard or Soft.
2. Waits for the compliance search action to complete.
3. Retrieves the delete search action.
O365 - Security And Compliance - Search Action - PreviewThis playbook performs the following steps:
1. Creates a new compliance search action - Preview (based on a previously created compliance search).
2. Waits for the preview action to complete.
3. Retrieves the preview results.
O365 - Security And Compliance - Search And DeleteThis playbook performs the following steps:
1. Creates a compliance search.
2. Starts a compliance search.
3. Waits for the compliance search to complete.
4. Gets the results of the compliance search.
5. Gets the preview results, if specified.
6. Deletes the search results (Hard/Soft).
Office 365 Search and DeleteRun a ComplianceSearch on Office 365 and delete the results.
Palo Alto Networks - Endpoint Malware InvestigationThis playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps. The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks Minemeld and AutoFocus, and automatically detonates the extracted file. It then performs IOC enrichment with Minemeld for all related IOCs, and calculates the incident severity based on all the findings. In addition, the file is detonated for the full analysis report.
The analyst can perform a manual memory dump of the suspected endpoint based on the incident's severity, and choose to isolate the source endpoint with Traps.
Hunting tasks to find more infected endpoints are performed automatically based on a playbook input; after all infected endpoints are found, remediation for all malicious IOCs is performed, including file quarantine, and IP and URL blocking with Palo Alto Networks firewall components such as Dynamic Address Groups and Custom URL Categories.
After the investigation review, the incident is automatically closed.
Palo Alto Networks - Endpoint Malware Investigation v2Deprecated. This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps. The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks Minemeld and AutoFocus, and automatically detonates the extracted file. It then performs IOC enrichment with Minemeld for all related IOCs, and calculates the incident severity based on all the findings. In addition, the file is detonated for the full analysis report.
The analyst can perform a manual memory dump of the suspected endpoint based on the incident's severity, and choose to isolate the source endpoint with Traps.
Hunting tasks to find more infected endpoints are performed automatically based on a playbook input; after all infected endpoints are found, remediation for all malicious IOCs is performed, including file quarantine, and IP and URL blocking with Palo Alto Networks firewall components such as Dynamic Address Groups and Custom URL Categories.
After the investigation review, the incident is automatically closed.
Palo Alto Networks - Endpoint Malware Investigation v3This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps. The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks Minemeld and AutoFocus, and automatically detonates the extracted file. It then performs IOC enrichment with Minemeld for all related IOCs, and calculates the incident severity based on all the findings. In addition, the file is detonated for the full analysis report.
The analyst can perform a manual memory dump of the suspected endpoint based on the incident's severity, and choose to isolate the source endpoint with Traps.
Hunting tasks to find more infected endpoints are performed automatically based on a playbook input; after all infected endpoints are found, remediation for all malicious IOCs is performed, including file quarantine, and IP and URL blocking with Palo Alto Networks firewall components such as Dynamic Address Groups and Custom URL Categories.
After the investigation review, the incident is automatically closed.
Palo Alto Networks - Hunting And Threat DetectionThis is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on hashes, IP addresses, or domain names provided manually or from outputs by other playbooks.
With the received indicators, the playbook leverages data received from PANW products, including Cortex Data Lake, AutoFocus and PAN-OS, to search for IP addresses, host names and users related to the provided indicators.
The output provided by the playbook facilitates pivoting searches for possibly affected IP addresses or users.
Palo Alto Networks - Malware RemediationThis Playbook performs malicious IOC remediation using Palo Alto Networks integrations.
PAN-OS - Add Static RoutesThis playbook accepts a PAN-OS static route configuration and creates it in the PAN-OS instance.
PAN-OS - Block Destination ServiceThis playbook blocks a Destination IP and Service (TCP or UDP port) by creating a rule for a specific Device Group on PAN-OS.
PAN-OS - Block Domain - External Dynamic ListThis playbook blocks Domains using Palo Alto Networks Panorama or Firewall External Dynamic Lists.
It checks if the EDL configuration is in place with the 'PAN-OS EDL Setup' sub-playbook (otherwise the list will be configured), and adds the input domains to the relevant lists.
PAN-OS - Block IP - Custom Block RuleThis playbook blocks IP addresses using Custom Block Rules in Palo Alto Networks Panorama or Firewall.
The playbook receives malicious IP addresses as inputs, creates a custom bi-directional rule to block them, and commits the configuration.
PAN-OS - Block IP - Static Address GroupThis playbook blocks IP addresses using Static Address Groups in Palo Alto Networks Panorama or Firewall.
The playbook receives malicious IP addresses and an address group name as inputs, verifies that the addresses are not already a part of the address group, adds them and commits the configuration.

Note: The playbook does not block the address group's communication using a policy block rule. That step must be taken separately, outside of the playbook.
PAN-OS - Block IP and URL - External Dynamic ListDeprecated. Use "PAN-OS - Block IP and URL - External Dynamic List v2" playbook instead. This playbook blocks IP addresses and URLs using Palo Alto Networks Panorama or Firewall External Dynamic Lists.
It checks if the EDL configuration is in place with the 'PAN-OS EDL Setup' sub-playbook (otherwise the list will be configured), and adds the input IPs and URLs to the relevant lists.
PAN-OS - Block IP and URL - External Dynamic List v2This playbook blocks IP addresses and URLs using Palo Alto Networks Panorama or Firewall External Dynamic Lists.
It checks if the EDL configuration is in place with the 'PAN-OS EDL Setup' sub-playbook (otherwise the list will be configured), and adds the input IPs and URLs to the relevant lists.
PAN-OS - Block URL - Custom URL CategoryThis playbook blocks URLs using Palo Alto Networks Panorama or Firewall through Custom URL Categories.
The playbook checks whether the input URL category already exists, and if the URLs are a part of this category. Otherwise, it will create the category, block the URLs, and commit the configuration.
PAN-OS - Create Or Edit RuleCreates or edits a Panorama rule and moves it into the desired position.
PAN-OS - Delete Static RoutesThis playbook deletes a PAN-OS static route from the PAN-OS instance.
PAN-OS Commit ConfigurationCommit the PAN-OS Panorama or Firewall configuration.
If specified as Panorama, it also pushes the Policies to the specified Device Group in the instance.
PAN-OS DAG ConfigurationThis playbook utilizes the Dynamic Address Group (DAG) capability of PAN-OS.
DAG enables analysts to create a rule one time, where the group is the source/destination, and adds IP addresses dynamically without the need to commit the configuration every time.

The playbook checks if the given tag already exists. If the tag exists, then the IP address is added to the tag.

If the tag does not exist, a new address group is created with the given tag and a matching rule, and the configuration is committed.
PAN-OS EDL Service ConfigurationThis single-run playbook enables Cortex XSOAR's built-in External Dynamic List (EDL) as a service for system indicators, and configures PAN-OS EDL Objects and the respective firewall policy rules.
The EDLs will continuously update for each indicator that matches the query syntax input in the playbook (to validate which indicators the query applies to, you also need to enter the query syntax from the indicator tab at the top of the playbook inputs window).
If both the IP and URL indicator types exist in the query, it sorts the indicators into two EDLs, IP and URL. If only one indicator type exists in the query, only one EDL is created.
The playbook then creates EDL objects directing to the indicator lists and firewall policy rules in PAN-OS.
- It is recommended to configure a dedicated EDL Service instance for the usage of this playbook.
- If you need to edit or update the EDL query after this playbook has run, use the panorama-edit-edl command of the Panorama integration to update the URL containing the indicator query syntax.
PAN-OS EDL SetupDeprecated. Use PAN-OS EDL Setup v3 playbook instead. Configures an external dynamic list in PAN-OS.
In the event that the file exists on the web server, it will sync it to demisto. Then it will create an EDL object and a matching rule.
PAN-OS EDL Setup v3Configures an external dynamic list in PAN-OS.
In the event that the file exists on the web server, it will sync it to demisto. Then it will create an EDL object and a matching rule.
PAN-OS Log Forwarding Setup And ConfigurationThis playbook sets up and maintains log forwarding for the Panorama rulebase.
It can be run when setting up a new instance, or as a periodic job to enforce log forwarding policy.
You can either update all rules and override previous profiles, or update only rules that do not have a log forwarding profile configured.
PAN-OS Query Logs For IndicatorsThis playbook queries the following PAN-OS log types: traffic, threat, url, data-filtering and wildfire. The playbook accepts inputs such as IP, hash, and URL.
Panorama Query LogsQuery Panorama Logs of types: traffic, threat, url, data-filtering and wildfire.
PanoramaQueryTrafficLogsDeprecated. Use "PAN-OS Query Logs For Indicators" playbook instead. Queries traffic logs in a PAN-OS Panorama or Firewall device.
PANW - Hunting and threat detection by indicator typeDeprecated. Use the "PANW - Hunting and threat detection by indicator type V2" playbook instead.
PANW - Hunting and threat detection by indicator type V2Deprecated. Integrations list - Cortex (Traps, PAN-OS, Analytics)
This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on hashes, IP addresses, or domain names provided manually or from outputs by other playbooks.
With the received indicators, the playbook leverages Palo Alto Cortex data received by products such as Traps, Analytics and PAN-OS to search for IP addresses and hosts related to that specific hash.
The output provided by the playbook facilitates pivoting searches for possibly affected hosts, IP addresses, or users.
PANW IoT Incident Handling with ServiceNowThis playbook creates a ServiceNow ticket after the incident is enriched by Palo Alto Networks IoT security portal (previously Zingbox Cloud).
PANW IoT ServiceNow Tickets CheckThis playbook should be used in a recurring job to check the ServiceNow ticket status for Palo Alto Networks IoT (previously Zingbox) alerts or vulnerabilities.
PANW Threat Vault - Signature SearchInitiates a signature search in Palo Alto Networks Threat Vault.
PCAP AnalysisThis playbook leverages all of the PCAP Miner and PCAP File Extractor sub-playbook capabilities, including:
- Search for specific values in a PCAP file.
- Parse and enrich detected indicators such as IP addresses, URLs, email addresses and domains found by the search.
- Carve (extract) files found in the HTTP, SMB and other protocols and perform enrichment and detonation.
PCAP File CarvingThis playbook is used to carve (extract) files from within PCAP files and perform enrichment and detonation of the extracted files. Supported PCAP file types are pcap, cap, pcapng. The playbook can handle one PCAP file per incident. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and adding an RSA certificate to decrypt SSL traffic. Additional options enable you to filter the files to extract according to the file extension or the actual file type (MIME), and limit the amount of files to extract. Another feature enables you to specify a filter to create a new smaller PCAP file. To display the results within the relevant incident fields, the playbook needs to run in a PCAP Analysis incident type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation.
PCAP Parsing And Indicator EnrichmentThis playbook is used to parse and extract indicators within PCAP files and perform enrichment on the detected indicators. Supported file types are pcap, cap, pcapng. The playbook can handle one PCAP file per incident. The user inputs which indicator types are to be enriched, including email addresses, URLs and IP addresses. The user can specify in the inputs which indicators are internal or should be treated as internal (not enriched). The user can also specify a specific regex pattern to search for. Another option is to specify the protocol types to be printed to context for data extraction. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and add an RSA certificate to decrypt SSL traffic. To display the results within the relevant incident fields, the playbook needs to run in a PCAP Analysis incident type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation.
PCAP SearchThis playbook is used to parse and search within PCAP files. Supported file types are pcap, cap, pcapng. The playbook can handle one PCAP file per incident. The user inputs which objects the playbook should search for in the PCAP. The values to search are IP addresses, CIDR ranges, and TCP or UDP ports or protocols. In the event that more than one input type was specified (such as IP addresses and TCP ports), specify in the QueryOperator input whether the PCAP filter query will use an AND or an OR operator between the inputs. Another option is to use advanced filters, just like in Wireshark, for refined filters or for objects not specified in other inputs. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and add an RSA certificate to decrypt SSL traffic. To display the results within the relevant incident fields, the playbook needs to run in a PCAP Analysis incident type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation.
Pentera Filter And Create IncidentSub-playbook to select specific entries from the Pentera action report and create incidents for each of the selected entries.
Pentera Run Scan
Pentera Run Scan and Create IncidentsThis playbook runs a Pentera task given the Pentera task name. It generates the full action report that contains all the actions that Pentera made during the scan, and creates incidents according to the filters in the Pentera Filter and Create Incidents playbook.
Phishing - CoreProvides a basic response to phishing incidents. Playbook features:
- Calculates reputation for all indicators
- Extracts indicators from email attachments
- Calculates severity for the incident based on indicator reputation
- Updates reporting user about investigation status
- Allows manual remediation of the incident
Phishing Investigation - GenericDeprecated. Use "Phishing Investigation - Generic v2" playbook instead. Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself.
The final remediation tasks are always decided by a human analyst.
Phishing Investigation - Generic v2Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself.

The final remediation tasks are always decided by a human analyst.
Phishing Playbook - ManualMaster playbook for phishing incidents. This playbook is a manual playbook.
PhishingDemo-OnboardingThis playbook is part of the on-boarding experience, and focuses on phishing scenarios. To use this playbook, you'll need to enable the on-boarding integration and configure incidents of type Phishing. For more information, refer to the on-boarding walkthroughs in the help section.
PhishLabs - Populate IndicatorsThis playbook can be used in a job to populate indicators from PhishLabs, according to a defined period of time.
PhishLabs - Whitelist false positivesThis playbook can be used in a job to whitelist indicators from PhishLabs that were classified as false positives, according to a defined period of time.
PII Check - Breach NotificationThe playbook checks for various types of PII; however, each state determines what is considered PII and which PII requires notification.

DISCLAIMER: Please consult with your legal team before implementing this playbook.

Sources:
http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82
https://www.nysenate.gov/legislation/laws/GBS/899-AA
and more for each state.
Port Scan - External SourceThis playbook remediates port scans originating outside of the organization's network.
Port Scan - GenericInvestigates a port scan incident. The incident may originate from outside or within the network. The playbook:
- Enriches the hostname and IP address of the attacking endpoint
- Escalates the incident in case a critical asset is involved
- Hunts malware associated with the alerts across the organization
- Blocks detected malware associated with the incident
- Blocks IP addresses associated with the malware, if a malicious file was involved
- Pivots from the attacking IP to detect and block malicious domains hosted on the IP (for external scan)
- Isolates the attacking endpoint (for internal scan)
- Allows manual blocking of ports through an email communication task

If you're using one or more of the following products, make sure to configure their corresponding playbook inputs, respectively:
Splunk - "Splunk Indicator Hunting"
QRadar - "QRadar Indicator Hunting v2"
Palo Alto Networks Cortex Data Lake/Panorama/AutoFocus/Analytics - "PANW - Hunting and threat detection by indicator type V2"
Port Scan - Internal SourceRemediates port scans originating within the network.
Prisma Access - Logout UserThis playbook forces logout of a specific user and computer from Prisma Access.
Prisma Access - Connection Health CheckUse the Prisma Access integration to run SSH CLI commands and query the connection states for all tunnels. If any tunnels are down, the playbook escalates to a manual task for remediation and provides recommendations on next steps in the task description. The playbook can be run as a job, or triggered from an incoming event to confirm an initial suspicion (such as a tunnel log from Cortex Data Lake) and validate that the issue still exists.
Prisma Access Whitelist Egress IPs on SaaS ServicesRetrieve Prisma Access egress IPs for specific geographic zones and populate them in security groups within cloud services.
Prisma Cloud - Find AWS Resource by FQDNFind AWS resources by FQDN using Prisma Cloud inventory.
Supported services: EC2, Application Load Balancer, ECS, Route53, CloudFront, S3, API Gateway.
Prisma Cloud - Find AWS Resource by Public IPFind AWS resources by Public IP using Prisma Cloud inventory.
Supported services: EC2, Network Load Balancer, ECS, Route53.
Prisma Cloud - Find Azure Resource by FQDNFind Azure resources by FQDN using Prisma Cloud inventory.
Supported services: Azure VM, Azure Load Balancer, Azure Application Gateway, AKS, Azure Web Apps, Azure Storage.
Prisma Cloud - Find Azure Resource by Public IPFind Azure resources by Public IP using Prisma Cloud inventory.
Supported services: Azure VM, Azure Load Balancer, Azure Application Gateway, Azure Web Apps.
Prisma Cloud - Find GCP Resource by FQDNFind GCP resources by FQDN using Prisma Cloud inventory.
Supported services: Cloud DNS.
Prisma Cloud - Find GCP Resource by Public IPFind GCP resources by Public IP using Prisma Cloud inventory.
Supported services: GCE, Load Balancing, GKE.
Prisma Cloud - Find Public Cloud Resource by FQDNFind public cloud resources by FQDN using Prisma Cloud inventory.
Prisma Cloud - Find Public Cloud Resource by Public IPFind public cloud resources by public IP using Prisma Cloud inventory.
Prisma Cloud Compute - Audit AlertDefault playbook for parsing Prisma Cloud Compute audit alerts
Prisma Cloud Compute - Cloud Discovery AlertDefault playbook for parsing Prisma Cloud Compute Cloud Discovery alerts
Prisma Cloud Compute - Compliance AlertDefault playbook for parsing Prisma Cloud Compute compliance alerts
Prisma Cloud Compute - Vulnerability AlertDefault playbook for parsing Prisma Cloud Compute vulnerability alerts
Prisma Cloud Correlate AlertsSearch alerts in Prisma Cloud for a specific asset ID and, if present in XSOAR, link them.
Prisma Cloud Remediation - AWS CloudTrail is not Enabled on the AccountAWS CloudTrail is a service that provides an event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. To remediate the Prisma Cloud alert "CloudTrail is not enabled on the account", this playbook creates an S3 bucket to host CloudTrail logs and enables CloudTrail (including all region events and global service events).
Prisma Cloud Remediation - AWS EC2 Instance MisconfigurationThis playbook remediates Prisma Cloud AWS EC2 alerts. It calls the following sub-playbooks to perform the remediation:
- AWS Default Security Group Does Not Restrict All Traffic
- AWS Security Groups Allow Internet Traffic
- AWS Security Groups With Inbound Rule Overly Permissive To All Traffic
- AWS Security Groups allow internet traffic from internet to FTP-Data port (20)
- AWS Security Groups allow internet traffic from internet to FTP port (21)
- AWS Security Groups allow internet traffic to SSH port (22)
- AWS Security Groups allow internet traffic from internet to Telnet port (23)
- AWS Security Groups allow internet traffic from internet to SMTP port (25)
- AWS Security Groups allow internet traffic from internet to DNS port (53)
- AWS Security Groups allow internet traffic from internet to Windows RPC port (135)
- AWS Security Groups allow internet traffic from internet to NetBIOS port (137)
- AWS Security Groups allow internet traffic from internet to NetBIOS port (138)
- AWS Security Groups allow internet traffic from internet to CIFS port (445)
- AWS Security Groups allow internet traffic from internet to SQLServer port (1433)
- AWS Security Groups allow internet traffic from internet to SQLServer port (1434)
- AWS Security Groups allow internet traffic from internet to MYSQL port (3306)
- AWS Security Groups allow internet traffic from internet to RDP port (3389)
- AWS Security Groups allow internet traffic from internet to MSQL port (4333)
- AWS Security Groups allow internet traffic from internet to PostgreSQL port (5432)
- AWS Security Groups allow internet traffic from internet to VNC Listener port (5500)
- AWS Security Groups allow internet traffic from internet to VNC Server port (5900)
Prisma Cloud Remediation - AWS EC2 Security Group MisconfigurationThis playbook remediates the Prisma Cloud AWS EC2 alerts generated by the following policies:
- AWS Default Security Group Does Not Restrict All Traffic
- AWS Security Groups Allow Internet Traffic
- AWS Security Groups With Inbound Rule Overly Permissive To All Traffic
Prisma Cloud Remediation - AWS IAM Password Policy MisconfigurationThis playbook remediates the following Prisma Cloud AWS IAM password policy alerts.

Prisma Cloud policies remediated:
- AWS IAM password policy allows password reuse
- AWS IAM password policy does not expire in 90 days
- AWS IAM password policy does not have a lowercase character
- AWS IAM password policy does not have a minimum of 14 characters
- AWS IAM password policy does not have a number
- AWS IAM password policy does not have a symbol
- AWS IAM password policy does not have a uppercase character
- AWS IAM password policy does not have password expiration period
- AWS IAM Password policy is insecure
Prisma Cloud Remediation - AWS IAM Policy MisconfigurationThis playbook remediates Prisma Cloud AWS IAM policy alerts. It uses sub-playbooks that perform the remediation steps.
Prisma Cloud Remediation - AWS Inactive Users For More Than 30 DaysTo increase the security of your AWS account, it is recommended to find and remove IAM user credentials (passwords, access keys) that have not been used within a specified period of time.

To remediate the Prisma Cloud alert "Inactive users for more than 30 days", this playbook deactivates the user by disabling the access keys (marking them as inactive) as well as resetting the user's console password.
Prisma Cloud Remediation - AWS Security Groups Allows Internet Traffic To TCP PortThis playbook extracts the TCP public Security Groups rule and provides manual/automatic options to have the rules revoked.
Prisma Cloud Remediation - GCP Kubernetes Engine Cluster MisconfigurationThis playbook remediates the following Prisma Cloud GCP Kubernetes Engine Cluster alerts.

Prisma Cloud policies remediated:

- GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled
- GCP Kubernetes Engine Clusters have HTTP load balancing disabled
- GCP Kubernetes Engine Clusters have Legacy Authorization enabled
- GCP Kubernetes Engine Clusters have Master authorized networks disabled
- GCP Kubernetes Engine Clusters have Network policy disabled
- GCP Kubernetes Engine Clusters have Stackdriver Logging disabled
- GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled
- GCP Kubernetes Engine Clusters have binary authorization disabled
- GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled
- GCP Kubernetes cluster intra-node visibility disabled
Prisma Cloud Remediation - GCP Kubernetes Engine MisconfigurationThis playbook remediates Prisma Cloud GCP Kubernetes Engine alerts. It calls sub-playbooks that perform the actual remediation steps.

Remediation:
- GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled
- GCP Kubernetes Engine Clusters have HTTP load balancing disabled
- GCP Kubernetes Engine Clusters have Legacy Authorization enabled
- GCP Kubernetes Engine Clusters have Master authorized networks disabled
- GCP Kubernetes Engine Clusters have Network policy disabled
- GCP Kubernetes Engine Clusters have Stackdriver Logging disabled
- GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled
- GCP Kubernetes Engine Clusters have binary authorization disabled
- GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled
- GCP Kubernetes cluster intra-node visibility disabled
Prisma Cloud Remediation - GCP VPC Network Firewall MisconfigurationThis playbook remediates the following Prisma Cloud GCP VPC Network Firewall alerts.

Prisma Cloud policies remediated:

- GCP Firewall rule allows internet traffic to FTP port (21)
- GCP Firewall rule allows internet traffic to HTTP port (80)
- GCP Firewall rule allows internet traffic to MongoDB port (27017)
- GCP Firewall rule allows internet traffic to MySQL DB port (3306)
- GCP Firewall rule allows internet traffic to Oracle DB port (1521)
- GCP Firewall rule allows internet traffic to PostgreSQL port (5432)
- GCP Firewall rule allows internet traffic to RDP port (3389)
- GCP Firewall rule allows internet traffic to SSH port (22)
- GCP Firewall rule allows internet traffic to Telnet port (23)
- GCP Firewall rule allows internet traffic to DNS port (53)
- GCP Firewall rule allows internet traffic to Microsoft-DS port (445)
- GCP Firewall rule allows internet traffic to NetBIOS-SSN port (139)
- GCP Firewall rule allows internet traffic to POP3 port (110)
- GCP Firewall rule allows internet traffic to SMTP port (25)
- GCP Default Firewall rule should not have any rules (except http and https)
- GCP Firewall with Inbound rule overly permissive to All Traffic
Prisma Cloud Remediation - GCP VPC Network MisconfigurationThis playbook remediates Prisma Cloud GCP VPC Network alerts. It calls sub-playbooks that perform the actual remediation steps.

Remediation:

- GCP project is using the default network
- GCP Firewall rule allows internet traffic to FTP port (21)
- GCP Firewall rule allows internet traffic to HTTP port (80)
- GCP Firewall rule allows internet traffic to MongoDB port (27017)
- GCP Firewall rule allows internet traffic to MySQL DB port (3306)
- GCP Firewall rule allows internet traffic to Oracle DB port (1521)
- GCP Firewall rule allows internet traffic to PostgreSQL port (5432)
- GCP Firewall rule allows internet traffic to RDP port (3389)
- GCP Firewall rule allows internet traffic to SSH port (22)
- GCP Firewall rule allows internet traffic to Telnet port (23)
- GCP Firewall rule allows internet traffic to DNS port (53)
- GCP Firewall rule allows internet traffic to Microsoft-DS port (445)
- GCP Firewall rule allows internet traffic to NetBIOS-SSN port (139)
- GCP Firewall rule allows internet traffic to POP3 port (110)
- GCP Firewall rule allows internet traffic to SMTP port (25)
- GCP Default Firewall rule should not have any rules (except http and https)
- GCP Firewall with Inbound rule overly permissive to All Traffic
Prisma Cloud Remediation - GCP VPC Network Project MisconfigurationThis playbook remediates the following Prisma Cloud GCP VPC Network Project alerts.

Prisma Cloud policies remediated:

- GCP project is using the default network
Process Email - Add custom fieldsDeprecated. We recommend using the Process Email - Generic playbook instead. Process email - adds email data to a phishing incident's custom fields.
Process Email - CoreAdd email details to the relevant context entities and handle the case where original emails are attached.
Process Email - EWSProcess an EWS email
Process Email - GenericAdd email details to the relevant context entities and handle the case where original emails are attached.
Process Survey ResponseNote: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is in beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve. This playbook processes the survey responses. It records that the employee responded to the survey and what their health status is. If necessary, it opens IT or HR incidents, and updates the process survey tracker.
QRadar - Get offense correlationsDeprecated. Use the QRadar - Get offense correlations v2 playbook instead.
Run on a QRadar offense to get more information:

Get all correlations relevant to the offense
Get all logs relevant to the correlations (not done by default - set "GetCorrelationLogs" to "True")

Inputs:
GetCorrelationLogs (default: False)
MaxLogsCount (default: 20)
QRadar - Get offense correlations v2Run on a QRadar offense to get more information:

Get all correlations relevant to the offense
Get all logs relevant to the correlations (not done by default - set "GetCorrelationLogs" to "True")

Inputs:
GetCorrelationLogs (default: False)
MaxLogsCount (default: 20)
QRadar Indicator Hunting V2The playbook queries QRadar SIEM for indicators such as file hashes, IP addresses, domains, or URLs.
QRadarCorrelationLogThis playbook retrieves the correlation logs of multiple QIDs.
QRadarFullSearchThis playbook runs a QRadar query and returns its results to the context.
Quarantine Device in Cisco ISE - PANW IoT 3rd Party IntegrationPlaybook to handle an incident triggered from the PANW IoT (Zingbox) UI to quarantine a device in Cisco ISE.
Ransomware Exposure - RiskSenseThe ransomware exposure playbook reveals an organization's exposure to the specific vulnerabilities that are being exploited to launch ransomware attacks.
Ransomware Playbook - ManualMaster playbook for ransomware incidents. This playbook is a manual playbook.
Rapid IOC Hunting PlaybookDeprecated. Use the Hunt File Hash playbook instead. Playbook to quickly react to discovery of new IOCs. Receive a list of IOCs as attached text / csv files, extract IOCs using regular expressions and hunt rapidly across the infrastructure using various integrations. Also supports attaching multiple files.
Recorded Future CVE IntelligenceCVE enrichment using Recorded Future intelligence.
Recorded Future CVE ReputationCVE reputation with Recorded Future SOAR enrichment.
Recorded Future Domain IntelligenceDomain enrichment using Recorded Future intelligence
Recorded Future Domain ReputationDomain reputation using Recorded Future SOAR enrichment
Recorded Future File IntelligenceFile enrichment using Recorded Future intelligence
Recorded Future File ReputationFile reputation using Recorded Future SOAR enrichment
Recorded Future IOC ReputationEntity Reputation using sub-playbooks
Recorded Future IP IntelligenceIP Address Enrichment using Recorded Future Intelligence
Recorded Future IP ReputationIP address reputation using Recorded Future SOAR enrichment
Recorded Future Threat AssessmentThreat Assessment using the Recorded Future SOAR Triage API and the context Phishing.
Recorded Future URL IntelligenceURL Enrichment using Recorded Future intelligence
Recorded Future URL ReputationURL reputation using Recorded Future SOAR enrichment
Remediate Message - Agari Phishing DefenseRemediates a given message id.
Residents Notification - Breach NotificationThis playbook is triggered by a breach notification playbook and is responsible for the resident notification process.
Retrieve Email Data - Agari Phishing DefenseRetrieve Email Data from one of the Integrations of Gmail, Mail Listener v2, EWS O365, Microsoft Graph Mail.
Retrieve File from Endpoint - GenericThis playbook retrieves a file sample from an endpoint using the following playbooks:
- Get File Sample From Path - Generic
- Get File Sample By Hash - Generic v2
Retrieve File from Endpoint - Generic V2This playbook retrieves a file sample from an endpoint using the following playbooks:
- Get File Sample From Path - Generic v2.
- Get File Sample By Hash - Generic v3.
RiskIQAsset Enrichment - RiskIQ Digital FootprintEnriches "RiskIQAsset" type indicators with basic information and CVEs detected for the asset, performs a vulnerability scan for "Host" and "IP Address" type assets, enriches the received information in the context, and allows the user to whitelist a list of "IP Address" type assets. This playbook also enriches the detected CVEs. To select the indicators you want to enrich, go to playbook inputs, choose "from indicators" and set your query, for example type:RiskIQAsset. The default playbook query is "type:RiskIQAsset". If only indicators with a specific "riskiqassettype" are to be enriched, the query must be edited accordingly. This playbook needs to be used with caution, as it might use up the integrations' API license when running for large numbers of indicators.
Rubrik Polaris - Anomaly AnalysisMonitor the progress of a Rubrik Radar anomaly event and use Rubrik Sonar to check for data classification hits.
Run Panorama Best Practice AssessmentThis playbook runs the Palo Alto Best Practice Assessment checks for a PAN-OS instance.
Rundeck-job-execute-GenericThis playbook executes a job and exits when it successfully finishes.
SafeBreach - Compare and Validate Insight IndicatorsThis playbook compares SafeBreach Insight indicators before and after the processing. It receives an insight and its indicators before validation, fetches updated indicators after rerunning the insight, and then compares the results to validate mitigation. Indicators are classified as Remediated or Not Remediated based on their validated status and the appropriate field (SafeBreach Remediation Status) is updated.
SafeBreach - Create Incidents per Insight and Associate IndicatorsThis is a sub-playbook that creates incidents per SafeBreach insight, enriched with all the related indicators and additional SafeBreach insight contextual information. Used in main SafeBreach playbooks, such as "SafeBreach - Process Behavioral Insights Feed" and "SafeBreach - Process Non-Behavioral Insights Feed".
SafeBreach - Process Non-Behavioral Insights FeedThis playbook automatically remediates all non-behavioral indicators generated from SafeBreach Insights. To validate the remediation, it reruns the related insights and classifies the indicators as Remediated or Not Remediated.
A special feed based triggered job is required to initiate this playbook for every new SafeBreach generated indicator.
SafeBreach - Rerun InsightsThis is a sub-playbook that reruns a list of SafeBreach insights based on Insight Id and waits until they complete. Used in main SafeBreach playbooks, such as "SafeBreach - Handle Insight Incident" and "SafeBreach - Process Non-Behavioral Insights Feed".
SafeBreach - Rerun Single InsightThis is a sub-playbook that reruns a single insight using a specified Insight Id as input. It is used to run insights one by one iteratively as part of the main rerun playbook - "SafeBreach Rerun Insights".
SailPoint IdentityIQ Disable User Account AccessChecks if the risk score of an identity exceeds a set threshold of 500 and disables the accounts.
SANS - Incident Handler's Handbook TemplateThis playbook contains the phases for handling an incident as they are described in the SANS Institute ‘Incident Handler's Handbook’ by Patrick Kral.

https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

***Disclaimer: This playbook does not ensure compliance to SANS regulations.
SANS - Incident Handlers ChecklistThis playbook follows the "Incident Handler's Checklist" described in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral.

https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

***Disclaimer: This playbook does not ensure compliance to SANS regulations.
SANS - Lessons LearnedThis playbook assists in post-processing an incident and facilitates the lessons learned stage, as presented in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral.

https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

***Disclaimer: This playbook does not ensure compliance to SANS regulations.
Scan and Isolate - XM CyberAn example playbook that uses data from XM Cyber to help decide whether to scan and isolate a threat.
Scan Assets - NexposeStarts a Nexpose scan according to asset IP addresses or host names, and waits for the scan to finish by polling the scan status in pre-defined intervals.
Scan Site - NexposeStarts a Nexpose scan by site id and waits for the scan to finish by polling its status in pre-defined intervals.
Search And Delete Emails - EWSThis playbook searches EWS to identify and delete emails with similar attributes of a malicious email.
Search And Delete Emails - GenericThis playbook searches for and deletes emails with similar attributes to a malicious email.
Search Endpoints By Hash - Carbon Black ProtectionHunt for endpoint activity involving hash IOCs, using Carbon Black Protection.
Search Endpoints By Hash - Carbon Black ResponseDeprecated. Use the Search Endpoints By Hash - Carbon Black Response V2 playbook instead. Hunt for malicious indicators using Carbon Black.
Search Endpoints By Hash - Carbon Black Response V2Hunt for malicious indicators using Carbon Black
Search Endpoints By Hash - CrowdStrikeHunt for endpoint activity involving hash and domain IOCs, using Crowdstrike Falcon Host
Search Endpoints By Hash - CybereasonHunt for endpoint activity involving hash, using Cybereason.
Search Endpoints By Hash - GenericDeprecated. Use the Search Endpoints By Hash - Generic V2 playbook instead. Hunt using available tools
Search Endpoints By Hash - Generic V2Hunt using available tools
Search Endpoints By Hash - TIEHunt for sightings of MD5, SHA1 and/or SHA256 hashes on endpoints, using McAfee TIE (requires ePO as well).

Input:
Hash (default, takes all different hashes from context)

Output:
All agents on which files with "Hash" have been executed (TIE)
Enriched agent info from ePO
Send Investigation Summary ReportsThis playbook iterates over closed incidents, generates a summary report for each closed incident, and emails the reports to specified users.
Send Investigation Summary Reports JobYou should run this playbook as a scheduled job, which should run at an interval of once every 15 minutes. This playbook functions by calling the sub-playbook "Send Investigation Summary Reports", and closes the incident. By default, the playbook will search all incidents closed within the last hour. If you want to run the playbook more frequently, you should adjust the search query of the child playbook "Send Investigation Summary Reports".
Sentinel One - Endpoint data collectionCollect endpoint information based on SentinelOne commands.

Input:
* Hostname (Default: ${Endpoint.Hostname})
ServiceNow Ticket State PollingUse ServiceNow Incident State Polling as a sub-playbook when required to pause the execution of a master playbook until the ServiceNow ticket state is either resolved or closed.
This playbook implements polling by continuously running the servicenow-get-ticket command until the state is either resolved or closed.
Set up a Shift handover meetingThis playbook is used to create an online meeting for shift handover. Currently, this playbook supports Zoom.
Shift handoverThis playbook is used to set up shift handover meetings with all the accompanying processes such as creating an online meeting, creating a notification in an integrated chat app (for example Slack), creating a SOC manager briefing, and creating a display of the active incidents, team members who are on-call, and team members who are out of the office.
By modifying the playbook inputs you can decide whether to activate the Assign Active Incidents to Next Shift and whether a user who is out of the office will be taken into consideration.
Slack - General Failed Logins v2.1Investigates a failed login event. The playbook interacts with the user via the Slack integration, checks whether the logins were a result of the user's attempts or an attack, raises the severity, and expires the user's password according to the user's replies.
SolarStorm and SUNBURST Hunting and Response PlaybookThis playbook does the following:
Collect indicators to aid in your threat hunting process
- Retrieve IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin)
- Retrieve C2 domains and URLs associated with Sunburst
- Discover IOCs of associated activity related to the infection
- Generate an indicator list to block indicators with SUNBURST tags
Hunt for the SUNBURST backdoor
- Query firewall logs to detect network activity
- Search endpoint logs for Sunburst hashes to detect presence on hosts
If compromised hosts are found then:
- Notify security team to review and trigger remediation response actions
- Fire off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.
Splunk Indicator HuntingThis playbook queries Splunk for indicators such as file hashes, IP addresses, domains, or URLs. It outputs detected users, IP addresses, and hostnames related to the indicators.
Tanium - Ask QuestionThis playbook uses generic polling to get the question result.
Tanium - Get Saved Question ResultThis playbook uses generic polling to get the saved question result.
Tanium Demo PlaybookThis playbook shows how to use automation scripts to interact with Tanium.
Tenable.io ScanRun a Tenable.io scan
Threat Hunting - ChronicleUse this playbook to investigate and remediate suspicious IOC domain matches with recent activity found in the enterprise. This playbook also creates indicators for the entities fetched, as well as investigating and enriching them.
Supported Integrations:
- Chronicle
- Whois
TIE - IOC HuntHunt for sightings of MD5, SHA1 and/or SHA256 hashes on endpoints, using McAfee TIE (requires ePO as well).

Input:
Hash (default, takes all different hashes from context)

Output:
All agents on which files with "Hash" have been executed (TIE)
Enriched agent info from ePO
TIM - Add All Indicator Types To SIEMThis playbook runs sub playbooks that send indicators to your SIEM. To select the indicators you want to add, go to playbook inputs, choose “from indicators” and set your query. For example tags:approved_black, approved_white etc. The purpose of the playbook is to send to the SIEM only indicators that have been processed and tagged accordingly after an automatic or manual review process. The default playbook query is "(type:ip or type:file or type:Domain or type:URL) -tags:pending_review and (tags:approved_black or tags:approved_white or tags:approved_watchlist)". In case more indicator types need to be sent to the SIEM, the query must be edited accordingly.
TIM - Add Bad Hash Indicators To SIEMThis playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to the SIEM.
TIM - Add Domain Indicators To SIEMThis playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to the SIEM.
TIM - Add IP Indicators To SIEMTIM playbook - This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to your SIEM.
TIM - Add Url Indicators To SIEMTIM playbook - This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to your SIEM.
TIM - ArcSight Add Bad Hash IndicatorsThis playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to an ArcSight Active List. The Active List ID should be defined in the playbook inputs, as well as the field name in the Active list to which to add the indicators.
TIM - ArcSight Add Domain IndicatorsThis playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to an ArcSight Active List. The Active List ID should also be defined in the playbook inputs, as well as the field name in the Active list to add to.
TIM - ArcSight Add IP IndicatorsThis playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to SIEM.
TIM - ArcSight Add Url IndicatorsThis playbook queries indicators based on a pre-defined query or results from a parent playbook and adds the resulting indicators to an ArcSight Active List. The Active List ID should also be defined in the playbook inputs, as well as the field name in the Active list to add to.
TIM - Indicator Auto ProcessingThis playbook uses several sub playbooks to process and tag indicators, which is used to identify indicators that shouldn't be blacklisted. For example IP indicators that belong to business partners or important hashes we wish to not process. Additional sub playbooks can be added for improving the business logic and tagging according to the user's needs. This playbook doesn't have its own indicator query as it processes indicators provided by the parent playbook query. To enable the playbook, provide the relevant list names in the sub playbook indicators, such as the ApprovedHashList, OrganizationsExternalIPListName, BusinessPartnersIPListName, etc. Also be sure to append the results of additional sub playbooks to Set indicators to Process Indicators for the additional playbooks results to be in the outputs.
TIM - Indicators Exclusion By Related IncidentsThis playbook allows you to exclude indicators according to the number of incidents the indicator is related to. The indicator query is "investigationsCount:>=X" where X is the number of related incidents to the indicator that you set. Excluded indicators are located in the Cortex XSOAR exclusion list and are removed from all of their related incidents and future ones. The purpose of excluding these indicators is to reduce the number of internal and common indicators appearing in many incidents and to show only relevant indicators. Creating exclusions can also accelerate performance.
TIM - Process AWS indicatorsThis playbook handles the tagging of AWS indicators. Specify the tag to apply to these indicators in the playbook inputs. An example tag will be approved_white. If no inputs are specified, the indicators will be tagged for manual review. The user can specify whether a manual review incident is required.
TIM - Process Azure indicatorsThis playbook handles the tagging of Azure indicators. Specify the tag to apply to these indicators in the playbook inputs. An example tag will be approved_white. If no inputs are specified, the indicators will be tagged for manual review. The user can specify whether a manual review incident is required.
TIM - Process CIDR Indicators By SizeThis playbook processes CIDR indicators of both IPV4 and IPV6. By specifying in the inputs the maximum number of hosts allowed per CIDR, the playbook tags any CIDR that exceeds the number as pending_review. If the maximum CIDR size is not specified in the inputs, the playbook does not run.
TIM - Process Domain Age With WhoisThis playbook compares the domain creation time against a provided time value such as one month ago. The period can be configured within the playbook inputs MinimumAgeOfDomainMonths or MinimumAgeOfDomainHours. The playbook calculates the timestamp for the relevant period and compares it to the domain creation time value provided by Whois. The domains are outputted accordingly if they were created before or after the compared time, respectively.
TIM - Process Domain Registrant With WhoisThis playbook compares the domain registrant against the Cortex XSOAR list of approved registrants provided in the inputs. A registrant is the company or entity that owns the domain.
TIM - Process Domains With WhoisThis playbook uses several sub playbooks to process and tag indicators based on the results of the Whois tool.
TIM - Process File Indicators With File Hash TypeThis playbook processes file indicators by tagging them with the relevant file hash type tag, such as Sha256, Sha1, and Md5.
TIM - Process Indicators - Fully AutomatedThis playbook tags indicators ingested from high reliability feeds. The playbook is triggered by a Cortex XSOAR job. The indicators are tagged as approved_white, approved_black, approved_watchlist. The tagged indicators will be ready for consumption by 3rd party systems such as SIEM, EDR etc.
TIM - Process Indicators - Manual ReviewThis playbook tags indicators ingested by feeds that require manual approval. The playbook is triggered by a job. The indicators are tagged as requiring a manual review. The playbook optionally concludes with creating a new incident that includes all of the indicators that the analyst must review.
To enable the playbook, the indicator query needs to be configured. An example query is a list of the feeds whose ingested indicators should be manually reviewed. For example, sourceBrands:"Feed A" or sourceBrands:"Feed B".
TIM - Process Indicators Against Approved Hash ListThis playbook checks if file hash indicators exist in a Cortex XSOAR list. If the indicators exist in the list, they are tagged as approved_hash.
TIM - Process Indicators Against Business Partners Domains ListThis playbook processes indicators to check if they exist in a Cortex XSOAR list containing the business partner domains, and tags the indicators accordingly.
TIM - Process Indicators Against Business Partners IP ListThis playbook processes indicators to check if they exist in a Cortex XSOAR list containing business partner IP addresses, and tags the indicators accordingly.
TIM - Process Indicators Against Business Partners URL ListThis playbook processes indicators to check if they exist in a Cortex XSOAR list containing business partner urls, and tags the indicators accordingly. To enable the playbook, provide a Cortex XSOAR list name containing business partner urls.
TIM - Process Indicators Against Organizations External IP ListThis playbook processes indicators to check if they exist in a Cortex XSOAR list containing the organizational External IP addresses, and tags the indicators accordingly.
TIM - Process Office365 indicatorsThis playbook handles the tagging of Office365 indicators. Specify the tag to apply to these indicators in the playbook inputs. An example tag will be approved_white. If no inputs are specified, the indicators will be tagged for manual review. The user can specify whether a manual review incident is required.
TIM - QRadar Add Bad Hash IndicatorsThis playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
TIM - QRadar Add Domain IndicatorsThis playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
TIM - QRadar Add IP IndicatorsThis playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
TIM - QRadar Add Url IndicatorsThis playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
TIM - Review Indicators ManuallyThis playbook helps analysts manage the manual process of reviewing indicators. The playbook indicator query is set to search for indicators that have the 'pending review' tag. The playbook's layout displays all of the related indicators in the summary page. While reviewing the indicators, the analyst can go to the summary page and tag the indicators accordingly with tags such as 'approved_black', 'approved_white', etc. Once the analyst completes their review, the playbook can optionally send an email with a list of changes done by the analyst which haven't been approved. Once complete, the playbook removes the 'pending review' tag from the indicators.
TIM - Review Indicators Manually For WhitelistingThis playbook helps analysts manage the manual process of whitelisting indicators from cloud providers, apps, services etc. The playbook indicator query is set to search for indicators that have the 'whitelist_review' tag. The playbook's layout displays all of the related indicators in the summary page. While reviewing the indicators, the analyst can go to the summary page and tag the indicators accordingly with tags such as 'approved_black', 'approved_white', etc. Once the analyst completes the review, the playbook can optionally send an email with a list of changes done by the analyst which haven't been approved. Once complete, the playbook removes the 'whitelist review' tag from the indicators.
TIM - Run Enrichment For All Indicator TypesThis playbook performs enrichment on indicators based on the playbook query, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators. Example queries can be "tags:example_tag" for indicators with a specific tag. For a specific feed name the query will be "sourceBrands:example_feed". For a specific reputation the query will be "reputation:None" etc.
TIM - Run Enrichment For Domain IndicatorsThis playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
TIM - Run Enrichment For Hash IndicatorsThis playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
TIM - Run Enrichment For IP IndicatorsThis playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
TIM - Run Enrichment For Url IndicatorsThis playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
Traps Blacklist FileThis playbook accepts a file SHA256 and adds it to a blacklist using Traps integration.
Traps Isolate EndpointThis playbook accepts an endpoint ID from Traps integration and performs isolation on this endpoint.
Traps Quarantine EventThis playbook accepts a file hash and quarantines this file using Traps.
Traps Retrieve And Download FilesUse this playbook to retrieve and download files.
Traps Scan EndpointUse this playbook to initiate an endpoint scan and retrieve the scan results.
TrendMicro Malware Alert PlaybookHandles a TrendMicro Malware Alert (after the alert has been classified).
This incident was created from the classifier playbook.
Tufin - Enrich IP Address(es)Enrich a single IP using SecureTrack. Returns information such as the associated zones, network objects and policies for the address, and whether the address is a network device.
Tufin - Enrich Source & Destination IP InformationEnrich source and destination IP information using SecureTrack. Returns information such as the associated zones, network objects and policies for the addresses, if the addresses are network devices, and a topology map from source to destination.
Tufin - Get Application Information from SecureAppSearch SecureApp by application name and retrieve basic application information and all application connections.
Tufin - Get Network Device Info by IP AddressUse a device's IP address to gather information about the device, including basic device information, USP zone(s), and policies related to the device.
Tufin - Investigate Network AlertExample Playbook utilizing the Tufin integration to enrich a network alert and perform containment, if needed.

Requires the following incident details: Source IP, Destination IP, Destination Ports
Un-quarantine Device in Cisco ISE - PANW IoT 3rd Party IntegrationHandles incidents triggered from the PANW IoT (Zingbox) UI to un-quarantine a device in Cisco ISE.
Update Or Remove Assets - RiskIQ Digital FootprintUsing various user inputs, this playbook checks if the user wants to update or remove an asset, and performs the respective actions.
Supported integration:
- RiskIQ Digital Footprint
Uptycs - Bad IP IncidentGet information about processes which open connections to known Bad IP's
Uptycs - Outbound Connection to Threat IOC IncidentGet information about connections from IOC incidents.
URL Enrichment - GenericDeprecated. Use "URL Enrichment - Generic v2" playbook instead. Enrich URL using one or more integrations.

URL enrichment includes:
Verify URL SSL
Threat information
URL reputation
Take URL screenshot
URL Enrichment - Generic v2Enrich URLs using one or more integrations.

URL enrichment includes:
SSL verification for URLs
Threat information
URL screenshots
US - Breach NotificationThis playbook is triggered by a breach notification incident and then proceeds to the breach notification playbook for the relevant state.

DISCLAIMER: Please consult with your legal team before implementing this playbook.
Vulnerability Handling - NexposeManage vulnerability remediation using Nexpose data, and optionally enrich data with 3rd-party tools.

Before you run this playbook, run the "Vulnerability Management - Nexpose (Job)" playbook.
Vulnerability Handling - QualysDeprecated. Manage vulnerability remediation using Qualys data, and optionally enrich data with 3rd-party tools.

Before you run this playbook, run the "Vulnerability Management - Qualys (Job)" playbook.
Vulnerability Handling - Qualys - Add custom fields to default layoutDeprecated. Add information about the vulnerability and asset from the "Vulnerability Handling - Qualys" playbook data to the default "Vulnerability" layout.
Vulnerability Management - Nexpose (Job)Manage assets vulnerabilities using Nexpose.

This playbook runs as a job, and by default creates incidents of type "Vulnerability" based on assets and vulnerabilities.
The incidents are created by querying Nexpose for the input assets vulnerability list.
You can define the minimum severity (minSeverity) that incidents are created for.
Duplicate incidents are not created for the same asset ID and the Nexpose ID.

This playbook is a part of a series of playbooks for Nexpose vulnerability management and remediation.
For this series of playbooks to run successfully, create a Job and do the following:
1. Assign this playbook to the Job
2. Enter the relevant assets' hostnames in the playbook inputs (comma separated list).
3. Associate the "Vulnerability" type incident to the "Vulnerability Handling - Nexpose" playbook.
Vulnerability Management - Qualys (Job)Use the latest Qualys report to manage vulnerabilities.

This playbook runs as a job, and by default creates incidents of type "Vulnerability" based on assets and vulnerabilities.
The incidents are created from the latest version of the report determined by the report timestamp.
You can define the minimum severity (minSeverity) that incidents are created for.
Duplicate incidents are not created for the same asset ID and QID.

This playbook is a part of a series of playbooks for Qualys vulnerability management and remediation.
For this series of playbooks to run successfully, create a Job and do the following:
1. Assign this playbook to the Job
2. Enter the Qualys XML report name into the "Details" field
3. Associate the "Vulnerability" type incident to the "Vulnerability Handling - Qualys" playbook.
Vulnerability Scan - RiskIQ Digital Footprint - Tenable.ioPerforms a vulnerability scan for an asset of type "Host" and "IP Address" using Tenable.io integration.
Wait Until DatetimePauses execution until the date and time that was specified in the playbook input is reached.
WildFire - Detonate fileDetonate one or more files using the WildFire integration. This playbook returns relevant reports to the War Room and file reputations to the context data.
The detonation supports the following file types: APK, JAR, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, OOXML, PE32, PE, PDF, DMG, PKG, RAR, 7Z, JS
xMatters - Example Conditional ActionsExample playbook showing how to use the Trigger and Wait sub-playbook to fire an event to xMatters and wait for a response from a user. This playbook then inspects the user's chosen response and branches accordingly.
xMatters - Wait for ResponseTrigger an xMatters workflow to notify a user for a response.

Scripts#

NameDescription
AbuseIPDBPopulateIndicatorsExtracts blacklisted IP addresses from AbuseIPDB, and Populates Indicators accordingly.
ActiveUsersD2Get active users from a D2 agent and parse them into context.
AddEvidenceAdds provided entries to the incident Evidence Board. In a playbook, it can be positioned after a task to add the previous task's entries to the Evidence Board automatically (with no need to provide arguments).
AddKeyToListAdds/Replaces a key in key/value store backed by an XSOAR list.
ADGetUserUse Active Directory to retrieve detailed information about a user account. The user can be specified by name, email or as an Active Directory Distinguished Name (DN).
If no filter is provided, the result will show all users.
AlgosecCreateTicketCreates a new FireFlow change request
AlgosecGetApplicationsFind applications containing network objects related to IP address using BusinessFlow
AlgosecGetNetworkObjectFind network objects related to IP address
AlgosecGetTicketRetrieves a FireFlow change request by its ID
AlgosecQueryPerforms a batch traffic simulation query using Firewall Analyzer
AnalyzeMemImageUse Volatility to run common memory image analysis commands
AnalyzeOSXGet file and URL reputation for an osxcollector result.
Will use VirusTotal for URL checks, and IBM XForce for MD5 checks.
maxchecks : for
system : system name to run agent on.
section : the type of check that OSXCollector should run.
AquatoneDiscoveraquatone-discover will find the target's nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domain's nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery.
ArcherCreateSecurityIncidentThis script is used to simplify the process of creating a new record in Archer. You can add the fields that you want in the record as script arguments and/or in the code and have a newly created record easily.

This automation is currently used for Archer application 75 (Security Incidents) but can be altered to any other application by entering another application Id as input and/or modifying the default ApplicationId value in the arguments.
Another option would be to duplicate this script and adjust it to the new application Id.

Please note that if you change it to work with another application, some of the argument-defined fields might need to be changed as they belong to application 75.
ArcherUpdateSecurityIncidentThis script is used to simplify the process of updating a record in Archer. You can add the fields that you want in the record as script arguments and/or in the code and have the record updated easily.

This automation's fields are currently used for Archer application 75 (Security Incidents) but can be altered to any other application by modifying the fields in the code.

Please note that if you change it to work with another application, some of the argument-defined fields might need to be changed as they belong to application 75.
Another option would be to duplicate this script and adjust it to the new application Id.
AreValuesEqualChecks whether the values provided in the arguments are equal. If either argument is missing, "no" is returned.
AssignAnalystToIncidentAssigns an analyst to an incident.
By default, the analyst is picked randomly from the available users, according to the provided roles (if no roles are provided, all users are fetched).
Otherwise, the analyst is picked according to the 'assignBy' argument:
machine-learning: DBot will calculate and decide who is the best analyst for the job.
top-user: The user that most commonly owns this type of incident.
less-busy-user: The least busy analyst will be picked to be the incident owner.
online: The analyst is picked randomly from all online analysts, according to the provided roles (if no roles are provided, all users are fetched).
current: The user that executed the command.
AssignAnalystToIncidentOOOAssigns analysts who are not out of the office to the shift handover incident. Use the ManageOOOusers automation to add or remove analysts from the out-of-office list.
AssignToNextShiftOOORandomly assigns the active incidents to on call analysts (requires shift management). This automation works with the other out-of-office automations to ensure only available analysts are assigned to the active incidents.
ATDDetonateDetonate File or URL through McAfee ATD
AutorunsCollect Autoruns items from an endpoint and hashes for each item.
Uses a d2 agent to run SysInternals Autoruns.
AwsCreateImageDeprecated. This script is deprecated. Use the AWS-EC2 integration instead.
AwsCreateVolumeSnapshotDeprecated. This script is deprecated. Use the AWS-EC2 integration instead.
AwsGetInstanceInfoDeprecated. Get AWS EC2 instance details
AwsRunInstanceDeprecated. This script is deprecated. Use the AWS-EC2 integration instead.
AwsStartInstanceDeprecated. This script is deprecated. Use the AWS-EC2 integration instead.
AwsStopInstanceDeprecated. This script is deprecated. Use the AWS-EC2 integration instead.
Base64EncodeWill encode an input using Base64 format.
Base64EncodeV2Encodes an input to Base64 format.
Base64ListToFileConverts a Base64-encoded file stored in a list to a binary file and uploads it to the War Room.
BetweenDatesChecks whether the given value is within the specified date range.
BetweenHoursChecks whether the given value is within the specified time (hour) range.
BinarySearchPySearch for a binary on an endpoint using Carbon Black
BlockIPDeprecated. Blocks IP in configured firewall
BMCHelixRemedyforceCreateIncidentThis script is used to simplify the process of creating the incident in BMC Helix Remedyforce. The Script will consider the ID over the name of the argument when both are provided. Example: client_id is considered when both client_id and client_user_name are provided.
BMCHelixRemedyforceCreateServiceRequestThis script is used to simplify the process of creating a service request in BMC Helix Remedyforce. The script will consider the ID over the name of the argument when both are provided. Example: client_id is considered when both client_id and client_user_name are provided.
BuildEWSQueryReturns an EWS query according to the automation's arguments.
CalculateEntropyCalculates the entropy for the given data.
CalculateTimeDifferenceCalculate the time difference, in minutes
CBAlertsGet the list of Alerts from Carbon Black Enterprise Response. Supports the same arguments as the cb-alerts command.
CBEventsReturns all events associated with a process query
CBLiveFetchFilesFetch all of the files from the endpoints where they were found using Cb Live.
CBLiveGetFile_V2This automation translates an endpoint's hostname/IP to the Carbon Black sensor ID.
It then opens a session to the endpoint to download the given file paths and closes the session.
CBLiveProcessListRuns 'process list' command on a remote Carbon Black sensor
CBPApproveHashApprove/whitelist a hash in CBEP/Bit9.
CBPBanHashBan/blacklist a hash in CBEP/Bit9.
CBPCatalogFindHashSearch the CBP/Bit9 file catalog for an md5 hash.
CBPFindComputerFind a computer in CBEP/Bit9.
CBPFindRuleFind the rule state for a hash value in CBEP/Bit9.
CBSensorsList Carbon Black sensors
CBSessionsList Carbon Black sessions
CBWatchlistsDisplay all watchlists and their details, queries, etc.
CEFParserParses CEF data into the context. Note that the outputs display only the 7 mandatory fields, even if the CEF event includes many other custom or extended fields.
CertificateExtractExtract fields from a certificate file and return the standard context.
CertificateReputationEnrich and calculate the reputation of a certificate indicator.
CertificatesTroubleshootExports all certificate-related information from the Python Docker container and decodes it using RFC. It also retrieves the certificate located in the specified endpoint.
ChangeRemediationSLAOnSevChangeChanges the remediation SLA once a change in incident severity occurs.
This is done automatically and the changes can be configured to your needs.
CheckContextValueThis script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This script does not support a context key which holds a list of values.
CheckFieldValueThis script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value.
CheckPointDownloadBackupDownloads the Check Point policy backup to the Cortex XSOAR War Room.
CheckpointFWBackupStatusConnect to a CheckPoint firewall appliance using SSH and retrieve the status for backup tasks. The user account being used to access the device must be set to use the SSH shell and not the built-in CheckPoint CLI. For more information, consult the CheckPoint documentation.
CheckpointFWCreateBackupConnect to a Check Point firewall appliance using SSH and trigger a task to create a configuration backup of the device. The user account being used to access the device must be set to use the SSH shell and not the built-in Check Point CLI. For more information, consult the CheckPoint documentation.
CheckSenderFor phishing incidents, check the sender of the email via Pipl search
CheckSenderDomainDistanceGet the string distance for the sender from our domain
checkValueGets a value and returns it. This is to be used in playbook conditional tasks: get a value from an incident field, label, or context, and act accordingly.
If an array is returned, the first value will be the decision-making value.
ChronicleAssetEventsForHostnameWidgetScriptDisplays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator, when its hostname is passed as an asset identifier.
ChronicleAssetEventsForIPWidgetScriptDisplays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator, when its IP address is passed as an asset identifier.
ChronicleAssetEventsForMACWidgetScriptDisplays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator, when its MAC address is passed as an asset identifier.
ChronicleAssetEventsForProductIDWidgetScriptDisplays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator, when its product ID is passed as an asset identifier.
ChronicleAssetIdentifierScriptCollect all asset identifiers - Hostname, IP address and MAC address in the context.
ChronicleDBotScoreWidgetScriptShows the DBot Score and reputation of the Domain.
ChronicleDomainIntelligenceSourcesWidgetScriptShows the details of sources in the Chronicle Domain Intelligence Sources section of the incident.
ChronicleIsolatedHostnameWidgetScriptIndicates whether the hostname associated with the ChronicleAsset is isolated.
ChronicleIsolatedIPWidgetScriptIndicates whether the IP address associated with the ChronicleAsset is isolated.
ChronicleListDeviceEventsByEventTypeWidgetScriptDisplays a pie chart of the number of events, categorized by event type, fetched for all the identifiers of the ChronicleAsset.
ChroniclePotentiallyBlockedIPWidgetScriptIndicates whether the IP address associated with the ChronicleAsset is potentially blocked.
ClassifierNotifyAdminDeprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.
CloseInvestigationAsDuplicateClose the current investigation as duplicate to other investigation.
CloseTaskSetContextClose a task with the closeComplete command, but then also add the "comments" to the incident context.
Code42DownloadFileGets all departing employees and alerts for each.
Code42FileSearchGets all departing employees and alerts for each.
Code42GetDepartingEmployeesGets all departing employees.
Code42GetHighRiskEmployeesGets all high risk employees.
Code42UsernameSearchSearches exposure events for the given username.
commentsToContextTakes the comments of a given entry ID and stores them in the incident context, under a provided context key.
For accessing the last executed task's comments, provide ${lastCompletedTaskEntries.[0]} as the value for the entryId input parameter.
CommonD2Common code that will be merged into each D2 agent script when it runs
CommonServerUserPowerShellCommon user defined code that will be merged into each server script when it runs
CommonServerUserPythonCommon user defined code that will be merged into each server script when it runs
CommonUserServerCommon user defined code that will be merged into each server script when it runs
ConferIncidentDetailsDeprecated. Display the incident details retrieved from Confer in a readable format
ConferSetSeverityDeprecated. Set incident severity according to indicators found in a Confer alert
ContainsCreditCardInfoCheck if a given value is true. Will return 'no' otherwise
ContextContainsThis script searches for a value in a context path.
ContextFilterFilter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it.
ContextGetEmailsGets all email addresses in context, excluding ones given.
ContextGetHashesGets hashes (MD5, SHA1, SHA256) from context.
ContextGetIpsGets all IP addresses in context, excluding ones given.
ContextGetPathForStringSearches for a string in context and returns its context path; returns null if not found.
ContextSearchForStringSearches for string in a path in context. If path is null, string will be searched in full context.
ConvertDatetoUTCConverts a date from a different timezone to UTC timezone.
ConvertDomainToURLsConverts Domain(s) to URL(s).
ConvertKeysToTableFieldFormatConvert object keys to match table keys.
Use when mapping object/collection to table (grid) field.
(Array of objects/collections is also supported).
Example:
Input: { "Engine": "val1", "Max Results": 13892378, "Key_With^Special (characters)": true }
Output: { "engine": "val1", "maxresults": 13892378, "keywithspecialcharacters": true }
ConvertTableToHTMLConverts a given array to an HTML table
ConvertXmlFileToJsonConverts XML file entry to JSON format
ConvertXmlToJsonConverts XML string to JSON format
CopyFileD2Copy a file from an entry to the destination path on the specified system. This uses the dissolvable agent's HTTPS communication channel rather than scp or other out-of-band methods.
Example usage: !CopyFileD2 destpath=/home/sansforensics/collectedbinaries/inv8_suspiciousPE1.exe.evil entryid=21@8 system=Analyst1
CopyLinkedAnalystNotesCopies the analyst notes from the integrations and incidents grid.
CopyNotesToIncidentCopy all entries marked as notes from current incident to another incident.
CountArraySizeCounts the size of an array.
CreateArrayCreates an array object in context from the given string input.
CreateCertificateCreates a public key (.cer file), a private key (.pfx) file, and a Base64 encoded private key to use to authenticate the EWS Extension Online Powershell v2 integration.
CreateChannelWrapperCreates a channel in Slack v2 or in Microsoft Teams. If both Slack v2 and Microsoft Teams are available, it creates the channel in both Slack v2 and Microsoft Teams.
CreateEmailHtmlBodyThis script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists).
Placeholders are marked in DT format (i.e. ${incident.id} for incident ID).
Available placeholders for example:
- ${incident.labels.Email/from}
- ${incident.name}
- ${object.value}
See the incident Context Data menu for available placeholders.

Note: Sending emails requires an active Mail Sender integration instance.
CreateIndicatorsFromSTIXCreates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.0.
CrowdStrikeApiModuleCommon CrowdStrike code that will be appended to each CrowdStrike integration when it is deployed to enable oauth2 authentication automatically.
CrowdStrikeStreamingPreProcessingPre-processing script for CrowdStrike Streaming. It does not duplicate incidents (detection events) that have the same host.
Adds an entry to the duplicate (older) incident noting that a duplicate incident was ignored.
CrowdStrikeUrlParseThis will parse a CrowdStrike alert URL and pull out the Agent ID. Useful for passing to the cs-device-details command to return device details.

It also returns the detection ID for the specific alert. Used for modifying the state of the alert for CrowdStrike.
CryptoCurrenciesFormatVerifies that a crypto address is valid and only returns the address if it is valid.
CSVFeedApiModuleCommon code that will be appended into each CSV feed integration when it's deployed
CuckooDetonateFileAdds a file to the list of pending tasks. Returns the ID of the newly created task.
CuckooDetonateURLDetonate a URL in Cuckoo sandbox.
CuckooDisplayReportDisplay the contents of a Cuckoo report file from a war room entry.
CuckooGetReportGet the report for a completed analysis.
CuckooGetScreenshotDetonate the file in Cuckoo sandbox.
CuckooTaskStatusCheck the current status of a task in Cuckoo sandbox.
CustomContentBundleWizardryThis automation accepts an XSOAR custom content bundle and either returns a list of file names or returns the files you want to the War Room.
CutCut a string by delimiter and return specific fields.
Example
=================
input: "A-B-C-D-E"
delimiter: "-"
fields: "1,5"

return: "A-E"
cveReputationProvides severity of CVE based on CVSS score where available
CybereasonPreProcessingExamplePreprocessing script to run when fetching Cybereason malops.
Checks whether the malop was already fetched; if so, updates the existing incident, otherwise creates a new incident.
CYFileRepDeprecated. This script is deprecated. Use the Cylance integration instead.
CyrenCountryLookupTranslates a country code provided by Cyren products to a full country name (English). Uses ISO 3166-1 alpha-2 for the lookup.
CyrenThreatInDepthRandomHuntThis script will take a random Cyren Threat InDepth feed indicator and its relationships and create a threat hunting incident for you.

The main query parameters for the resulting, internal indicator query are:

1. Seen for the first time by the feed source within the last 7 days.
2. No investigation on it yet.
3. Must have relationships to other indicators.
CyrenThreatInDepthRelatedWidgetShows feed relationship data in a table with the ability to navigate
CyrenThreatInDepthRelatedWidgetQuickShows limited feed relationship data in a table with the ability to navigate
CyrenThreatInDepthRenderRelatedShows feed relationship data in a table with the ability to navigate
D2ActiveUsersShow local accounts
D2AutorunsUsed by the server-side script "Autoruns".
Uses d2 agent on endpoint to run SysInternals Autoruns.
D2DropDrop a file to a target system by providing its path on the server. Use CopyFileD2 instead in most cases.
This is a utility agent script to be used inside server scripts. See CopyFileD2 for an example.
D2ExecExecute the command and pack the output back to server
D2ExecuteCommandRun a D2 built-in command on a D2 agent
D2GetFileGet a file from a system using D2 agent.
D2GetSystemLogCopy a log file. Works on Windows and Unix (differently - take a peek at the script itself to see how).
D2HardwareShow system information
D2O365ComplianceSearchAssign a 'Mailbox Import Export' management role to a user. This script runs through the agent on a Windows machine, pulls and executes a PowerShell script - which talks to the Exchange server.
D2O365SearchAndDeleteAssign a 'Mailbox Import Export' management role to a user. This script runs through the agent on a Windows machine, pulls and executes a PowerShell script - which talks to the Exchange server.
D2PEDumpExecute PE Dump on a file that is under /tmp somewhere. Used internally by StaticAnalyze
D2ProcessesShow running processes
D2RegQueryUse the D2 agent to retrieve the value of the given registry key.
D2RekallUse the D2 agent to execute Rekall on a system (usually a forensics workstation) and analyze a memory dump file located on that system.
D2ServicesShow system services
D2UsersShow local accounts
D2WinpmemUse the D2 agent to carry the winpmem binary to a system and return the memory dump file to the war room. This usually takes a while, depending on the amount of RAM in the target system.
DamSensorDownPre-processing script for emails from McAfee DAM about a disconnected sensor.
Ignores the second notification, but processes the first notification into an incident.
DataDomainReputationDeprecated. Evaluate reputation of a URL and Domain and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned.
DBotAverageScoreCalculates average score for each indicator from context
DBotClosedIncidentsPercentageData output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts
DBotPredictPhishingEvaluationDeprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.
DBotPredictTextLabelDeprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.
DBotPreparePhishingDataDeprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.
DBotTrainTextClassifierDeprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.
DecodeMimeHeaderDecode MIME base64 headers.
DefaultIncidentClassifierDeprecated. Classify an incident from mail.
DeleteContextDelete field from context
DemistoCreateListCreate a new list
DemistoGetIncidentTasksByStateGet all tasks for specific incident by the given state.
DemistoLeaveAllInvestigationsLeaves all investigations that the user is part of (clears out the incidents in the left pane). Incidents that the user owns will remain in the left pane. Requires Demisto REST API integration to be configured for the server.
DemistoLinkIncidentsLink two or more incidents
DemistoLogsBundleGets Demisto Log Bundle to war room
DemistoSendInviteSend invitation to join Demisto
DemistoUploadFileDeprecated. We recommend using DemistoUploadFileV2 instead.
DemistoUploadFileToIncidentCopies a file from this incident to the specified incident. The file is uploaded as an attachment to the specified incident’s Summary page, and recorded as an entry in the War Room.
DisplayCVEChartScriptDisplays a bar chart based on the CVE count and the trending CVE count, in different colors.
DisplayEmailHtmlDisplays the original email in HTML format.
DisplayHTMLDisplay HTML in the War Room.
DockerHardeningCheckChecks if the Docker container running this script has been hardened according to the recommended settings at: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-hardening-guide.html
DomainReputationA context script for Domain entities
DTThis automation allows the usage of DT scripts within playbooks transformers
DumpJSONDumps JSON from the input context key and returns the JSON object as a string.
EmailAskUserAsk a user a question via email and process the reply directly into the investigation.
EmailAskUserResponseExtract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply.
EmailDomainSquattingReputationChecks whether an email address's domain is squatting on another domain, using the Levenshtein distance algorithm.
emailFieldTriggeredSends email to incident owner when selected field is triggered.
EmailReputationA context script for Email entities
EncodeToAsciiEncodes the input text data as ASCII (ignores any characters that cannot be interpreted as ASCII).
EPOFindSystemReturn system info
EsmExampleDeprecated. Example of using McAfee ESM (Nitro) with advanced filters
ExampleJSScriptThis is only an example script, to showcase how to use and write JavaScript scripts
ExchangeAssignRoleDeprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead.
ExchangeDeleteMailDeprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead.
ExchangeSearchMailboxDeprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead.
ExifReadRead image files metadata and provide Exif tags
ExistsCheck if a given value exists in the context. Will return 'no' for empty arrays. To be used mostly with DQ and selectors.
ExpanseAggregateAttributionDeviceAggregate entries from multiple sources into AttributionDevice
ExpanseAggregateAttributionIPAggregate entries from multiple sources into AttributionIP
ExpanseAggregateAttributionUserAggregate entries from multiple sources into AttributionUser
ExpanseEnrichAttributionThis script can be used to enrich context generated by ExpanseAggregateAttribution* scripts with additional details
ExpanseEvidenceDynamicSectionDynamic Section script used in Expanse Issue layout to display the Latest Evidence structure.
ExpanseGenerateIssueMapWidgetScriptThis widget script generates a map of the Open Expanse Issue Incidents with provider On Prem. The map is generated as a static PNG file embedded in Markdown.
ExpansePrintSuggestionsGenerates and prints a report in markdown format containing useful suggestions for the Analyst to attribute an Expanse Issue to an owner.
ExpanseRefreshIssueAssetsScript to refresh tags and attribution reasons of assets inside Expanse Issue. The script should be used inside the Expanse Issue incident context.
ExportToCSVExports the given array to a CSV file.
ExportToXLSXExports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file.
ExposeIncidentOwnerExpose the incident owner into IncidentOwner context key
ExtFilterAdvanced Filter. It enables you to make filters with complex conditions.
ExtractDomainFromIOCDomainMatchResExtracts domain and its details from the Chronicle IOC Domain match response.
ExtractHTMLTablesFind tables inside HTML and extract the contents into objects using the following logic:
- If table has a single column, just create an array of strings from the values
- If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value
- If table has a header row, create a table of objects where attribute names are the headers
- If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3...
FailedInstancesExecutes a test for all integration instances available and returns detailed information about succeeded and failed integration instances.
FeedRelatedIndicatorsWidgetWidget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant.
FetchFileD2Gets a file from a system using a D2 agent.
FetchIndicatorsFromFileFetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types.
FileCreateAndUploadWill create a file (using the given data input or entry ID) and upload it to current investigation war room.
FileReputationA context script for hash entities
findIncidentsWithIndicatorLookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output
FireEyeDetonateFileDetonate File or URL through FireEye
FPDeleteRuleDeletes a rule in Forcepoint Triton.
FPSetRuleAdds (or updates existing) rule in Forcepoint Triton. Preserves order of rules and modifies policy in-place if a rule exists with the exact type and value.
GenerateInvestigationSummaryReportA script to generate investigation summary report in an automated way
Can be used in post-processing flow as well.
GeneratePANWIoTDeviceTableQueryForServiceNowGenerates a single query or query list with which to query in ServiceNow.
GeneratePasswordThis function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class.

The min* values all default to 0. This means that if the command is executed in this way:
!GeneratePassword max_lcase=10
it is possible that a password of length zero could be generated. It is therefore recommended to always include a matching min* parameter.

The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics.
GenerateRandomStringGenerates random string
GenerateRandomUUIDGenerates a random UUID (UUID 4).
GenerateSummaryReportsGenerate report summaries for the passed incidents.
GenericPollingScheduledTaskRuns the polling command repeatedly, completes a blocking manual task when polling is done.
GetCiscoISEActiveInstanceDetermines which configured Cisco ISE instance is in active/primary state and returns the name of the instance.
GetDomainDNSDetailsReturns DNS details for a domain
GetFailedTasksGets failed tasks details for incidents based on a query.
GetIndicatorDBotScoreAdds the system's internal DBot score for the input indicator to the incident's context.
GetInstancesReturns integration instances configured in Cortex XSOAR. You can filter by instance status and/or brand name (vendor).
GetListRowParses a list by header and value.
getMlFeaturesDeprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.
GetNumberOfUsersOnCallRetrieves the number of users who are currently on call.
GetOnCallHoursPerUserRetrieves the number of on call hours per user.
GetRolesPerShiftRetrieves the roles that are available per shift.
GetShiftsPerUserRetrieves the number of on-call hours per user.
GetStringsDistanceGet the string distance between inputString and compareString (could be a comma separated list) based on Levenshtein Distance algorithm.
GetTimeRetrieves the current date and time.
GetUsersOnCallRetrieves users who are currently on call.
GetUsersOOORetrieves users who are currently out of the office. The script uses the OutOfOfficeListCleanup script to remove users from the out-of-office list whose 'off until day' is in the past.
GoogleappsRevokeUserRoleDeprecated. Deletes a role assignment.
GoogleAuthURLDeprecated. This script is deprecated. The demistobot endpoint is no longer supported.
GrrGetFilesDownloads files from specified machine without requiring approval
GrrGetFlowsLists flows launched on a given client
GrrGetHuntRenders hunt's summary
GrrGetHuntsRenders list of available hunts
GrrSetFlowsStarts a flow on a given client with given parameters
GrrSetHuntsHandles hunt creation request
GSuiteApiModuleCommon G Suite code that will be appended to each Google/GSuite integration when it is deployed.
HelloWorldPremiumScriptHello World Premium Script
HelloWorldScriptHello World Script
hideFieldsOnNewIncidentWhen you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode.
HighlightWordsHighlight words inside a given text.
httpSends an HTTP request and returns the response as JSON.
HTTPFeedApiModuleCommon HTTP feed code that will be appended into each HTTP feed integration when it's deployed
IAMApiModuleCommon code that will be appended into each IAM integration when it's deployed.
If-Then-ElseA transformer for simple if-then-else logic.
ImpSfListEndpointsThe endpoints list request enables a client application to receive a list of all managed and unmanaged endpoints, with their basic details. This list can then be externally filtered or searched by the application to identify individual endpoints that might require action. For any such endpoint, the application can obtain fuller details (see Endpoint Details Request below) and if relevant change its enrollment status.
ImpSfRevokeUnaccessedDevicesGets all device data from the server. If a device has not been accessed in over two months (and is still managed), the script sends the corresponding user a warning mail.
If it has not been accessed in over three months, the script revokes the device credentials and notifies the user by mail.
ImpSfScheduleTaskCreates a scheduled task that calls ImpSfRevokeUnaccessedDevices:
Gets all device data from the server. If a device has not been accessed in over two months (and is still managed), the script sends the corresponding user a warning mail.
If it has not been accessed in over three months, the script revokes the device credentials and notifies the user by mail.
ImpSfSetEndpointStatusThe endpoint status request enables a client application to enroll an endpoint or revoke its enrollment. This is usually relevant for endpoints with pending status but can be done for endpoints with any current status. The endpoint needs to be specified by its ID, which can have been received from an endpoints list request, from a new endpoint notification, or from any other implemented manual or automated input.
IncapGetAppInfoUse this operation to retrieve a list of all the client applications
IncapGetDomainApproverEmailUse this operation to get the list of email addresses that can be used when adding an SSL site
IncapListSitesList sites for an account
IncapScheduleTaskThis script periodically runs the "IncapWhitelistCompliance" script, which queries the Incapsula monitored websites for white-list compliance (see script for further details).
The script then saves the new periodic ID into incident context under the "ScheduleTaskID" key for later use.
IncapWhitelistComplianceGets all sites from Incapsula.
For each site, the script, through an SSH server (one that should NOT be in the whitelist), makes sure the site is compliant (the whitelist is being enforced).
If not, a warning mail is sent to the domain owner.
IncidentAddSystemAdds a remote system (such as a desktop under investigation) to an investigation (this allows you to install an agent on the system).
IncidentsCheck-NumberofIncidentsNoOwnerHealth Check dynamic section, showing the number of unassigned incidents.
IncidentsCheck-NumberofIncidentsWithErrorsHealth Check dynamic section, showing the number of failed incidents.
IncidentsCheck-NumberofTotalEntriesErrorsHealth Check dynamic section, showing the total number of errors in failed incidents.
IncidentsCheck-PlaybooksFailingCommandsHealth Check dynamic section, showing the top ten commands of the failed incidents in a pie chart.
IncidentsCheck-PlaybooksHealthNamesHealth Check dynamic section, showing the top ten playbook names of the failed incidents in a bar chart.
IncidentsCheck-Widget-CommandsNamesData output script for populating the dashboard pie graph widget with the top failing incident commands.
IncidentsCheck-Widget-CreationDateData output script for populating the dashboard line graph widget with the creation date of failing incidents.
IncidentsCheck-Widget-IncidentsErrorsInfoData output script for populating the dashboard table graph widget with the information about failing incidents.
IncidentsCheck-Widget-NumberFailingIncidentsData output script for populating the dashboard number graph widget with the number of failing incidents.
IncidentsCheck-Widget-NumberofErrorsData output script for populating the dashboard number graph widget with the number of entries ID errors.
IncidentsCheck-Widget-PlaybookNamesData output script for populating the dashboard bar graph widget with the top failing playbooks name.
IncidentsCheck-Widget-UnassignedFailingIncidentsData output script for populating the dashboard number graph widget with the number of unassigned failing incidents.
IncreaseIncidentSeverityOptionally increases the incident severity to the new value if it is greater than the existing severity.
IndicatorMaliciousRatioCalculationReturn indicators appears in resolved incidents, and resolved incident ids.
InRangechecks if left side is in range of right side (from,to anotation)
e.g. - InRange left=4right=1,8 will return true.
InstancesCheck-FailedCategoriesHealth Check dynamic section, showing the top ten categories of the failed integrations in a pie chart.
InstancesCheck-NumberofEnabledInstancesHealth Check dynamic section, showing the total number of checked integrations.
InstancesCheck-NumberofFailedInstancesHealth Check dynamic section, showing the total number of failed integrations.
IntegrationsCheck-Widget-IntegrationsCategoryData output script for populating the dashboard pie graph widget with the failing integrations.
IntegrationsCheck-Widget-IntegrationsErrorsInfoData output script for populating the dashboard table graph widget with the information about failing integrations.
IntegrationsCheck-Widget-NumberCheckedData output script for populating the dashboard number graph widget with the number of checked integrations.
IntegrationsCheck-Widget-NumberFailingInstancesData output script for populating the dashboard number graph widget with the number of failing integrations.
IntezerRunScannerRunning the Intezer Endpoint Analysis Scanner
iot-security-alert-post-processingIoT alert post processing script to resolve the alert in IoT security portal using API
iot-security-check-servicenowClose the XSOAR incident if the IoT ServiceNow ticket was closed. This command should be run in a Job.
iot-security-get-raciIoT RACI model script
iot-security-vuln-post-processingIoT vulnerability post processing script to resolve the vulnerability incident in IoT security portal using API
IPReputationA context script for IP entities
IPToHostTry to get the hostname correlated with the input IP.
IsDemistoRestAPIInstanceAvailableChecks if the provided Demisto REST API instance is available for the XSOAR Simple Dev to Prod workflow.
IsEmailAddressInternalChecks if the email address is part of the internal domains
isErrorCheck whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error.
IsGreaterThanChecks if one number(float) as bigger than the other(float)
Returns yes: if first > second
Returns no: if first <= second
Returns exception if one of the inputs is not a number
IsIntegrationAvailableReturns 'yes' if integration brand is available. Otherwise returns 'no'
IsInternalHostNameChecks if the supplied hostnames match either the organization's internal naming convention or the domain suffix.
IsIPInRanges: Returns yes if the IP is in one of the ranges provided, returns no otherwise.
IsListExist: Checks if a list exists in the Demisto lists.
IsMaliciousIndicatorFound: Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found.
IsTrue: Checks if a given value is true. Returns 'no' otherwise
IsValueInArray: Indicates whether a given value is a member of a given array
JiraCreateIssue-example: This script is used to simplify the process of creating a new Issue in Jira. You can add the fields that you want in the record as script arguments and/or in the code, and have a new Issue created easily.
JIRAPrintIssue: Pretty print a JIRA issue into the incident war room
jmespath: Performs a JMESPath search on an input JSON format, when using a transformer.
JoinIfSingleElementOnly: Returns the single element in case the array has only 1 element in it, otherwise returns the whole array
JSONFeedApiModule: Common code that will be appended into each JSON Feed integration when it's deployed
JSONtoCSV: Convert a JSON war room output via EntryID to a CSV file.
LanguageDetect: Language detection based on Google's language-detection.
LCMAcknowledgeHost: Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LCMDetectedEntities: Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LCMDetectedIndicators: Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LCMHosts: Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LCMIndicatorsForEntity: Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LCMPathFinderScanHost: Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LCMResolveHost: Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LCMSetHostComment: Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LessThanPercentage: Checks if one percentage is less than another
Returns less: if firstPercentage < secondPercentage
Returns more: if firstPercentage >= secondPercentage
Returns exception if one of the inputs is not a float
LinkIncidentsWithRetry: Use this script to avoid DB version errors when simultaneously running multiple linked incidents.
ListDeviceEvents: List all of the events discovered within your enterprise on a particular device within the 2 hours before the current time.
listExecutedCommands: Lists the executed commands in the War Room
LoadJSON: Loads JSON from a string input and returns a JSON object result
MaliciousRatioReputation: Set the indicator reputation to "suspicious" when the malicious ratio is above the threshold.
The malicious ratio is the ratio between the number of "bad" incidents and the total number of incidents the indicator appears in.
ManageOOOusers: Adds or removes an analyst from the out-of-office list in XSOAR. When used with the AssignAnalystToIncidentOOO automation, prevents incidents from being assigned to an analyst who is out of office.
MapValues: Map the given values to the translated values. If the given values are a,b,c and the translated values are 1,2,3, then the input a will return 1
MapValuesTransformer: This script converts the input value into another value using two lists. The input value is searched for in the first list (input_values).
If it exists, the value from the second list (mapped_values) at the same index is returned. If there is no match, the original value is returned.
If the original input is a dictionary, then the script will look for a "stringified" version of the "key: value" pair in the input_values and then map the result in the output_values into the original "value".

Example 1:

input_values = "1,2,3,4"
mapper_values = "4,3,2,1"
value = 3

Output would be "2"

Example 2:

input_values ="firstkey: datahere,secondkey: datathere"
mapper_values = "datathere,datahere"
value(dict)= {
"firstkey": "datahere"
}

Output would be:
{
"firstkey": "datathere"
}

The reason for matching the key AND value pair in a dictionary is to allow the mapping of values that have a specific key name. In most cases, dictionaries will contain key-value pairs in which the values are the same. You might want to change the value of KeyA, but not the value of KeyB. This method gives control over which key is changed.

When the input is a dict, str, int, or list, the output is ALWAYS returned as a string.
MarkAsEvidenceBySearch: Search entries in the war room for the pattern text, and mark them as evidence.
MarkAsNoteBySearch: Search entries in the war room for the pattern text, and mark the entries found as notes.
MarkAsNoteByTag: Mark entries as notes if they are tagged with the given tag
MarkRelatedIncidents: Marks the given incidents as related to the current incident
MatchIPinCIDRIndicators: Match the provided IP address against all the indicators of type CIDR with the provided tags (longest match).
MatchRegex: Deprecated. Use the MatchRegexV2 script instead.
MatchRegexV2: Extracts regex data from the provided text. The script supports groups and looping.
MathUtil: The script runs the provided mathematical action on 2 provided values and produces a result.
The result can be stored in the context using the contextKey argument
MattermostAskUser: Ask a user a question on Mattermost and expect a response. The response can also close a task (might be conditional) in a playbook.
MicrosoftApiModule: Common Microsoft code that will be appended into each Microsoft integration when it's deployed
MicrosoftTeamsAsk: Send a team member or channel a question with predefined response options on Microsoft Teams. The response can be used to close a task (might be conditional) in a playbook.
MimecastFindEmail: Find an email across all mailboxes, and return the list of mailboxes where the email was found, as well as Yes if the mail was found anywhere or No otherwise.
MimecastQuery: Query Mimecast emails
MITREIndicatorsByOpenIncidents: This is a widget script returning MITRE indicators information for the top indicators shown in incidents.
ModifyDateTime: Takes a date or time input and adds or subtracts a determined amount of time. Returns a date or time string in ISO format.
NetwitnessQuery: Performs a query against the meta database
NetwitnessSAAddEventsToIncident: This command will add new events to an existing NetWitness SA incident
NetwitnessSACreateIncident: Create an incident inside NetWitness SA from a set of NetWitness events.
NetwitnessSAGetAvailableAssignees: Returns the available NetWitness SA users to be assigned to incidents
NexposeCreateIncidentsFromAssets: Create incidents based on the Nexpose asset ID and vulnerability ID.
Duplicate incidents are not created for the same asset ID and vulnerability ID.
NexposeEmailParser: Parses a Nexpose report into a clear table containing the risk score and vulnerability count for each server,
and creates a new incident for each server.
NexposeEmailParserForVuln: Parses a Nexpose report into a clear table containing the risk score and vulnerability count for each server,
and creates a new incident for each server.
NexposeVulnExtractor: Parse a specific server's Nexpose response into a table of vulnerabilities.
NotInContextVerification: Executes the given command and verifies that the specified field is not in the context after execution.
O365SearchEmails: Search mails in Office 365
OnboardingCleanup: Clean up the incidents and indicators created by OnboardingIntegration
OnionURLReputation: This script adds the reputation to Onion URL indicators. The script is automatically triggered when an Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSOAR CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators.
OSQueryBasicQuery: Returns the results from a basic OSQuery query on a remote Linux machine.
For more information read the documentation at https://osquery.readthedocs.io/
OSQueryLoggedInUsers: Returns logged-in user details from a remote system using OSQuery
OSQueryOpenSockets: Returns open socket details from a remote system using OSQuery
OSQueryProcesses: Returns process details from a remote system using OSQuery
OSQueryUsers: Returns the Users table from a remote system using OSQuery
Osxcollector: Executes osxcollector on a machine; can run ONLY on OSX
OutOfOfficeListCleanup: Removes any users from the out-of-office list whose 'off until day' is in the past.
PagerDutyAlertOnIncident: Send incident details to PagerDuty (useful to include in playbooks)
PagerDutyAssignOnCallUser: By default assigns the first on-call user to an investigation (all incidents in the investigation will be owned by the on-call user)
ParseCSV: This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context.
ParseEmailFiles: Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified; only the "Label/x" context items that originated from the labels are, and the best practice is to rely on these for the remainder of the playbook.
ParseExcel: The automation takes an Excel file (entryID) as input and parses its content to the war room and context
ParseJSON: Parse a given JSON string "value" to a representative object. Example: "{'a':'value'}" => { a: "value"}.
ParseWordDoc: Takes a docx file (entryID) as input and saves an output text file (file entry) with the original file's contents.
PcapFileExtractor: This automation extracts all possible files from a PCAP file.
PCAPMiner: Deprecated. We recommend using PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It uses a Docker image located on Docker Hub: trorabaugh/dempcap:1.0. To use it, simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry ID, click on the link in the top right-hand corner of a file attachment.
PcapMinerV2: PcapMiner V2 parses PCAP files and displays all of the relevant data within, including IP addresses, ports, flows, a specific protocol breakdown, searching by regex, decrypting encrypted traffic and more.
This automation takes about a minute to process 20,000 packets (which is approximately 10MB). If you want to mine large files you can either:
a) Use the pcap_filter parameter to filter your PCAP file and thus make it smaller.
b) Copy the automation and change the default timeout parameter to match your needs.
PDFUnlocker: Removes the password protection from a PDF file and adds a new file entry with the unlocked PDF.
PortListenCheck: Checks whether a port is open on a given host.
PreprocessEmail: Preprocessing script for the email communication layout.
This script checks if the incoming email contains an Incident ID to link the mail to an existing incident, and tags the email as "email-thread".

For more information about the preprocessing rules, refer to: https://demisto.developers.paloaltonetworks.com/docs/incidents/incident-pre-processing
Print: Prints text to the war room (Markdown supported)
PrintContext: Pretty-print the contents of the playbook context
PrintErrorEntry: Prints an error entry with a given message
PrintRaw: Prints a raw representation of a string or object, visualising things like tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression.
PrismaCloudAttribution: Recursively extracts specified fields from a provided list of assets for the Prisma Cloud attribution use case.
PTEnrich: Deprecated. Enrich the given IP or domain with metadata, malware, OSINT
PublishEntriesToContext: Publish entries to the incident's context
PWEventPcapDownload: Download PCAPs related to the requested events. Supports rate throttling.
PWObservationPcapDownload: Download PCAPs related to the specified observations. Supports rate throttling.
QRadarFetchedEventsSum: Displays the number of fetched events vs. the total number of events in the offense.
QRadarMagnitude: Colors the field according to the magnitude. The scale is
1-3 green
4-7 yellow
8-10 red
QRadarPrintAssets: This script prints the assets fetched from the offense in a table format.
QRadarPrintEvents: This script prints the events fetched from the offense in a table format.
QualysCreateIncidentFromReport: Create incidents from a Qualys report (XML), based on the Qualys asset ID and vulnerability ID (QID).
Duplicate incidents are not created for the same asset ID and QID.
ReadPDFFileV2: Load a PDF file's content and metadata into context.
RecordedFutureDomainRiskList: Extracts the domain risk list from Recorded Future and creates indicators accordingly.
RecordedFutureHashRiskList: Extracts the hash risk list from Recorded Future and creates indicators accordingly.
RecordedFutureIPRiskList: Extracts the IP risk list from Recorded Future and creates indicators accordingly.
RecordedFutureURLRiskList: Extracts the URL risk list from Recorded Future and creates indicators accordingly.
RecordedFutureVulnerabilityRiskList: Extracts the Vulnerability risk list from Recorded Future and creates indicators accordingly.
RegCollectValues: Collect values for the given registry path from all Windows systems in this investigation.
RegPathReputationBasicLists: Check the given registry path against a small blacklist (score 3), whitelist (score 1), and suspicious list (score 2). If the key matches none of them, returns an answer of 0.
RegProbeBasic: Perform a short probe of the specified system's registry: retrieve and display the values of a list of interesting keys
RemoteExec: Execute a command on a remote machine (without installing a D2 agent)
RemoveKeyFromList: Removes a key from a key/value store backed by an XSOAR list.
ResolveShortenedURL: Resolve the original URL from the given shortened URL and return it both as output and in the playbook context. (https://unshorten.me/api)
ReverseList: Reverse a list
e.g. ["Mars", "Jupiter", "Saturn"] => [ "Saturn", "Jupiter", "Mars"]

This is an example of an entire-list transformer: it operates on the argument as a list (note the "entirelist" tag)
RiskIQDigitalFootprintAssetDetailsWidgetScript: Shows the detailed information of an asset identified as a "RiskIQAsset" type of indicator in the indicator's layout.
RiskIQPassiveTotalComponentsScript: Enhancement script to enrich PassiveTotal components for Domain and IP type of indicators.
RiskIQPassiveTotalComponentsWidgetScript: Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators.
RiskIQPassiveTotalHostPairChildrenScript: Enhancement script to enrich PassiveTotal host pair children for Domain and IP type of indicators.
RiskIQPassiveTotalHostPairParentsScript: Enhancement script to enrich PassiveTotal host pair parents for Domain and IP type of indicators.
RiskIQPassiveTotalHostPairsChildrenWidgetScript: Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators.
RiskIQPassiveTotalHostPairsParentsWidgetScript: Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators.
RiskIQPassiveTotalPDNSScript: Enhancement script to enrich PDNS information for Domain and IP type of indicators.
RiskIQPassiveTotalPDNSWidgetScript: Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators.
RiskIQPassiveTotalSSLForIssuerEmailWidgetScript: Set widgets to custom layout in Email and RiskIQAsset type of indicators.
RiskIQPassiveTotalSSLForSubjectEmailWidgetScript: Set widgets to custom layout in Email and RiskIQAsset type of indicators.
RiskIQPassiveTotalSSLScript: Enhancement script to enrich SSL information for Email, File SHA-1 and RiskIQSerialNumber type of indicators.
RiskIQPassiveTotalSSLWidgetScript: Set widgets to custom layout in Email, RiskIQSerialNumber and File SHA-1 type of indicators.
RiskIQPassiveTotalTrackersScript: Enhancement script to enrich web trackers information for Domain and IP type of indicators.
RiskIQPassiveTotalTrackersWidgetScript: Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators.
RiskIQPassiveTotalWhoisScript: Enhancement script to enrich whois information for Domain and Email type of indicators.
RiskIQPassiveTotalWhoisWidgetScript: Set widgets to custom layout in Domain, Email and RiskIQ Asset type of indicators.
RiskSenseGetRansomewareCVEScript: This script is a helper script for the Ransomware Exposure - RiskSense playbook and retrieves information about CVEs and trending CVEs from host finding details.
RSAArcherManualFetch: This automation creates new incidents from RSA Archer.
RubrikSonarSensitiveHits: Shows the Rubrik Polaris Sonar data classification results.
RunDockerCommand: This command allows you to run commands against a local Docker container. You can run commands such as wc for word count, or any other commands you want, on the Docker container.

For tools that are not part of the default Docker container, we recommend copying this Automation script and then creating a custom Docker container with /docker_image_create, to add any command-line tool to Demisto and output the results directly to the context.
RunPollingCommand: Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task.
SalesforceAskUser: Ask a user a question via Salesforce Chatter and process the reply directly into the investigation.
SandboxDetonateFile: Deprecated. This script is deprecated. Use the available generic file detonation playbooks instead.
SbDownload: Use the Download API to have a client application download files generated by the Check Point Threat Prevention service: analysis reports, Threat Emulation sandbox outputs, and more. The request must have the ID of the file to download.
SbQuery: Use the Query API to have a client application look for either the analysis report of a specific file on the Check Point Threat Prevention service databases or the status of a file uploaded for analysis.
SbQuota: Use the Quota API to have a client application get the current license and quota status of the API key that you use.
SbUpload: Use the Upload API to have a client application request that Check Point Threat Prevention modules scan and analyze a file. When you upload a file to the service, the file is encrypted. It is decrypted during analysis, and then deleted.
ScheduleCommand: Schedule a command to run inside the war room at a future time (once or recurring)
ScheduleGenericPolling: Called by the GenericPolling playbook, schedules the polling task.
SCPPullFiles: Take a list of devices and pull a specific file (given by path) from each using SCP
SearchIncidentsV2: Searches Demisto incidents
SearchIndicators: Deprecated. Use the SixgillSearchIndicators script instead.
SendAllPANWIoTAssetsToSIEM: Retrieves all specified assets from the PANW IoT cloud and sends them to the SIEM server.
SendAllPANWIoTDevicesToCiscoISE: Gets all available devices from the IoT cloud and updates or creates them on Cisco ISE using the custom attributes.
SendAllPANWIoTDevicesToServiceNow: Gets all available devices from the IoT cloud and sends them to the ServiceNow server.
SendEmailOnSLABreach: Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started.
In order to run successfully, the script should be configured to trigger on SLA breach, through field edit mode.
SendEmailReply: Send an email reply
SendMessageToOnlineUsers: Send a message to Demisto online users over Email, Slack, Mattermost or all.
SendPANWIoTDevicesToCiscoISE: This script takes (as a required argument) custom attributes from the PANW IoT cloud and creates or updates endpoints in ISE with the input custom attributes.
SEPCheckOutdatedEndpoints: Check if any endpoints are using an AV definition that is not the latest version.
ServiceNowApiModule: Common ServiceNow code that will be appended to each ServiceNow integration when it is deployed to automatically enable OAuth2 authentication.
ServiceNowCreateIncident: This script is used to wrap the generic create-record command in ServiceNow.
You can add the fields that you want to create the record with as script arguments or in the
code and work with the records easily.
ServiceNowIncidentStatus: Populates the value of the ServiceNow Ticket State field and displays it in a layout widget.
ServiceNowQueryIncident: This script is used to wrap the generic query-table command in ServiceNow.
You can add the fields that you want to use as inputs and outputs from the record as script arguments or in the
code and work with the records easily.
ServiceNowUpdateIncident: This script is used to wrap the generic update-record command in ServiceNow.
You can add the fields that you want to update the record with as script arguments or in the
code and work with the records easily.
Set: Set a value in context under the key you entered.
SetByIncidentId: Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. Sets a value into the context with the given context key. Doesn't append by default.
SetDateField: Sets a custom incident field with the current date
SetGridField: Creates a Grid table from items or key-value pairs.
SetMultipleValues: Set multiple keys/values in the context.
SetSeverityByScore: Deprecated. Calculates a weighted score based on the number of malicious indicators involved in the incident. Each indicator type can have a different weight. Finally, if the score exceeds certain thresholds, increases the incident severity. Thresholds can also be overridden by providing them in arguments.
SetTagsBySearch: Search entries in the war room for the pattern text, and set tags on the entries found.
SetTime: Fill the current time into a custom incident field
ShowOnMap: Returns a map entry with a marker on the given coordinate (lat, lng).
ShowScheduledEntries: Show all scheduled entries for a specific incident.
SixgillSearchIndicators: Search for Indicators
SlackAsk: Sends a message (question) either to a user (in a direct message) or to a channel. The message includes predefined reply options. The response can also close a task (might be conditional) in a playbook.
Sleep: Sleep for X seconds
SplunkEmailParser: Deprecated. Classify an incident created from an email originating from Splunk.
The mail type should be in plain text, and inline - table should be selected.
Parsing is done in the following manner:
type is the header sourcetype, severity is the mail importance level,
the incident name is the mail subject and the systems are taken from host.
SSDeepReputation: Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system.
StaticAnalyze: For phishing incidents, iterate over all attachments and run PE dump on each
StixCreator: Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.0 format.
StopScheduledTask: This stops the scheduled task whose ID is given in the taskID argument.
StringContainsArray: Checks whether a substring or an array of substrings is within a string array (each item will be checked). Supports single strings as well. For example, for substrings ['a','b','c'] in a string 'a' the script will return true.
StringLength: Returns the length of the string passed as an argument
StringReplace: Replaces regex match/es in a string.
Returns the string after the replace was performed.
Strings: Extract strings from a file with an optional filter, similar to the binutils strings command
TaniumFilterComputersByIndexQueryFileDetails: Get the requested sensors from all machines where the Index Query File Details match the given filter.
E.g. !TaniumFilterQuestionByIndexQueryFileDetails sensors="Computer Name" filter_type=contains filter_value=Demisto limit=5
will be translated to the following plain text Tanium question:
"Get Computer Name from all machines with any Index Query File Details[, , , , , , *, 5] containing "Demisto""
TAXII2ApiModule: Common TAXII 2 code that will be appended into each TAXII 2 integration when it's deployed
TextFromHTML: Extract regular text from the given HTML
ticksToTime: Converts time in ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft.
TimeStampCompare: Compares a single timestamp to a list of timestamps.
TimeStampToDate: Converts a UNIX epoch timestamp to a simplified extended ISO format string. Use it to convert a timestamp to a Demisto date field

e.g. 1525006939 will return '2018-04-29T13:02:19.000Z'
TimeToNextShift: Retrieves the time left until the next shift begins.
TopMaliciousRatioIndicators: Find the top malicious ratio indicators.
The malicious ratio is defined as the number of "bad" incidents divided by the total number of incidents that the indicator appears in.
ToTable: Convert an array to a nice table display. Usually, from the context.
TrendmicroAlertStatus: Get last alerts
TrendmicroAntiMalwareEventRetrieve: Get anti-malware events
TrendMicroClassifier: Classifies TrendMicro incidents
TrendMicroGetHostID: Returns a table of hosts and their TrendMicro IDs
TrendMicroGetPolicyID: Returns a table of policies and their TrendMicro IDs
TrendmicroHostAntimalwareScan: Scan computers by host ID list
TrendmicroHostRetrieveAll: Get all hosts info
TrendmicroSecurityProfileAssignToHost: Get all security profiles
TrendmicroSecurityProfileRetrieveAll: Get all security profiles
TrendmicroSystemEventRetrieve: Get system events
UnEscapeIPs: Remove escaping chars from an IP
127[.]0[.]0[.]1 -> 127.0.0.1
UnEscapeURLs: Extract URLs redirected by security tools like Proofpoint.
Changes https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_something.html -> https://example.com/something.html
Also, un-escapes URLs that are escaped for safety with formats like hxxps://www[.]demisto[.]com
UnPackFile: Unpack a file using fileName or entryID to specify the file. Unpacked files will be pushed to the war room and their names will be pushed to the context.
Supported types are:
7z (.7z), ACE (.ace), ALZIP (.alz), AR (.a), ARC (.arc), ARJ (.arj), BZIP2 (.bz2), CAB (.cab), compress (.Z), CPIO (.cpio), DEB (.deb), DMS (.dms), GZIP (.gz), LRZIP (.lrz), LZH (.lha, .lzh), LZIP (.lz), LZMA (.lzma), LZOP (.lzo), RPM (.rpm), RAR (.rar), RZIP (.rz), TAR (.tar), XZ (.xz), ZIP (.zip, .jar) and ZOO (.zoo)
UnzipFile: Unzip a file using fileName or entryID to specify the file. Unzipped files will be loaded to the War Room and their names will be put into the context.
URLDecode: Converts
https:%2F%2Fexample.com
into
https://example.com
URLNumberOfAds: Fetches the number of ads in the given URL
URLReputation: A context script for URL entities
UrlscanGetHttpTransactions: This script gets the HTTP transactions made for a given URL using the UrlScan integration.
When using this script inside a playbook, go to the 'Advanced' section of the task that executes the script and check the 'Run without a worker' checkbox; this causes the system to use far fewer resources in the polling action.
URLSSLVerification: Verify a URL's SSL certificate
UserEnrichAD: Enhancement automation for the user type indicator, to enrich the user name from Active Directory data
UtilAnyResults: Utility script to use in playbooks; returns "yes" if the input is non-empty.
VerifyHumanReadableContains: Verifies that a given entry contains a string
VerifyJSON: Verifies that the supplied JSON string is valid and optionally verifies it against a provided schema. The script utilizes PowerShell's Test-JSON cmdlet.
VolApihooks: Volatility script for the apihooks command
Volatility: Executes volatility with a command and returns tabular output. Where proper JSON output is not supported, the script returns an error; use the raw command instead.
VolConnscan: Volatility script for the connscan command
VolDlllist: Volatility script for the ldrmodules command
VolGetProcWithMalNetConn: Volatility script for getting the list of processes that have connections to IP addresses with bad reputation.
VolImageinfo: Volatility script for the imageinfo command
VolJson: Executes volatility with a command and file as parameters and returns the output as JSON.
VolLDRModules: Volatility script for the ldrmodules command
VolMalfind: Volatility script for the ldrmodules command
VolMalfindDumpAgent: Volatility script for the ldrmodules command
VolNetworkConnections: Volatility script for finding all the network connections. This script runs through different commands based on the profile provided.
VolPSList: Volatility script for the pslist command
VolRaw: Executes volatility with a command and file as parameters and returns the raw output from stdout.
VolRunCmds: Executes volatility with a command and returns tabular output. Where proper JSON output is not supported, the script returns an error; use the raw command instead.
WaitForKey: A simple loop to inspect the context for a specific key. If the key is not found after "iterations" loops, the script exits with a message.
WhereFieldEquals: Returns all items from the list whose given 'field' attribute equals the 'equalTo' argument

E.g. !WhereFieldEquals with the following arguments:
- value=[{ "name": "192.1,0.82", "type": "IP" }, { "name": "myFile.txt", "type": "File" }, { "name": "172.0.0.2", "type": "IP" }]
- field='type'
- equalTo='IP'
- getField='name'

Will return the names of all items where field 'type' equals 'IP': ['192.1,0.82', '172.0.0.2']
XBInfo: Deprecated. This script is deprecated. Use the Exabeam integration instead.
XBLockouts: Deprecated. This script is deprecated. Use the Exabeam integration instead.
XBNotable: Deprecated. This script is deprecated. Use the Exabeam integration instead.
XBTimeline: Deprecated. This script is deprecated. Use the Exabeam integration instead.
XBTriggeredRules: Deprecated. This script is deprecated. Use the Exabeam integration instead.
XBUser: Deprecated. This script is deprecated. Use the Exabeam integration instead.
YaraScan: Performs a Yara scan on the specified files.
ZipFile: Zip a file and upload it to the war room

Content Release Notes#

| Name | Date |
|---|---|
| Content Release 21.3.0 | Published on 02 March 2021 |
| Content Release 21.2.1 | Published on 16 February 2021 |
| Content Release 21.2.0 | Published on 02 February 2021 |
| Content Release 21.1.1 | Published on 19 January 2021 |
| Content Release 21.1.0 | Published on 05 January 2021 |
| Content Release 20.12.1 | Published on 22 December 2020 |
| Content Release 20.12.0 | Published on 08 December 2020 |
| Content Release 20.11.1 | Published on 22 November 2020 |
| Content Release 20.11.0 | Published on 10 November 2020 |
| Content Release 20.10.1 | Published on 27 October 2020 |
| Content Release 20.10.0 | Published on 13 October 2020 |
| Content Release 20.9.2 | Published on 30 September 2020 |
| Content Release 20.9.1 | Published on 15 September 2020 |
| Content Release 20.9.0 | Published on 1 September 2020 |
| Content Release 20.8.2 | Published on 20 August 2020 |
| Content Release 20.8.1 | Published on 16 August 2020 |
| Content Release 20.8.0 | Published on 4 August 2020 |
| Content Release 20.7.2 | Published on 22 July 2020 |
| Content Release 20.7.1 | Published on 21 July 2020 |
| Content Release 20.7.0 | Published on 07 July 2020 |
| Content Release 20.6.1 | Published on 23 June 2020 |
| Content Release 20.6.0 | Published on 09 June 2020 |
| Content Release 20.5.3 | Published on 27 May 2020 |
| Content Release 20.5.2 | Published on 26 May 2020 |
| Content Release 20.5.1 | Published on 18 May 2020 |
| Content Release 20.5.0 | Published on 12 May 2020 |
| Content Release 20.4.1 | Published on 28 April 2020 |
| Content Release 20.4.0 | Published on 14 April 2020 |
| Content Release 20.3.4 | Published on 30 March 2020 |
| Content Release 20.3.3 | Published on 17 March 2020 |
| Content Release 20.3.2 | Published on 11 March 2020 |
| Content Release 20.3.1 | Published on 04 March 2020 |
| Content Release 20.2.4 | Published on 24 February 2020 |
| Content Release 20.2.3 | Published on 18 February 2020 |
| Content Release 20.2.2 | Published on 09 February 2020 |
| Content Release 20.2.1 | Published on 6 February 2020 |
| Content Release 20.2.0 | Published on 04 February 2020 |
| Content Release 20.1.2 | Published on 21 January 2020 |
| Content Release 20.1.1 | Published on 16 January 2020 |
| Content Release 20.1.0 | Published on 07 January 2020 |
| Content Release 19.12.1 | Published on 25 December 2019 |
| Content Release 19.12.0 | Published on 10 December 2019 |
| Content Release 19.11.1 | Published on 26 November 2019 |
| Content Release 19.11.0 | Published on 12 November 2019 |
| Content Release 19.10.3 | Published on 31 October 2019 |
| Content Release 19.10.2 | Published on 29 October 2019 |
| Content Release 19.10.1 | Published on 15 October 2019 |
| Content Release 19.10.0 | Published on 02 October 2019 |
| Content Release 19.9.1 | Published on 18 September 2019 |
| Content Release 19.9.0 | Published on 03 September 2019 |

Additional archived release notes are available here.