Reference Docs
Find reference documentation for Integrations, Automations, Playbooks and more.
Integrations#
| Name | Description |
|---|---|
| 1Touch.io's Inventa Connector | Use the Inventa integration to generate DSAR reports within Inventa instance and retrieve DSAR data for the XSOAR |
| Abnormal Security | Abnormal Security detects the whole spectrum of email attacks, from vendor email compromise and spear-phishing to unwanted email spam and graymail. To stop these advanced attacks, Abnormal leverages the industry’s most advanced behavioral data science to baseline known good behavior and detects anomalies. |
| Absolute | Absolute is an adaptive endpoint security solution that delivers device security, data security, and asset management of endpoints. |
| abuse.ch SSL Blacklist Feed | The SSL IP Blacklist contains all hosts (IP addresses) that SSLBL has seen in the past 30 days and identified as being associated with a malicious SSL certificate. |
| AbuseIPDB | Central repository to report and identify IP addresses that have been associated with malicious activity online. Check the Detailed Information section for more information on how to configure the integration. |
| Acalvio ShadowPlex | Acalvio ShadowPlex is a comprehensive Autonomous Deception Platform that offers Advanced Threat Detection, Investigation and Response capabilities. |
| Accenture CTI | ACTI provides intelligence regarding security threats and vulnerabilities. |
| Accessdata | Use the Accessdata integration to protect against and provide additional visibility into phishing and other malicious email attacks. |
| ACTI Feed | Fetches indicators from a ACTI feed. You can filter returned indicators by indicator type, indicator severity, threat type, confidence, and malware family (each of these are an integration parameter). |
| ACTI Indicator Feed | Fetches indicators from a ACTI feed. You can filter returned indicators by indicator type, indicator severity, threat type, confidence, and malware family (each of these are an integration parameter). |
| ACTI Indicator Query | ACTI provides intelligence regarding security threats and vulnerabilities. |
| ACTI Vulnerability Query | ACTI provides intelligence regarding security threats and vulnerabilities. |
| Active Directory Authentication | Authenticate using Active Directory. |
| Active Directory Hygiene | This Integration runs commands on an Active Directory server |
| Active Directory Query v2 | The Active Directory Query integration enables you to access and manage Active Directory objects (users, contacts, and computers). |
| ActiveMQ | Integration with ActiveMQ queue |
| Aella Star Light | Aella Star Light Integration |
| Agari Phishing Defense | Agari Phishing Defense stops phishing, BEC, and other identity deception attacks that trick employees into harming your business. |
| Akamai WAF | Use the Akamai WAF integration to manage common sets of lists used by various Akamai security products and features. |
| Akamai WAF SIEM | Use the Akamai WAF SIEM integration to retrieve security events from Akamai Web Application Firewall (WAF) service. |
| Alexa Rank Indicator | Alexa provides website ranking information that can be useful in determining if the domain in question has a strong web presence. |
| Alexa Rank Indicator v2 | Alexa provides website ranking information that can be useful when determining if a domain has a strong web presence. |
| Alibaba Action Trail Event Collector | Alibaba logs event collector integration for XSIAM. |
| AlienVault OTX TAXII Feed | This integration fetches indicators from AlienVault OTX using a TAXII client. |
| AlienVault OTX v2 | Query Indicators of Compromise in AlienVault OTX. |
| AlienVault Reputation Feed | Use the AlienVault Reputation feed integration to fetch indicators from the feed. |
| AlienVault USM Anywhere | Searches for and monitors alarms and events from AlienVault USM Anywhere. |
| AlphaSOC Network Behavior Analytics | Retrieve alerts from the AlphaSOC Analytics Engine |
| AlphaSOC Wisdom | DNS and IP threat intelligence via the AlphaSOC platform |
| AlphaVantage | This is an API to get stock prices etc |
| Amazon DynamoDB | Amazon DynamoDB Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. DynamoDB lets you offload the administrative burdens of operating and scaling a distributed database, so that you don't have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling. With DynamoDB, you can create database tables that can store and retrieve any amount of data, and serve any level of request traffic. You can scale up or scale down your tables' throughput capacity without downtime or performance degradation, and use the AWS Management Console to monitor resource utilization and performance metrics. DynamoDB automatically spreads the data and traffic for your tables over a sufficient number of servers to handle your throughput and storage requirements, while maintaining consistent and fast performance. All of your data is stored on solid state disks (SSDs) and automatically replicated across multiple Availability Zones in an AWS region, providing built-in high availability and data durability. |
| AMP | Uses CISCO AMP Endpoint |
| Analyst1 | This integration utilizes Analyst1's system to enrich Demisto indicators with data provided by the Analyst1 REST API, such as actor and malware information, activity and reported dates, evidence and hit counts, and more. |
| Anomali Match | Use Anomali Match to search indicators and enrich domains. |
| Anomali ThreatStream (Deprecated) | Deprecated. Use Anomali ThreatStream v3 instead. Use Anomali ThreatStream to query and submit threats |
| Anomali ThreatStream v2 | Use Anomali ThreatStream to query and submit threats. |
| Anomali ThreatStream v3 | Use Anomali ThreatStream to query and submit threats. |
| Ansible ACME | Control Automatic Certificate Management Environment on Linux hosts |
| Ansible Alibaba Cloud | Manage Alibaba Cloud Elastic Compute Instances |
| Ansible Azure | Manage Azure resources |
| Ansible Cisco IOS | Cisco IOS Platform management over SSH |
| Ansible Cisco NXOS | Cisco NX-OS Platform management over SSH |
| Ansible DNS | Manage DNS records using NSUpdate |
| Ansible HCloud | Manage your Hetzner Cloud environment |
| Ansible Kubernetes | Manage Kubernetes |
| Ansible Microsoft Windows | Agentless Windows host management over WinRM |
| Ansible OpenSSL | Control OpenSSL on a remote Linux hosts |
| Ansible Tower | Scale IT automation, manage complex deployments, and speed productivity. |
| Ansible VMware | Manage VMware vSphere Server, Guests, and ESXi Hosts |
| ANY.RUN | ANY.RUN is a cloud-based sanbox with interactive access. |
| APIVoid | APIVoid wraps up a number of services such as ipvoid & urlvoid |
| Arcanna.AI | Arcanna integration for using the power of AI in SOC |
| ArcSight ESM v2 | ArcSight ESM SIEM by Micro Focus (Formerly HPE Software). |
| ArcSight Logger | ArcSight events logger |
| ArcusTeam | The ArcusTeam API allows the user to inspect connected devices' attack surface. By feeding device identifiers and the software it runs: DeviceTotal will return a map of the device’s attack surface. DeviceTotal was built from the ground up in order to provide complete visibility into connected devices and mitigate 3rd party risk. DeviceTotal can continuously identify & predict such that the connected device security posture is being assessed, prioritized and mitigated effectively. |
| ARIA Packet Intelligence | The ARIA Cybesecurity Solutions Software-Defined Security (SDS) platform integrates with Cortex XSOAR to add robustness when responding to incidents. The combination of ARIA hardware, in the form of a Secure Intelligent Adapter (SIA), and software, specifically Packet Intelligence and SDS orchestrator (SDSo), provides the elements required to react instantly when an incident is detected. When integrated with the ARIA solution, you can create playbooks that instruct one or more SIAs to add, modify, or delete rules automatically. These rule changes, which take effect immediately, can block conversations, redirect packets to a recorder or VLAN, or perform a variety of other actions. |
| Arkime | Arkime (formerly Moloch) is a large scale, open source, indexed packet capture and search tool. |
| Armis | Use the Armis integration to search alerts and devices, tag and untag devices, and set alert statuses. |
| Armorblox | Armorblox is an API-based platform that stops targeted email attacks, protects sensitive data, and automates incident response. |
| Atlassian Confluence Cloud | Atlassian Confluence Cloud allows users to interact with confluence entities like content, space, users, and groups. Users can also manage the space permissions. |
| Atlassian Confluence Server | Atlassian Confluence Server API |
| Atlassian IAM | Integrate with Atlassian's services to execute CRUD operations for employee lifecycle processes. |
| Atlassian Jira v2 | Use the Jira integration to manage issues and create Cortex XSOAR incidents from Jira projects. From Cortex XSOAR version 6.0 and above, the integration also mirrors issues to existing issue incidents in Cortex XSOAR. |
| AttackIQ Platform | An attack simulation platform that provides validations for security controls, responses, and remediation exercises. |
| Attivo Botsink | Network-based Threat Deception for Post-Compromise Threat Detection. |
| AutoFocus Daily Feed (Deprecated) | Deprecated. No available replacement. |
| AutoFocus Feed | Use the AutoFocus Feeds integration to fetch indicators from AutoFocus. |
| AutoFocus Tags Feed | Use the AutoFocus Tags Feed integration to fetch indicators from AutoFocus Tags. |
| Automox | Administrate your IT organization from XSOAR with comprehensive commands for the Automox platform. |
| Awake Security | Network Traffic Analysis |
| AWS - AccessAnalyzer (beta) | Amazon Web Services IAM Access Analyzer |
| AWS - ACM | Amazon Web Services Certificate Manager Service (ACM) |
| AWS - CloudTrail | Amazon Web Services CloudTrail. |
| AWS - CloudWatchLogs | Amazon Web Services CloudWatch Logs (logs). |
| AWS - EC2 | Amazon Web Services Elastic Compute Cloud (EC2) |
| AWS - GuardDuty | Amazon Web Services Guard Duty Service (gd) |
| AWS - IAM (user lifecycle management) | Integrate with AWS's services to execute CRUD and Group operations for employee lifecycle processes. |
| AWS - Identity and Access Management | Amazon Web Services Identity and Access Management (IAM) |
| AWS - Lambda | Amazon Web Services Serverless Compute service (lambda) |
| AWS - Route53 | Amazon Web Services Managed Cloud DNS Service. |
| AWS - S3 | Amazon Web Services Simple Storage Service (S3) |
| AWS - Security Hub | Amazon Web Services Security Hub Service. |
| AWS - SNS | Amazon Web Services Simple Notification Service (SNS) |
| AWS - SQS | Amazon Web Services Simple Queuing Service (SQS) |
| AWS Feed | Use the AWS feed integration to fetch indicators from the feed. |
| AWS Network Firewall | AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect. Network Firewall uses rules that are compatible with Suricata, a free, open source intrusion detection system (IDS) engine. |
| AWS Sagemaker | AWS Sagemaker - Demisto Phishing Email Classifier |
| AWS Simple Notification Service (AWS SNS) | Use AWS SNS to send notifications to XSOAR. |
| Axonius | This integration is for fetching information about assets in Axonius. |
| Azure Active Directory Applications | Use the Azure Active Directory Applications integration to manage authorized applications. |
| Azure Active Directory Groups | Microsoft Graph Groups enables you to create and manage different types of groups and group functionality according to your requirements. |
| Azure Active Directory Identity And Access | Use the Azure Active Directory Identity And Access integration to manage roles and members. |
| Azure Active Directory Identity Protection (Beta) | Returns information from the Azure Active Directory Identity Protection service. |
| Azure Active Directory Users | Unified gateway to security insights - all from a unified Microsoft Graph User API. |
| Azure AD Connect Health Feed | Use the Microsoft Azure AD Connect Health Feed integration to get indicators from the feed. |
| Azure Compute v2 | Create and Manage Azure Virtual Machines |
| Azure Data Explorer | Use the Azure Data Explorer integration to collect and analyze data inside Azure Data Explorer clusters, and to manage search queries. |
| Azure Feed | Azure.CloudIPs Feed Integration. |
| Azure Firewall | Azure Firewall is a cloud-native and intelligent network firewall security service that provides breed threat protection for cloud workloads running in Azure. It's a fully stateful, firewall as a service, with built-in high availability and unrestricted cloud scalability. |
| Azure Key Vault | Use the Azure Key Vault integration to safeguard and manage cryptographic keys and secrets used by cloud applications and services. |
| Azure Kubernetes Services | Deploy and manage containerized applications with a fully managed Kubernetes service. |
| Azure Log Analytics | Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments. |
| Azure Network Security Groups | Azure network security groups are used to filter network traffic to and from Azure resources in an Azure virtual network. |
| Azure Risky Users | Azure Risky Users provides access to all at-risk users and risk detections in the Azure AD environment. |
| Azure Security Center v2 | Unified security management and advanced threat protection across hybrid cloud workloads. |
| Azure Sentinel | Use the Azure Sentinel integration to get and manage incidents and get related entity information for incidents. |
| Azure SQL Management (Beta) | Microsoft Azure SQL Management Integration manages the Auditing and Threat Policies for Azure SQL. |
| Azure Storage Container | Create and Manage Azure Storage Container services. |
| Azure Storage FileShare | Create and Manage Azure FileShare Files and Directories. |
| Azure Storage Management | Deploy and manage storage accounts and blob services. |
| Azure Storage Queue | Create and Manage Azure Storage Queues and Messages. |
| Azure Storage Table | Create and Manage Azure Storage Tables and Entities. |
| Azure Web Application Firewall | The Azure WAF (Web Application Firewall) integration provides centralized protection of your web applications from common exploits and vulnerabilities. It enables you to control policies that are configured in the Azure Firewall management platform, and allows you to add, delete, or update policies, and also to get details of a specific policy or a list of policies. |
| AzureDevOps (Beta) | Manage Git repositories in Azure DevOps Services. Integration capabilities include retrieving, creating, and updating pull requests. Run pipelines and retrieve git information. ** Note: This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve. |
| Bambenek Consulting Feed | Use the Bambenek Consulting feed integration to fetch indicators from the feed. |
| Barracuda Reputation Block List (BRBL) | This integration enables reputation checks against IPs from Barracuda Reputation Block List (BRBL) |
| Bastille Networks | RF monitoring for wireless intrusion detection and policy enforcement. Visit https://www.bastille.net for details. |
| BeyondTrust Password Safe | Unified password and session management for seamless accountability and control over privileged accounts. |
| BigFix | IBM BigFix Patch provides an automated, simplified patching process that is administered from a single console. |
| BitcoinAbuse Feed | BitcoinAbuse.com is a public database of bitcoin addresses used by hackers and criminals. |
| BitDam | BitDam secure email gateway protects from advanced content-borne threats with the most accurate prevention of known and unknown threats, at their source. |
| BitSight for Security Performance Management | Use the "BitSight for Security Performance Management" Integration to get company guid, details, and findings. This integration also allows to fetch the findings by using the fetch incidents capability. |
| Blocklist_de Feed | Use the Blocklist.de feed integration to fetch indicators from the feed. |
| Bluecat Address Manager | Use the BlueCat Address Manager integration to enrich IP addresses and manage response policies. |
| Blueliv ThreatCompass | Blueliv ThreatCompass systematically looks for information about companies,products, people, brands, logos, assets, technology and other information, depending on your needs. Blueliv ThreatCompass allows you to monitor and track all this information to keep your data, your organization and its employees safe |
| Blueliv ThreatContext | The Threat Context module provides SOC, Incident Response, and Threat Intelligence teams with continuously updated and intuitive information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs. |
| BMC Discovery | BMC Discovery is a SaaS-based, cloud-native discovery and dependency modeling system that provides instant visibility into hardware, software, and service dependencies across multi-cloud, hybrid, and on-premises environments. |
| BMC Helix Remedyforce | BMC Helix Remedyforce integration enables customers to create/update service requests and incidents, update statuses, and resolve service requests and incidents with customer notes. This integration exposes standard ticketing capabilities that can be utilized as part of automation & orchestration. |
| BMC Remedy AR | BMC Remedy AR System is a professional development environment that leverages the recommendations of the IT Infrastructure Library (ITIL) and provides a foundation for Business Service Management (BSM) solutions. For incident management (i.e. create, fetch, update), please refer to Remedy On-Demand integration. |
| Bonusly | The Bonusly integration is used to interact with the Bonusly platform through the API. Bonusly is an employee recognition platform which enterprises use to for employee recognition. |
| Box (Deprecated) | Deprecated. Use the Box v2 integration instead. |
| Box Event Collector | Collect events from Box's logs. |
| Box v2 | Manage Box users. |
| BruteForceBlocker Feed | BruteForceBlocker is a Perl script that works with pf – firewall developed by the OpenBSD team, and is also available on FreeBSD from version 5.2. From BruteForceBlocker version 1.2 it is also possible to report blocked IP addresses to the project site and share your information with other users. |
| C2sec irisk | Understand Your Cyber Exposure as Easy as a Google Search |
| Cado Response | Automate data collection. Process data at cloud speed. Analyze with purpose. |
| Camlytics | You can use this integration to automate different Camlytics surveillance analysis actions. |
| Carbon Black Endpoint Standard v2 | Endpoint Standard is an industry-leading next-generation antivirus (NGAV) and behavioral endpoint detection and response (EDR) solution. Endpoint Standard is delivered through the Carbon Black Cloud, an endpoint protection platform that consolidates security in the cloud using a single agent, console and data set. |
| Carbon Black Live Response Cloud | VMware Carbon Black Endpoint Standard Live Response is a feature that enables security operators to collect information and take action on remote endpoints in real time. These actions include the ability to upload, download, and remove files, retrieve and remove registry entries, dump contents of physical memory, and execute and terminate processes. |
| Censys v2 | Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the internet. Driven by internet-wide scanning, Censys lets researchers find specific hosts and create aggregate reports on how devices, and certificates are configured and deployed. |
| Centreon | IT & Network Monitoring |
| Centrify Vault | Leverage the Centrify Vault integration to create and manage Secrets. |
| Check Point Firewall (Deprecated) | Deprecated. Use the Check Point Firewall v2 integration instead. Manage Check Point firewall via API |
| CheckPhish | Check any URL to detect supsicious behavior. |
| CheckPoint Firewall v2 | Use this integration to read information and send commands to the Check Point Firewall server. |
| Cherwell | Cloud-based IT service management solution |
| Chronicle | Use the Chronicle integration to retrieve Asset alerts or IOC Domain matches as Incidents. Use it to fetch a list of infected assets based on the indicator accessed. This integration also provides reputation and threat enrichment of indicators observed in the enterprise. |
| CimTrak - System Integrity Assurance | The CimTrak integration helps you detect unexpected system/device/config modifications and automatically respond/react to threats |
| CIRCL | CIRCL Passive DNS is a database storing historical DNS records from various resources. CIRCL Passive SSL is a database storing historical X.509 certificates seen per IP address. The Passive SSL historical data is indexed per IP address. |
| CircleCI | Gets the details of the CircleCI workflows; including the details of the last runs and the jobs, and retrieves the artifacts of the jobs. |
| CIRCLEHashlookup | CIRCL hash lookup is a public API to lookup hash values against known database of files. NSRL RDS database is included and many others are also included. The API is accessible via HTTP ReST API and the API is also described as an OpenAPI. The service is free and served as a best-effort basis. |
| Cisco ASA | Use the Cisco Adaptive Security Appliance Software integration to manage interfaces, rules, and network objects. |
| Cisco Email Security (beta) | Cisco Email Security is an email security gateway . It detects and blocks a wide variety of email-borne threats, such as malware, spam and phishing. |
| Cisco Email Security Appliance (IronPort) | Cisco Email Security protects against ransomware, business email compromise, spoofing, and phishing |
| Cisco Firepower | Use the Cisco Firepower integration for unified management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection. |
| Cisco ISE | Next-generation secure network access. |
| Cisco Meraki | Cloud controlled WiFi, routing, and security. |
| Cisco Secure Cloud Analytics (Stealthwatch Cloud) | Protect your cloud assets and private network |
| Cisco Secure Malware Analytics Feed | Secure Malware Analytics (formerly Threat Grid) combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware. |
| Cisco Secure Network Analytics (Stealthwatch) | Scalable visibility and security analytics. |
| Cisco Threat Grid | Query and upload samples to Cisco threat grid. |
| Cisco Umbrella Cloud Security | Adds domains to Umbrella block list |
| Cisco Umbrella Enforcement | Add and remove domains in Cisco OpenDNS. |
| Cisco Umbrella Investigate | Cisco Umbrella Investigate |
| CiscoWSA | Cisco WSA |
| Clarizen IAM | IAM integration for Clarizen. Handles user account auto-provisioning to Clarizen. |
| Claroty | Use the Claroty CTD integration to manage assets and alerts. |
| Cloaken | Unshorten URLs onsite using the power of a Tor proxy server to prevent leaking IP addresses to adversaries. |
| CloudConvert | Use the CloudConvert integration to convert your files to the desired format. |
| Cloudflare Feed | Use the Cloudflare feed integration to fetch indicators from the feed. |
| Cloudflare WAF | Cloudflare WAF integration allows customers to manage firewall rules, filters, and IP-lists. It also allows to retrieve zones list for each account. |
| CloudShare (Beta) | Cloudshare integration. |
| CloudShark | Use the CloudShark integration to upload, share, and collaborate on network packet capture files using your on-premises CS Enterprise system. |
| Code42 | Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments. |
| Cofense Feed | Use the Cofense Feed Integration to fetch indicators from the feed. |
| Cofense Intelligence (Deprecated) | Deprecated. Use Cofense Intelligence v2 instead. Use the Cofense Intelligence integration to check the reputation of URLs, IP addresses, file hashes, and email addresses. |
| Cofense Intelligence v2 | Use the Cofense Intelligence integration to check the reputation of domains, URLs, IP addresses, file hashes, and email addresses. |
| Cofense Triage (Deprecated) | Deprecated. Use the Cofense Triage v2 integration instead. |
| Cofense Triage v2 | Use the Cofense Triage integration to ingest reported phishing indicators. |
| Cofense Triage v3 | The integration uses the Cofense Triage v2 API that allows users to ingest phishing reports as incident alerts and execute commands such as threat indicators, reporters, categorize reports, and more. |
| Cognni | Autonomous detection and investigation of information security incidents and other potential threats. |
| CohesityHelios | Integrate with Cohesity Helios services to fetch alerts and take remedial action. |
| Confluera | This is the confluera Iq-Hub integration with cortex. |
| Coralogix | Fetch incidents, search for supporting data and tag interesting datapoints in/from your Coralogix account |
| Cortex Data Lake | Palo Alto Networks Cortex Data Lake provides cloud-based, centralized log storage and aggregation for your organization on premise, virtual (private cloud and public cloud) firewalls, for Prisma Access, and for cloud-delivered services such as Cortex XDR. |
| Cortex XDR - IOC | Use the Cortex XDR - IOCs feed integration to sync indicators from Cortex XSOAR to Cortex XDR and back to Cortex XSOAR. Cortex XDR is the world's first detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks. |
| Cortex XDR - XQL Query Engine | Cortex XDR - XQL Query Engine enables you to run XQL queries on your data sources. |
| Cortex Xpanse | The Xpanse integration for Cortex XSOAR leverages the Expander API to create incidents from Xpanse issues. It also leverages Xpanse's unparalleled view of the Internet to enrich IPs, domains and certificates using information from assets discovered by Xpanse Expander and risky flows detected by Xpanse Behavior. |
| CounterCraft Deception Director | CounterCraft Deception Solution detects advanced adversaries. Automate counterintelligence campaigns to discover targeted attacks with real-time active response. |
| CounterTack | CounterTack empowers endpoint security teams to assure endpoint protection for Identifying Cyber Threats. Integrating a predictive endpoint protection platform |
| Covalence For Security Providers | Triggers by any alert from endpoint, cloud, and network security monitoring, with mitigation steps where applicable. Query Covalence for more detail. |
| Covalence Managed Security | Triggers by triaged alerts from endpoint, cloud, and network security monitoring. Contains event details and easy-to-follow mitigation steps. |
| Create Test Incidents | CreateIncidents fetches custom incidents that are created manually. |
| CrowdStrike Falcon | The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment. |
| CrowdStrike Falcon Intel (Deprecated) | Deprecated. Use CrowdStrike Falcon Intel v2 integration instead. |
| CrowdStrike Falcon Intel Feed Actors | The CrowdStrike intelligence team tracks the activities of threat actor groups and advanced persistent threats (APTs) to understand as much as possible about their known aliases, targets, methods, and more. This integration retrieves indicators from the CrowdStrike Falcon Intel Feed. |
| CrowdStrike Falcon Intel v2 | CrowdStrike Threat intelligence service integration helps organizations defend themselves against adversary activity by investigating incidents, and accelerating alert triage and response. |
| CrowdStrike Falcon Sandbox (Deprecated) | Deprecated. Use CrowdStrike Falcon Sandbox V2 instead. |
| CrowdStrike Falcon Sandbox v2 | Fully automated malware analysis (Hybrid Analysis). |
| CrowdStrike Falcon Streaming v2 | Use the CrowdStrike Falcon Stream v2 integration to stream detections and audit security events. |
| CrowdStrike Falcon X | Use the CrowdStrike Falcon X integration to submit files, file hashes, URLs, and FTPs for sandbox analysis, and to retrieve reports. |
| CrowdStrike Indicator Feed | Retrieves indicators from the CrowdStrike Falcon Intel Feed. |
| CrowdStrike Malquery | Use the MalQuery Integration to query the contents of clean and malicious binary files, which forms part of Falcon's search engine. |
| CrowdStrike OpenAPI (Beta) | Use the CrowdStrike OpenAPI integration to interact with CrowdStrike APIs that do not have dedicated integrations in Cortex XSOAR, for example, CrowdStrike FalconX, etc. |
| Cryptocurrency | Cryptocurrency will help classify Cryptocurrency indicators with the configured score when ingested. |
| Cryptosim | CRYPTOSIM gets correlations and correlation's alerts. Integration fetchs alerts to incident according to instance. |
| CSV Feed | Fetch indicators from a CSV feed. |
| CTIX v3 | This is Cyware Threat Intelligence eXhange(CTIX) integration which enriches IP/Domain/URL/File Data. |
| Cuckoo Sandbox | Malware dynamic analysis sandboxing |
| CustomIndicatorDemo | This is a demo integration that demonstrates the usage of the CustomIndicator helper class. |
| CVE Search v2 | Searches for CVE information using circl.lu. |
| Cyber Triage | Allows you to conduct a mini-forensic investigation on an endpoint. It pushes a collection tool to the remote endpoint, collects volatile and file system data, and analyzes the data. |
| CyberArk AIM (Deprecated) | Deprecated. Use the CyberArk AIM v2 integration instead. |
| CyberArk AIM v2 | The CyberArk Application Identity Manager (AIM) provides a secure safe in which to store your account credentials. Use this integration to retrieve the account credentials in CyberArk AIM. |
| CyberArk Identity Event Collector | This integration collects events from the Idaptive Next-Gen Access (INGA) using REST APIs. |
| CyberArk PAS | Use the CyberArk Privileged Access Security (PAS) solution to manage users, safes, vaults, and accounts from Cortex XSOAR. |
| CyberChef | CyberChef is a web-application developed by GCHQ that's been called the “Cyber Swiss Army Knife”. |
| Cybereason | Endpoint detection and response to manage and query malops, connections and processes. |
| Cyberint | Cyberint provides intelligence-driven digital risk protection. This integration will help your enterprise effectively consume actionable cyber alerts to increase your security posture. |
| Cyberpion | The Cyberpion integration allows you to seamlessly receive all your Cyberpion security solution Action Items and supportive information to your Cortex XSOAR. |
| Cybersixgill Actionable Alerts | Cybersixgill automatically collects intelligence in real-time on all items that appear in the underground sources which we monitor. By using various rules and machine learning models, Cybersixgill automatically correlates these intelligence items with pre defined organization assets, and automatically alerts users in real time of any relevant intelligence items. |
| Cybersixgill DVE Enrichment | By enriching CVEs with the DVE Score, Cortex XSOAR customers gain deeper visibility with relevant threat intel from the deep and dark web with dynamic attributes such as where they are trending, POC exploit details, and more. Loaded with extra-context, this allows users to accurately understand the real impact of CVEs to effectively prioritize critical vulnerabilities. |
| Cybersixgill DVE Feed Threat Intelligence (Deprecated) | Leverage the power of Sixgill to supercharge Cortex XSOAR with real-time Threat Intelligence indicators. Get CVE Feed straight into the XSOAR platform. |
| Cybersixgill DVE Feed Threat Intelligence v2 | The Cybersixgill Dynamic Vulnerability Exploit (DVE) Score is based on the most comprehensive collection of vulnerability-related threat intelligence and is the only solution that provides users total context and predicts the immediate risks of a vulnerability based on threat actors’ intent. Cortex XSOAR users can track threats stemming from CVEs that most others define as irrelevant and have a higher probability of being exploited via their Cortex XSOAR dashboard. |
| CyberTotal | CyberTotal is a cloud-based threat intelligence service developed by CyCraft. |
| Cyble Events | Cyble Events for Vision Users. Must have Vision API access to use the threat intelligence. |
| Cyble Threat Intel | Cyble Threat Intelligence for Vision Users. Must have access to Vision Taxii feed to access the threat intelligence. |
| Cyjax Feed | The feed allows customers to pull indicators of compromise from cyber incidents (IP addresses, URLs, domains, CVE and file hashes) |
| Cylance Protect v2 | Manage Endpoints using Cylance protect |
| Cymptom | Cymptom is a Breach and Attack Simulation solution that revolutionizes the existing approach by transforming attack simulation into a data analysis question. Cymptom agentless scanning brings real-time always-on visibility into the entire security posture. |
| Cymulate | Multi-Vector Cyber Attack, Breach and Attack Simulation |
| Cymulate v2 | Multi-Vector Cyber Attack, Breach and Attack Simulation. |
| Cyren Inbox Security | Cyren Inbox Security is an innovative solution that safeguards Office 365 mailboxes in your organization against evasive phishing, business email compromise (BEC), and fraud. This integration imports incidents from Cyren Inbox Security into XSOAR, and includes a playbook for incident resolution. |
| Cyren Threat InDepth Threat Intelligence Feed | Threat InDepth's actionable and contextualized intelligence helps enterprises improve their threat detection and response by providing unprecedented visibility into new email-borne security threats faster than other security vendors. |
| Cyware Threat Intelligence eXchange | This is Cyware Threat Intelligence eXhange(CTIX) integration which enriches IP/Domain/URL/File Data. |
| Darktrace | Rapid detection of malicious behavior can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate and manage security events before they have time to escalate. |
| DB2 | Integration to provide connectivity to IBM DB2 using the python ibm_db2 library. |
| Deep Instinct | The Deep Learning cybersecurity platform, for zero time prevention. |
| DeepInstinct v3 | Deep Instinct is a prevention-first approach to stopping ransomware and other malware using the world's first purpose-built, deep learning cybersecurity framework. |
| DeepL | This integration uses DeepL (https://www.deepl.com/) to translate text or files |
| DeHashed | This integration allows you to check if your personal information such as your email, username, or password is being compromised. |
| Dell Secureworks | Provides access to the Secureworks CTP ticketing system |
| Demisto Lock | Locking mechanism that prevents concurrent execution of different tasks |
| Demisto REST API | Use Demisto REST APIs |
| Devo (Deprecated) | Deprecated. Use the Devo v2 integration instead. |
| Devo v2 | Use the Devo v2 integration to query Devo for alerts, lookup tables, and to write to lookup tables. |
| DHS Feed | The Cybersecurity and Infrastructure Security Agency’s (CISA’s) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators, at machine speed, to the Federal Government community. |
| Digital Defense FrontlineVM | Use the Digital Defense FrontlineVM to identify and evaluate the security and business risks of network devices and applications deployed as premise, cloud, or hybrid network-based implementations. |
| Digital Guardian | Use Digital Guardian Integration to fetch incidents and to programmatically add or remove entries from watchlists and component lists. |
| Digital Shadows | Digital Shadows monitors and manages an organization's digital risk across the widest range of data sources within the open, deep, and dark web. |
| DNSOverHttps | Query dns names over https from Cloudflare or Google |
| dnstwist | Use the DNSTwist integration to detect typosquatting, phishing, and corporate espionage. |
| Docker Engine API | The Engine API is an HTTP API served by Docker Engine. It is the API the Docker client uses to communicate with the Engine, so everything the Docker client can do can be done with the API. |
| DomainTools | Domain name, DNS and Internet OSINT-based cyber threat intelligence and cybercrime forensics products and data |
| DomainTools Iris | A threat intelligence and investigation platform for domain names, IP addresses, email addresses, name servers and so on. |
| Dragos Worldview | Custom integration designed to pull in reports from the Dragos Worldview API as incidents |
| Dropbox Event Collector | Collect events from Dropbox's logs. |
| Druva Ransomware Response | Druva Ransomware Response Integration provides ransomware protection for endpoints, SaaS applications and data center workloads for Druva Ransomware Recovery customers. |
| DShield Feed | This integration fetches a list that summarizes the top 20 attacking class C (/24) subnets over the last three days from Dshield. |
| Duo | DUO authentication service. |
| Duo Event Collector | Collects Auth and Audit events for Duo using the API. |
| EasyVista | EasyVista Service Manager manages the entire process of designing, managing and delivering IT services. |
| EclecticIQ Platform | Threat Intelligence Platform that connects and interprets intelligence data from open sources, commercial suppliers and industry partnerships. |
| Edgescan | Cloud-based continuous vulnerability management and penetration testing solution. |
| Elasticsearch Feed | Fetches indicators stored in an Elasticsearch database. |
| Elasticsearch v2 | Search for and analyze data in real time. Supports version 6 and later. |
| EmailRep.io | Provides email address reputation and reports. |
| Endace | The EndaceProbe Analytics Platform provides 100% accurate, continuous packet capture on network links up to 100Gbps, with unparalleled depth of storage and retrieval performance. Coupled with the Endace InvestigationManager, this provides a central search and data-mining capability across a fabric of EndaceProbes deployed in a network. This integration uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager and enables integration of full historical packet capture into security automation workflows. |
| Envoy IAM | Integrate with Envoy Identity Access Management services to execute CRUD operations to employee lifecycle processes. |
| EWS Extension Online Powershell v2 | Use the EWS Extension Online Powershell v2 integration to get information about mailboxes and users in your organization. This integration can also retrieve and modify Tenant Allow/Block Lists. |
| EWS Mail Sender | Exchange Web Services mail sender. Note: this integration supports Office 365 basic authentication only. If you are using Office 365, we recommend using the EWS O365 Integration instead, which supports modern authentication (oauth2). |
| EWS O365 | The new EWS O365 integration uses OAuth 2.0 protocol and can be used with Exchange Online and Office 365 (mail). |
| EWS v2 | Exchange Web Services and Office 365 (mail) |
| Exabeam | The Exabeam Security Management Platform provides end-to-end detection, User Event Behavioral Analytics, and SOAR. |
| ExceedLMS IAM | Integrate with Exceed LMS Identity Access Management services to execute CRUD operations to employee lifecycle processes. |
| Exchange 2016 Compliance Search | Exchange Server 2016 Compliance Search enables you to search for and delete an email message from all mailboxes in your organization. |
| Expanse (Deprecated) | Deprecated. Use the Expanse v2 integration instead. The Expanse App for Demisto leverages the Expander API to retrieve network exposures and risky flows to create incidents in Demisto. This application also allows for IP, Domain, Certificate, Behavior, and Exposure enrichment, retrieving assets and exposures information drawn from Expanse’s unparalleled view of the Internet. |
| Expanse Expander Feed | Use this feed to retrieve the discovered IPs/Domains/Certificates from Expanse Expander asset database. |
| Export Indicators Service (Deprecated) | Deprecated. Use the Generic Export Indicators Service integration instead. Use the Export Indicators Service integration to provide an endpoint with a list of indicators as a service for the system indicators. |
| ExtraHop Reveal(x) v2 | Network detection and response. Complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response. |
| F5 Application Security Manager (WAF) | Manages F5 firewall |
| F5 firewall | Manages F5 firewall rules |
| F5 LTM | Manages F5 LTM |
| F5 Silverline | F5 Silverline Threat Intelligence is a cloud-based service incorporating external IP reputation and reducing threat-based communications. By identifying IP addresses and security categories associated with malicious activity, this managed service integrates dynamic lists of threatening IP addresses with the Silverline cloud-based platform, adding context-based security to policy decisions. |
| FalconHost (Deprecated) | Deprecated. Use the CrowdStrike Falcon integration instead. |
| Farsight DNSDB | Query Farsight DNSDB service |
| Farsight DNSDB v2 | Farsight Security DNSDB DNSDB is a Passive DNS (pDNS) historical database that provides a unique, fact-based, multifaceted view of the configuration of the global Internet infrastructure DNSDB leverages the richness of Farsight’s Security Information Exchange (SIE) data-sharing platform and is engineered and operated by leading DNS experts. |
| Fastly Feed | Use Fastly Feed to get assigned CIDRs and add them to your firewall's allowlist in order to enable using Fastly's services. |
| Feodo Tracker IP Blocklist Feed | Gets a list of bad IPs from Feodo Tracker. |
| Fidelis EDR | Use the Fidelis Endpoint integration for advanced endpoint detection and response (EDR) across Windows, Mac and Linux OSes for faster threat remediation. |
| Fidelis Elevate Network | Automate Detection and Response to Network Threats and data leakage in your organization with Fidelis Elevate Network Integration. |
| FileOrbis | Manage FileOrbis operations. |
| FireEye (AX Series) | Perform malware dynamic analysis |
| FireEye Central Management | FireEye Central Management (CM Series) is the FireEye threat intelligence hub. It services the FireEye ecosystem, ensuring that FireEye products share the latest intelligence and correlate across attack vectors to detect and prevent cyber attacks |
| FireEye Detection on Demand | FireEye Detection On Demand is a threat detection service delivered as an API for integration into the SOC workflow, SIEM analytics, data repositories, or web applications, etc. It delivers flexible file and content analysis to identify malicious behavior wherever the enterprise needs it. |
| FireEye Email Security | FireEye Email Security (EX) series protects against breaches caused by advanced email attacks. |
| FireEye Endpoint Security (HX) v2 | FireEye Endpoint Security is an integrated solution that detects and protects endpoints against known and unknown threats. This integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. You can extract critical data and effectively operate the security operations automated playbook. |
| FireEye ETP | FireEye Email Threat Prevention (ETP Cloud) is a cloud-based platform that protects against advanced email attacks. |
| FireEye Feed | FireEye Intelligence Feed Integration. |
| FireEye Helix | FireEye Helix is a security operations platform. FireEye Helix integrates security tools and augments them with next-generation SIEM, orchestration and threat intelligence tools such as alert management, search, analysis, investigations and reporting. |
| FireEye HX | FireEye Endpoint Security is an integrated solution that detects what others miss and protects endpoint against known and unknown threats. The HX Demisto integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. Customers can extract critical data and effectively operate security operations automated playbook |
| FireEye NX | FireEye Network Security is an effective cyber threat protection solution that helps organizations minimize the risk of costly breaches by accurately detecting and immediately stopping advanced, targeted, and other evasive attacks hiding in internet traffic. |
| Flashpoint | Use the Flashpoint integration to reduce business risk. Flashpoint allows users to ingest alerts and compromised credentials as incident alerts and executes commands such as search intelligence report, ip, url, get events, and more. |
| Flashpoint Feed | Flashpoint Feed Integration allows importing indicators of compromise that occur in the context of an event on the Flashpoint platform which contains finished intelligence reports data, data from illicit forums, marketplaces, chat services, blogs, paste sites, technical data, card shops, and vulnerabilities. The indicators of compromise are ingested as indicators on the Cortex XSOAR and displayed in the War Room using a command. |
| Forcepoint | Advanced threat protection with added local management controls. |
| Forescout CounterACT | Unified device visibility and control platform for IT and OT Security. |
| Forescout EyeInspect | Delivers flexible and scalable OT/ICS asset visibility. |
| FortiAuthenticator | This integration allows you to manage the user configuration on FortiAuthenticator. |
| FortiGate | Manage FortiGate Firewall |
| FortiManager | FortiManager is a single console central management system that manages Fortinet devices. |
| FortiSandbox | FortiSandbox integration is used to submit files to FortiSandbox for malware analysis and retrieving the report of the analysis. It can also provide file rating based on hashes for already scanned files. |
| FortiSIEM | Search and update events of FortiSIEM and manage resource lists. |
| FortiSIEM v2 | Use FortiSIEM v2 to fetch and update incidents, search events and manage watchlists of FortiSIEM. |
| FraudWatch | Manage incidents via the Fraudwatch API. FraudWatch International provides a fully managed Enterprise Digital Brand Protection Suite, including online brand management & monitoring, as well as providing other brand protection solutions that protect organizations and their customers around the world against online brand-related abuse. |
| Freshdesk | The Freshdesk integration allows you to create, update, and delete tickets; reply to and create notes for tickets as well as view Groups, Agents and Contacts. |
| G Suite Admin | G Suite or Google Workspace Admin is an integration to perform an action on IT infrastructure, create users, update settings, and more administrative tasks. |
| G Suite Auditor | G Suite Auditor is an integration that receives Audit logs from G Suite's different applications - admin, drive, calender, and more. |
| G Suite Security Alert Center | G Suite Security Alert Center allows users to fetch different alert types such as Suspicious login, Device compromised, Leaked password, and more. Users can delete or recover a single alert or a batch of alerts and retrieve the alert's metadata. This integration allows users to provide feedback for alerts and fetch existing feedback for a particular alert. |
| Gamma | Query and update violations in Gamma |
| GCP Whitelist Feed (Deprecated) | Deprecated. Use the Google IP Ranges Feed integration instead. |
| GCP-IAM | Manage identity and access control for Google Cloud Platform resources. |
| Generic Export Indicators Service | Use the Generic Export Indicators Service integration to provide an endpoint with a list of indicators as a service for the system indicators. |
| Generic SQL | Use the Generic SQL integration to run SQL queries on the following databases: MySQL, PostgreSQL, Microsoft SQL Server, and Oracle. |
| Generic Webhook | The Generic Webhook integration is used to create incidents on event triggers. The trigger can be any query posted to the integration. |
| Genians | Use the Genian NAC integration to block IP addresses using the assign tag. |
| GitHub | Integration to GitHub API |
| Github Event Collector | Github logs event collector integration for XSIAM. |
| GitHub IAM | Integrate with GitHub services to perform Identity Lifecycle Management operations. |
| GitLab | An integration with GitLab. |
| GitLab Event Collector | |
| GLPI | GLPI open source ITSM solution |
| Gmail | Gmail API and user management (This integration replaces the Gmail functionality in the GoogleApps API and G Suite integration). |
| Gmail Single User | Gmail API using OAuth 2.0. |
| Google BigQuery | Integration for Google BigQuery, a data warehouse for querying and analyzing large databases. In all commands, for any argument not specified, the BigQuery default value for that argument will be applied. |
| Google Calendar | Google Calendar is a time-management and scheduling calendar service developed by Google. This integration helps you to perform various tasks on the access control list (ACL). |
| Google Cloud Compute | Google Compute Engine delivers virtual machines running in Google's innovative data centers and worldwide fiber network. Compute Engine's tooling and workflow support enable scaling from single instances to global, load-balanced cloud computing. |
| Google Cloud Functions | Google Cloud Functions is an event-driven serverless compute platform that enables you to run your code locally or in the cloud without having to provision servers. |
| Google Cloud Pub/Sub | Google Cloud Pub/Sub is a fully-managed real-time messaging service that enables you to send and receive messages between independent applications. |
| Google Cloud SCC | Security Command Center is a security and risk management platform for Google Cloud. Security Command Center enables you to understand your security and data attack surface by providing asset inventory and discovery, identifying vulnerabilities and threats, and helping you mitigate and remediate risks across an organization. This integration helps you to perform tasks related to findings and assets. |
| Google Cloud Storage | Google Cloud Storage is a RESTful online file storage web service for storing and accessing data on Google Cloud Platform infrastructure. |
| Google Cloud Translate | A Google API cloud based translation service. |
| Google Docs | Use the Google Docs integration to create and modify Google Docs documents. |
| Google Drive | Google Drive allows users to store files on their servers, synchronize files across devices, and share files. This integration helps you to create a new drive, query past activity, and view change logs performed by the users. |
| Google IP Ranges Feed | Use the Google IP Ranges integration to get GCP and Google global IP ranges. |
| Google Key Management Service | Use the Google Key Management Service API for CryptoKey management and encrypt/decrypt functionality. |
| Google Kubernetes Engine | The Google Kubernetes Engine integration is used for building and managing container based applications in Google Cloud Platform (GCP), powered by the open source Kubernetes technology. |
| Google Maps | Use the Google Maps API. |
| Google Resource Manager | Google Cloud Platform Resource Manager |
| Google Safe Browsing (Deprecated) | Deprecated. Use Google Safe Browsing v2 instead. |
| Google Safe Browsing v2 | Search Safe Browsing, The Safe Browsing APIs (v4) let your client applications check URLs against Google's constantly updated lists of unsafe web resources. |
| Google Sheets | Google Sheets is a spreadsheet program that is part of the free web-based Google applications to create and format spreadsheets. Use this integration to create and modify spreadsheets. |
| Google Vault | Archiving and eDiscovery for G Suite. |
| Google Vision AI | Image processing with Google Vision API |
| GoogleApps API and G Suite | Send messages and notifications to your Mattermost Team. |
| Gophish | Gophish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing. For Free |
| Grafana | Grafana alerting service. |
| GraphQL | The Generic GraphQL client can interact with any GraphQL server API. |
| Graylog | Integration with Graylog to search for logs and events |
| GreatHorn | The only cloud-native security platform that stops targeted social engineering and phishing attacks on cloud email platforms like Office 365 and G Suite. |
| GreyNoise | GreyNoise is a cybersecurity platform that collects and analyzes Internet-wide scan and attack traffic. With this integration, users can contextualize existing alerts, filter false-positives, identify compromised devices, and track emerging threats. |
| GreyNoise Community | GreyNoise is a cybersecurity platform that collects and analyzes Internet-wide scan and attack traffic. With this integration, users can contextualize existing alerts, filter false-positives, identify compromised devices, and track emerging threats. This Integration is design specifically for GreyNoise Community users and only provides the subset of intel available via the GreyNoise Community API. |
| Group-IB THF Polygon | THF Polygon is a Malware Detonation & Research platform designed for deep dynamic analysis and enhanced indicators extraction. THF Polygon analyzes submitted files and urls and extracts deep IOCs that appear when malicious code is triggered and executed. Polygon could be used either for application-level tasks (like smtp-based mail filtering) and analytical purposes (files/urls analysis for verdict, report and indicators). |
| Group-IB Threat Intelligence & Attribution | Pack helps to integrate Group-IB Threat Intelligence & Attribution and get incidents directly into Cortex XSOAR. The list of included collections: Compromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware. |
| Group-IB Threat Intelligence & Attribution Feed | Use Group-IB Threat Intelligence & Attribution Feed integration to fetch IOCs from various Group-IB collections. |
| GRR | Use GRR Rapid Response framework |
| GuardiCore | Data center breach detection |
| GuardiCore v2 | GuardiCore v2 Integration enables you to get information about incidents and endpoints (assets) via the GuardiCore API. |
| Gurucul-GRA | Gurucul Risk Analytics (GRA) is a Unified Security and Risk Analytics platform. |
| HackerOne | HackerOne integration allows users to fetch reports by using the fetch incidents capability. It also provides commands to retrieve all the reports and programs. |
| Hackuity | From a war-room, query your Hackuity cockpit in order to seamlessly retrieve information related to your vulnerability stock. |
| HarfangLab EDR | HarfangLab EDR Connector, Compatible version 2.13.7+ |
| HashiCorp Vault | Manage Secrets and Protect Sensitive Data through HashiCorp Vault |
| Have I Been Pwned? v2 | Uses the Have I Been Pwned? service to check whether email addresses, domains, or usernames were compromised in previous breaches. |
| HelloWorld | This is the Hello World integration for getting started. |
| HelloWorld Feed | This is the Feed Hello World integration for getting started with your feed integration. |
| HelloWorldPremium | This is the Hello World Premium integration for getting started |
| HostIo | Use the HostIo integration to enrich domains using the Host.io API. |
| HPE Aruba ClearPass | Aruba ClearPass Policy Manager provides role and device-based network access control for employees, contractors, and guests across any multi-vendor wired, wireless, and VPN infrastructure. |
| Humio | Integration with Humio |
| HYAS Insight | Use the HYAS Insight integration to interactively lookup PassiveDNS, DynamicDNS, WHOIS, Malware and C2 Attribution Information – either as playbook tasks or through API calls in the War Room. |
| HYAS Protect | Use the HYAS Protect integration to get the verdict information for FQDN, IP Address and NameServer – either as playbook tasks or through API calls in the War Room. |
| Hybrid Analysis | Fully automated malware analysis with unique Hybrid Analysis. |
| IBM QRadar (Deprecated) | Deprecated. Use IBM QRadar v2 or IBM QRadar v3 instead. |
| IBM QRadar v2 (Deprecated) | Deprecated. Use the IBM QRadar v3 integration instead. Fetch offenses from QRadar using Cortex XSOAR. Supports API versions until 10.0. You can fetch the offenses with their related events and assets by creating a comma-separated list of event fields. |
| IBM QRadar v3 | IBM QRadar SIEM helps security teams accurately detect and prioritize threats across the enterprise, supports API versions 10.1 and above. Provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents. |
| IBM Resilient Systems | Case management that enables visibility across your tools for continual IR improvement. |
| IBM X-Force Exchange v2 | IBM X-Force Exchange lets you receive threat intelligence about applications, IP addresses, URls and hashes |
| Icebrg | Reduces risk by accelerating threat detection, triage, and response to rapidly-evolving breaches across global networks. |
| iDefense (Deprecated) | Deprecated. Use the iDefense v2 integration instead. |
| iLert | Alert and notify users using iLert |
| illuminate (Deprecated) | Deprecated. Use Analyst1 integration instead. |
| IllusiveNetworks | The Illusive Attack Management API allows customers to retrieve detected incidents with a forensics timeline, attack surface insights, collect forensics on-demand, and manage a variety of operations with regard to deceptive entities, deception policies, and more. |
| Image OCR | Extracts text from images. |
| Imperva WAF | Use the Imperva WAF integration to manage IP groups and web security policies in Imperva WAF. |
| Indeni | Indeni is a turn-key automated monitoring providing visibility for security infrastructure. Indeni's production-ready Knowledge is curated from vetted, community-sourced experience, to deliver automation of tedious tasks with integration with your existing processes. |
| Indicators detection | The Cortex Core - IOCs integration uses the Cortex API for detection and response, by natively integrating network, endpoint, and cloud data to stop sophisticated attacks. |
| Infinipoint | Use the Infinipoint integration to retrieve security and policy incompliance events, vulnerabilities or incidents. Investigate and respond to events in real-time. |
| InfoArmor VigilanteATI | VigilanteATI redefines Advanced Threat Intelligence. InfoArmor's VigilanteATI platform and cyber threat services act as an extension of your IT security team. |
| Infoblox | Infoblox enables you to receive metadata about IPs in your network and manages the DNS Firewall by configuring RPZs. It defines RPZ rules to block DNS resolution for malicious or unauthorized hostnames, or redirect clients to a walled garden by substituting responses. |
| Infocyte | Infocyte can pivot off incidents to automate triage, validate events with forensic data and enabling dynamic response actions against any or all host using both agentless or agented endpoint access. |
| Intel471 Actors Feed (Deprecated) | Deprecated. To be replaced by use case centric functionality. No available replacement. |
| Intel471 Malware Feed (Deprecated) | Deprecated. Use Intel471 Malware Indicator Feed instead. |
| Intel471 Malware Indicator Feed | "Intel471's Malware Intelligence is focused on the provisioning of a high fidelity and timely indicators feed with rich context, TTP information, and malware intelligence reports. This feed allows customers to block and gain an understanding of the latest crimeware campaigns and is for those that value timeliness, confidence (little to no false positives), and seek rich context and insight around the attacks they are seeing." |
| Intel471 Watcher Alerts | 'Intel 471's watcher alerts provide a mechanism by which customers can be notified in a timely manner of Titan content that is most relevant to them.' |
| Intezer v2 | Malware detection and analysis based on code reuse |
| IntSights | Use IntSights to manage and mitigate threats. |
| Investigation & Response | The Cortex Core IR integration uses the Cortex API for detection and response, by natively integrating network, endpoint, and cloud data to stop sophisticated attacks. |
| IP-API | This integration will enrich IP addresses from IP-API with data about the geolocation, as well as a determination of the IP address being associated with a mobile device, hosting or proxy. Revers DNS is also returned. This service is available for free (with a throttle) - or paid. |
| ipinfo (Deprecated) | Deprecated. Use IPinfo v2 instead. Use the ipinfo.io API to get data about an IP address |
| IPinfo v2 | Use the IPinfo.io API to get data about an IP address. |
| IPQualityScore | Proactively Prevent Fraud |
| ipstack | One of the leading IP to geolocation APIs and global IP database services. |
| IronDefense | The IronDefense Integration for Cortex XSOAR allows users to interact with IronDefense alerts within Cortex XSOAR. The Integration provides the ability to rate alerts, update alert statuses, add comments to alerts, to report observed bad activity, get alerts, get events, and get IronDome information. |
| Ironscales | IRONSCALES, a self-learning email security platform integration |
| Ivanti Heat | Use the Ivanti Heat integration to manage issues and create Cortex XSOAR incidents from Ivanti Heat. |
| Ja3er | Query the ja3er API for MD5 hashes of JA3 fingerprints. |
| JAMF v2 | Enterprise Mobility Management (EMM) for Apple devices (Mac, iPhone, Apple TV, iPad). Can be used to control various configurations via different policies, install and uninstall applications, lock devices, smart groups searches, and more. |
| JARM | Active TLS fingerprinting using JARM |
| Jask (Deprecated) | Deprecated. Use Sumo Logic Cloud SIEM instead. Freeing the analyst with autonomous decisions. |
| Jira Event Collector | Jira logs event collector integration for Cortex XSIAM. |
| Joe Security | Sandbox Cloud |
| JSON Feed | Fetches indicators from a JSON feed. |
| JSON Sample Incident Generator | A utility for testing incident fetching with mock JSON data. |
| JsonWhoIs | Provides data enrichment for domains and IP addresses. |
| JWT | JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. This Integration can be used to Generate New JWT Tokens, Encode and Decode Existing Ones. |
| Kafka v2 (Deprecated) | Deprecated. Use the Kafka v3 integration instead. The Open source distributed streaming platform. |
| Kafka v3 | Kafka is an open source distributed streaming platform. |
| Kaspersky Security Center (Beta) | Manages endpoints and groups through the Kaspersky Security Center. |
| Kenna v2 | Use the Kenna v2 integration to search and update vulnerabilities, schedule a run connector, and manage tags and attributes. |
| Lacework | Lacework provides end-to-end cloud security automation for AWS, Azure, and GCP with a comprehensive view of risks across cloud workloads and containers. |
| Lansweeper | The Lansweeper integration allows users to retrieve the asset details. |
| Lastline v2 | Use the Lastline v2 integration to provide threat analysts and incident response teams with the advanced malware isolation and inspection environment needed to safely execute advanced malware samples, and understand their behavior. |
| LGTM | An Integration with LGTM API |
| LINENotify | LINE API Integration is used for sending a message to LINE Group. |
| Linkshadow | Fetch Network Anomalies data from LinkShadow and execute the remediation Actions. |
| Linux | Agentlesss Linux host management over SSH |
| Lockpath KeyLight v2 | Use the LockPath KeyLight integration to manage GRC tickets in the Keylight platform. |
| LogPoint SIEM Integration | Use this Content Pack to search logs, fetch incident logs from LogPoint, analyze them for underlying threats, and respond to these threats in real-time. |
| LogRhythm (Deprecated) | Deprecated. Use the LogRhythmRest v2 integration instead. |
| LogRhythmRest | LogRhythm security intelligence. |
| LogRhythmRest v2 | LogRhythm security intelligence. |
| LogsignSiem | Logsign SIEM provides to collect and store unlimited data, investigate and detect threats, and respond automatically. |
| Logz.io | Fetch & remediate security incidents identified by Logz.io Cloud SIEM |
| Looker | Use the Looker integration to query an explore, save queries as looks, run looks, and fetch look results as incidents. |
| Luminar IOCs & leaked credentials | This connector allows integration of intelligence-based IOC data and customer-related leaked records identified by Luminar. |
| MAC Vendors | Query MAC Vendors for vendor names when providing a MAC address. MAC Vendors maintains a list of vendors provided directly from the IEEE Standards Association and is updated multiple times each day. The IEEE is the registration authority and provides data on over 16,500 registered vendors. |
| Mail Listener v2 | Listens to a mailbox and enables incident triggering via e-mail. |
| Mail Sender (New) | Send emails implemented in Python with embedded image support |
| Majestic Million Feed | Free search and download of the top million websites. |
| Maltiverse | Use the Maltiverse integration to analyze suspicious hashes, URLs, domains and IP addresses. |
| MalwareBazaar | MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the Infosec community, AV vendors, and threat intelligence providers. |
| MalwareBazaar Feed | Use the MalwareBazaar Feed integration to get the list of malware samples added to MalwareBazaar within the last 60 minutes. |
| Malwarebytes | Scan and Remediate threats on endpoints in the Malwarebytes cloud. |
| Malwation AIMA | Malwation AIMA malware analysis sandboxing. |
| ManageEngine PAM360 | Integration to fetch passwords from the PAM360 repository, and to manage accounts, resources, and privileged credentials. |
| Mandiant Advantage Feed | Retrieves indicators from the Mandiant Advantage Feed. |
| Mandiant Automated Defense (Formerly Respond Software) | Use the Mandiant Automated Defense integration to fetch and update incidents from Mandiant Automated Defense. Mandiant Automated Defense fetches open incidents and updates them every minute. Changes made within XSOAR are reflected in Mandiant Automated Defense platform with bi-directional mirroring capabilities enabled. |
| Mattermost | Send messages and notifications to your Mattermost Team. |
| MaxMind GeoIP2 | Enriches IP addresses |
| McAfee Active Response | Connect to MAR using its DXL client |
| McAfee Advanced Threat Defense | Integrated advanced threat detection: Enhancing protection from network edge to endpoint |
| McAfee DAM | McAfee Database Activity Monitoring |
| McAfee DXL | McAfee DXL client |
| McAfee ePO (Deprecated) | Deprecated. Use McAfee ePO v2 instead. |
| McAfee ePO v2 | McAfee ePolicy Orchestrator |
| McAfee ESM v10 and v11 (Deprecated) | Deprecated. Use the McAfee ESM v2 integration instead. |
| McAfee ESM v2 | This integration runs queries and receives alarms from McAfee Enterprise Security Manager (ESM). Supports version 10 and above. |
| McAfee NSM | McAfee Network Security Manager |
| McAfee Threat Intelligence Exchange | Connect to McAfee TIE using the McAfee DXL client. |
| Micro Focus Service Manager | Service Manager By Micro Focus (Formerly HPE Software). |
| MicroFocus SMAX | Fetch SMAX cases and automate differen SMAX case management actions |
| Microsoft 365 Defender | Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. |
| Microsoft 365 Defender Event Collector | Microsoft 365 Defender Event Collector integration. |
| Microsoft Advanced Threat Analytics | Use Microsoft Advanced Threat Analytics integration to manage suspicious activities, monitoring alerts and entities. |
| Microsoft Cloud App Security | Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services. Use the integration to view and resolve alerts, view activities, view files, and view user accounts. |
| Microsoft Defender for Cloud Apps Event Collector | Collects the events log for alerts and activities provided Microsoft Defender for Cloud Apps API. |
| Microsoft Defender for Endpoint | Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection (ATP)) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. |
| Microsoft Endpoint Configuration Manager | The Microsoft Endpoint Configuration Manager provides the overall Configuration Management (CM) infrastructure and environment to the product development team (formerly known as SCCM). |
| Microsoft Endpoint Manager (Intune) | Microsoft Intune is a Microsoft cloud-based management solution that provides for mobile device and operating system management. |
| Microsoft Graph API | Use the Microsoft Graph API integration to interact with Microsoft APIs that do not have dedicated integrations in Cortex XSOAR, for example, Mail Single-User, etc. |
| Microsoft Graph Security | Unified gateway to security insights - all from a unified Microsoft Graph Security API. |
| Microsoft Intune Feed | Use the Microsoft Intune Feed integration to get indicators from the feed. |
| Microsoft Management Activity API (O365 Azure Events) | The Microsoft Management Activity API integration enables you to subscribe or unsubscribe to different audits, receive their content, and fetch new content as incidents. |
| Microsoft Policy And Compliance (Audit Log) | Use the integration to get logs from the O365 service. |
| Microsoft Teams | Send messages and notifications to your team members. |
| Microsoft Teams Management | Manage teams and members in Microsoft Teams. |
| Mimecast v2 | Mimecast unified email management offers cloud email services for email security, continuity and archiving emails. Please read detailed instructions in order to understand how to set the integration's parameters. |
| Minerva Labs Anti-Evasion Platform | Minerva eliminates the endpoint security gap while empowering companies to embrace technology fearlessly. |
| MinIO | An Integration with MinIO Object Storage |
| MISP Feed | Indicators feed from MISP |
| MISP v2 (Deprecated) | Deprecated. Use the MISP v3 integration instead. |
| MISP v3 | Malware information sharing platform and threat sharing. |
| MITRE ATT&CK Feed (Deprecated) | Deprecated. Use MITRE ATT&CK Feed v2 instead. |
| MITRE ATT&CK Feed v2 | Use the MITRE ATT&CK® feed to fetch MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) content. MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. |
| mnemonic MDR - Argus Managed Defence | Rapidly detect, analyse and respond to security threats with mnemonic’s leading Managed Detection and Response (MDR) service. |
| MobileIronCLOUD | MobileIron Cloud Integration |
| MobileIronCORE | MobileIron CORE Integration |
| Moloch (Deprecated) | Deprecated. Use Arkime instead. |
| MongoDB | Use the MongoDB integration to search and query entries in your MongoDB. |
| MongoDB Key Value Store | Manipulates key/value pairs according to an incident utilizing the MongoDB collection. |
| MongoDB Log | Writes log data to a MongoDB collection. |
| MS-ISAC | This API queries alerts and alert data from the MS-ISAC API to enrich and query alerts from the platform |
| National Vulnerability Database | CVE feed from the National Vulnerability Database |
| Ncurion | This is the Ncurion integration for getting started. |
| Netcraft | An integration for Netcraft, allowing you to open and handle takedown requests. |
| Netscout Arbor Edge Defense | Use the Netscout Arbor Edge Defense integration to detect and stop both inbound threats and outbound malicious communication from compromised internal devices. |
| Netscout Arbor Sightline (Peakflow) | DDoS protection and network visibility. |
| Netskope (API v1) | Get alerts and events, manage quarantine files as well as URL and hash lists using Netskope API v1. |
| Netskope (API v2) | Block URLs, domains and file hashes. |
| Netskope (Deprecated) | Cloud access security broker that enables to find, understand, and secure cloud apps. Deprecated. Use Netskope (API v1) instead. |
| Nexthink | Nexthink helps IT teams deliver on the promise of the modern digital workplace. Nexthink is the only solution to provide enterprises with a way to visualize, act and engage across the entire IT ecosystem to lower IT cost and improve digital employee experience. |
| nmap | Run nmap scans with the given parameters |
| Nozomi Networks | The Nozomi Networks Guardian platform is a hardware or virtual appliance that is used to monitor OT/IoT/IT networks. It combines asset discovery, network visualization, vulnerability assessment, risk monitoring and threat detection in a single solution. This integration is used to gather alerts and assets information from Nozomi. |
| NTT Cyber Threat Sensor | Retrieve alerts and recommendations from NTT CTS |
| NucleonCyberFeed | This is the NucleonCyber Feed integration |
| Nutanix Hypervisor | Nutanix Hypervisor abstracts and isolates the VMs and their programs from the underlying server hardware, enabling a more efficient use of physical resources, simpler maintenance and operations, and reduced costs. |
| O365 - EWS - Extension | This integration enables you to manage and interact with Microsoft O365 - Exchange Online from within XSOAR. |
| O365 - Security And Compliance - Content Search | This integration allows you to manage and interact with Microsoft security and compliance content search. |
| O365 Defender SafeLinks | Provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations. |
| O365 Defender SafeLinks - Single User | Enables URL scanning, rewriting inbound email messages in the mail flow, time-of-click URL verification, and links in email messages and other locations. |
| O365 File Management (Onedrive/Sharepoint/Teams) | Use the O365 File Management (Onedrive/Sharepoint/Teams) integration to enable your app to get authorized access to files in OneDrive, SharePoint, and MS Teams across your entire organization. This integration requires admin consent. |
| O365 Outlook Calendar | O365 Outlook Calendar enables you to create and manage different calendars and events according to your requirements. |
| O365 Outlook Mail (Using Graph API) | Microsoft Graph lets your app get authorized access to a user's Outlook mail data in a personal or organization account. |
| O365 Outlook Mail Single User (Using Graph API) | Microsoft Graph grants Cortex XSOAR authorized access to a user's Microsoft Outlook mail data in a personal account or organization account. |
| Office 365 Feed | The Office 365 IP Address and URL web service is a read-only API provided by Microsoft to expose the URLs and IPs used by Office 365. The Office 365 Feed integration fetches indicators from the service, with which you can create a list (allow list, block list, EDL, etc.) for your SIEM or firewall service to ingest and apply to its policy rules. |
| okta (Deprecated) | Deprecated. Use the Okta v2 integration instead. |
| Okta Event Collector | Collects the events log for authentication and Audit provided by Okta admin API. |
| Okta IAM | Integrate with Okta's Identity Access Management service to execute CRUD operations to employee lifecycle processes. |
| Okta v2 | Integration with Okta's cloud-based identity management service. |
| OpenCTI | Manages indicators from OpenCTI. Compatible with OpenCTI 4.X API version. |
| OpenCTI Feed 3.X | Ingest indicators from the OpenCTI feed. Compatible with OpenCTI 3.X API version. |
| OpenCTI Feed 4.X | Ingest indicators from the OpenCTI feed. Compatible with OpenCTI 4.X API version. |
| OpenLDAP | Authenticate using OpenLDAP. |
| OpenPhish v2 | OpenPhish uses proprietary Artificial Intelligence algorithms to automatically identify zero-day phishing sites and provide comprehensive, actionable, real-time threat intelligence. |
| OPNSense | Manage OPNsense Firewall. For more information see OPNsense documentation. OPNsense is an open source, easy-to-use and easy-to-build HardenedBSD based firewall and routing platform. |
| OpsGenie (Deprecated) | Deprecated. Use the OpsGenie v3 integration instead |
| Opsgenie v2 | Integration with Atlassian OpsGenie V2 |
| OpsGenie v3 | Integration with Atlassian OpsGenie. OpsGenie is a cloud-based service that enables operations teams to manage alerts generated by monitoring tools to ensure the right people are notified, and the problems are addressed in a timely manner. |
| Oracle IAM | Integrate with Oracle's services to execute CRUD and Group operations for employee lifecycle processes. |
| Orca | Agentless, Workload-Deep, Context-Aware Security and Compliance for AWS, Azure, and GCP. |
| OSV | OSV (Open Source Vulnerability) is a vulnerability database for open source projects. For each vulnerability, it perform bisects to figure out the exact commit that introduces the bug, as well the exact commit that fixes it. This is cross referenced against upstream repositories to figure out the affected tags and commit ranges |
| OTRS | Service management suite that comprises ticketing, workflow automation, and notification. |
| Packetsled | Packetsled Network Security API commands |
| PagerDuty v2 | Alert and notify users using PagerDuty |
| Palo Alto AutoFocus (Deprecated) | Deprecated. Use the Palo Alto Networks AutoFocus v2 integration instead. Palo Alto Networks AutoFocus enables you to distinguish the most important threats from everyday commodity attacks. |
| Palo Alto Networks - Prisma Cloud Compute | Use the Prisma Cloud Compute integration to fetch incidents from your Prisma Cloud Compute environment. |
| Palo Alto Networks AutoFocus v2 | Use the Palo Alto Networks AutoFocus integration to distinguish the most important threats from everyday commodity attacks. |
| Palo Alto Networks Automatic SLR | Allow XSOAR to automatically generate Security Lifecycle Review's (SLR's) |
| Palo Alto Networks BPA | Palo Alto Networks Best Practice Assessment (BPA) analyzes NGFW and Panorama configurations and compares them to the best practices. |
| Palo Alto Networks Cortex (Deprecated) | Deprecated. We recommend using the Cortex Data Lake integration instead. This framework manages all PA's cloud managed products |
| Palo Alto Networks Cortex XDR - Investigation and Response | Cortex XDR is the world's first detection and response app that natively integrates network, endpoint, and cloud data to stop sophisticated attacks. |
| Palo Alto Networks Enterprise DLP | Palo Alto Networks Enterprise DLP discovers and protects company data across every data channel and repository. Integrated Enterprise DLP enables data protection and compliance everywhere without complexity. |
| Palo Alto Networks IoT | This is the Palo Alto Networks IoT integration (previously Zingbox). |
| Palo Alto Networks IoT 3rd Party | Base Integration for Palo Alto IoT third party integrations. This integration communicates with Palo Alto IoT Cloud to get alerts, vulnerabilities and devices. |
| Palo Alto Networks MineMeld (Deprecated) | Deprecated. MineMeld streamlines the aggregation, enforcement and sharing of threat intelligence. |
| Palo Alto Networks PAN-OS | Manage Palo Alto Networks Firewall and Panorama. For more information see Panorama documentation. |
| Palo Alto Networks PAN-OS EDL Management (Deprecated) | Deprecated. Use the Generic Export Indicators Service integration instead. This integration is still supported however, for customers with over 1000 Firewalls. |
| Palo Alto Networks Security Advisories (Beta) | Queries the public repository of PAN-OS CVEs. |
| Palo Alto Networks Threat Vault (Deprecated) | Deprecated. No available replacement. |
| Palo Alto Networks Traps (Deprecated) | Deprecated. Use CortexXDR instead. |
| Palo Alto Networks WildFire Reports | Generates a Palo Alto Networks WildFire PDF report. For internal use with the TIM Sample Analysis feature. |
| Palo Alto Networks WildFire v2 | Perform malware dynamic analysis |
| PAN-OS Policy Optimizer | Automate your AppID Adoption by using this integration together with your Palo Alto Networks Next-Generation Firewall or Panorama. |
| PassiveTotal v2 | Analyze and understand threat infrastructure from a variety of sources-passive DNS, active DNS, WHOIS, SSL certificates and more-without devoting resources to time-intensive manual threat research and analysis. |
| Penfield | The penfield-get-assignee command takes in necessary context data, and returns the analyst that Penfield believes the incident should be assigned to based on Penfield's models of skill and process. The test command verfies that the endpoint is reachable. |
| Pentera | Automate remediation actions based on Pentera, the Automated Security Validation Platform, proactively exposing high-risk vulnerabilities |
| PerceptionPoint | Loads incidents from Perception Point and releases falsely quarantined emails. |
| Perch | Perch is a co-managed threat detection and response platform. |
| Phish.AI (Deprecated) | Deprecated. Vendor has declared end of life for this integration. No available replacement. |
| PhishER | KnowBE4 PhishER integration allows to pull events from PhishER system and do mutations |
| PhishLabs IOC | Get indicators of compromise from PhishLabs. |
| PhishLabs IOC DRP | Retrieves Digital Risk cases Protection from PhishLabs. |
| PhishLabs IOC EIR | Get Email Incident Reports from PhishLabs |
| PhishTank v2 | PhishTank is a free community site where anyone can submit, verify, track, and share phishing data. |
| PhishUp | PhishUp prevents phishing attacks, protects your staff and your brand with AI |
| Picus Security | Run commands on Picus and automate security validation with playbooks. |
| PiHole | Pi-hole is a network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network. |
| PingCastle | This integration will run a server that will listen for PingCastle XML reports. |
| PingOne | Integrates with the PingOne Management API to unlock, create, delete and update users. |
| Plain Text Feed | Fetches indicators from a plain text feed. |
| PolySwarm | Real-time threat intelligence from a crowd-sourced network of security experts and antivirus companies. |
| Popular News | Popular News integration fetches from three sources of news - Threatpost, The Hacker News and Krebs on Security. It outputs the title, links of the news articles and other metadata as a markdown table. The integration commands can either fetch the news from one source or all sources at a time. |
| Postmark Spamcheck | Postmark's spam API, Spamcheck, is a RESTfull interface to the Spam filter tool SpamAssassin. |
| PowerShell Remoting (Beta) | PowerShell Remoting is a comprehensive built-in remoting subsystem that is a part of Microsoft's native Windows management framework (WMF) and Windows remote management (WinRM). This feature allows you to handle most remoting tasks in any configuration you might encounter by creating a remote PowerShell session to Windows hosts and executing commands in the created session. The integration includes out-of-the-box commands which supports agentless forensics for remote hosts. |
| Preempt | Preempt Behavioral Firewall - Detection and enforcement based on user identity |
| Prisma Access | Integrate with Prisma Access to monitor the status of the Service, alert and take actions. |
| Prisma Access Egress IP feed | Dynamically retrieve and add to allow list IPs Prisma Access uses to egress traffic to the internet and SaaS apps. |
| Prisma Cloud (RedLock) | Cloud threat defense |
| PrismaCloud IAM | The Prisma Cloud IAM API consists of a set of API endpoints that allow customers to perform CRUD operation on their user profiles. |
| Proofpoint Feed | Detailed feed of domains and ips classified in different categories. You need a valid authorization code from Proofpoint ET to access this feed |
| Proofpoint Protection Server (Deprecated) | Deprecated. The integration uses an unsupported scraping API. Use Proofpoint Protection Server v2 instead. |
| Proofpoint Protection Server v2 | Proofpoint email security appliance. |
| Proofpoint TAP v2 | Use the Proofpoint Targeted Attack Protection (TAP) integration to protect against and provide additional visibility into phishing and other malicious email attacks. |
| Proofpoint Threat Response (Beta) | Use the Proofpoint Threat Response integration to orchestrate and automate incident response. |
| ProtectWise | Cloud based Security Network DVR |
| Public DNS Feed | A feed of known benign IPs of public DNS servers. |
| Qintel PMI | Qintel’s Patch Management Intelligence (PMI) product simplifies the vulnerability management process by providing vital context around reported Common Vulnerabilities and Exposures. With this integration, users can query PMI to surface CVEs that are known by Qintel to be leveraged by eCrime and Nation State adversaries. |
| Qintel QSentry | QSentry queries help measure the likelihood that a user is masking their identity using publicly or privately available proxy or VPN services. The returns also flag any known fraud associations. QSentry aggregates data from Qintel’s proprietary Deep and DarkWeb research, as well as from commercially available anonymization services. |
| Qintel QWatch | Qintel's QWatch system contains credentials obtained from dump sites, hacker collaboratives, and command and control infrastructures of eCrime- and APT-related malware. With this integration, users can fetch exposure alerts as incidents and discover exposed credentials associated with their organization. |
| QR Code Reader - goqr.me | Read QR Code from image file. |
| QSS | QSS integration helps you to fetch Cases from Q-SCMP and add new cases automatically through XSOAR. |
| Qualys FIM | Log and track file changes across global IT systems. |
| Qualys v2 | Qualys Vulnerability Management lets you create, run, fetch and manage reports, launch and manage vulnerability and compliance scans, and manage the host assets you want to scan for vulnerabilities and compliance. |
| Query.AI | Query.AI is a decentralized data access and analysis technology that simplifies security investigations across disparate platforms without data duplication. |
| Quest KACE Systems Management Appliance (Beta) | Use the Comprehensive Quest KACE solution to Provision, manage, secure, and service all network-connected devices. |
| RaDark | This integration enables you to fetch incidents and manage your RaDark monitor from Cortex XSOAR. |
| Rapid7 InsightIDR | Rapid7 InsightIDR is a Cloud-Based SIEM that detect and respond to security incidents. |
| Rapid7 Nexpose | Rapid7's on-premise vulnerability management solution, Nexpose, helps you reduce your threat exposure by enabling you to assess and respond to changes in your environment real time and prioritizing risk across vulnerabilities, configurations, and controls. |
| Rasterize | Converts URLs, PDF files, and emails to an image file or PDF file. |
| Recorded Future (Deprecated) | Deprecated. Use Recorded Future v2 from RecordedFuture pack instead. Unique threat intel technology that automatically serves up relevant insights in real time. |
| Recorded Future Identity | Recorded Future Identity Integration that provides access to Recorded Future Identity module data. |
| Recorded Future RiskList Feed | Ingests indicators from Recorded Future feeds into Demisto. |
| Recorded Future v2 | Unique threat intel technology that automatically serves up relevant insights in real time. |
| Red Canary | Red Canary collects endpoint data using Carbon Black Response and CrowdStrike Falcon. The collected data is standardized into a common schema which allows teams to detect, analyze and respond to security incidents. |
| Remedy On-Demand | Use Remedy On-Demand to manage tickets |
| Remote Access (Deprecated) | File transfer and execute commands via ssh, on remote machines. |
| RemoteAccess v2 | This integration transfers files between Cortex XSOAR and a remote machine and executes commands on the remote machine. |
| ReversingLabs A1000 (Deprecated) | Deprecated. Use the ReversingLabs A1000 v2 integration instead. |
| ReversingLabs A1000 v2 | ReversingLabs A1000 advanced Malware Analysis Platform. |
| ReversingLabs Ransomware and Related Tools Feed | A timely and curated threat intel list containing recent indicators extracted from ransomware and the tools used to deploy ransomware which are suitable for threat hunting or deployment to security controls. |
| ReversingLabs TitaniumCloud (Deprecated) | Deprecated. Use the ReversingLabs TitaniumCloud v2 integration instead. |
| ReversingLabs TitaniumCloud v2 | ReversingLabs TitaniumCloud provides threat analysis data from various ReversingLabs cloud services. |
| ReversingLabs TitaniumScale | ReversingLabs advanced file decomposition appliance. |
| RiskIQ Digital Footprint | The RiskIQ Digital Footprint integration enables your security team to manage assets outside your firewall. Using the integration, you can view asset details, add or update assets and analyze your digital footprint from the adversary's perspective. |
| RiskSense | RiskSense is a cloud-based platform that provides vulnerability management and prioritization to measure and control cybersecurity risk. |
| RSA Archer (Deprecated) | Deprecated. Use the RSA Archer v2 integration instead. |
| RSA Archer v2 | The RSA Archer GRC platform provides a common foundation for managing policies, controls, risks, assessments, and deficiencies across lines of business. |
| RSA NetWitness Endpoint | RSA NetWitness Endpoint provides deep visibility beyond basic endpoint security solutions by monitoring and collecting activity across all of your endpoints on and off your network. The RSA Demisto integration provides access to information about endpoints, modules and indicators. |
| RSA NetWitness Packets and Logs | RSA NetWitness Logs and Packets decoders are responsible for the real-time collection of network data. The decode captures data in real time and can normalize and reconstruct data for full session analysis. In addition, the decoder can collect flow and endpoint data. |
| RSA NetWitness Security Analytics | RSA Security Analytics, compatible with prior to v11. A distributed and modular system that enables highly flexible deployment architectures that scale with the needs of the organization. Security Analytics allows administrators to collect two types of data from the network infrastructure, packet data and log data. |
| RSA NetWitness v11.1 (Deprecated) | Deprecated. Use RSA NetWitness v11.5 instead |
| RSANetWitness v11.5 | The RSA NetWitness integration provides system log, network, and endpoint visibility for real-time collection, detection, and automated response with the Cortex XSOAR Enterprise platform. Using full session analysis, customers can extract critical data and effectively run security operations automated playbooks. |
| RSS Feed | RSS Feed reader can ingest new items as report indicators. |
| RST Cloud - Threat Feed API | This is the RST Threat Feed integration for interacting with API |
| RTIR | Request Tracker for Incident Response is a ticketing system which provides pre-configured queues and workflows designed for incident response teams. |
| Rubrik Radar | The Rubrik Radar integration will fetch the Rubrik Radar Anomaly Event and is rich with commands to perform the on-demand scans, backups, recoveries and many more features to manage and protect the organizational data. |
| Rundeck | Rundeck is a runbook automation for incident management, business continuity, and self-service operations. |- The integration enables you to install software on a list of machines or perform a task periodically. Can be used when there is a new attack and you want to perform an update of the software to block the attack. |
| SaaS Security | SaaS Security API is a cloud-based service that you can connect directly to your sanctioned SaaS applications using the cloud app’s API to provide data classification, sharing and permission visibility, and threat detection. This Content Pack provides insights into risks posed by data exposure and policy violations and enables you to use Cortex XSOAR to effectively manage the incidents discovered by SaaS Security API. |
| SaaS Security Event Collector | Palo Alto Networks SaaS Security Event Collector integration for XSIAM. |
| SafeBreach (Deprecated) | Deprecated. SafeBreach simulates attacks across the kill chain, to validate security policy, configuration, and effectiveness. Quantify the real impact of a cyber attack on your systems at any given moment. Identify remediation options. Stay ahead of attackers. |
| SafeBreach v2 | SafeBreach automatically executes thousands of breach methods from its extensive and growing Hacker’s Playbook™ to validate security control effectiveness. Simulations are automatically correlated with network, endpoint, and SIEM solutions providing data-driven SafeBreach Insights for holistic remediation to harden enterprise defenses. |
| Safewalk Management | Safewalk server integration |
| Safewalk Reports | Safewalk server integration |
| SailPoint IdentityIQ | SailPoint IdentityIQ context pack enables XSOAR customers to utilize the deep, enriched contextual data in the SailPoint predictive identity platform to better drive identity-aware security practices. |
| SailPoint IdentityNow | The SailPoint Identity Security platform can be configured either on-prem/single tenant SaaS, or multi-tenant. This package is intended to be used with the SaaS, multi-tenant solution, IdentityNow. |
| Salesforce | CRM Services |
| Salesforce Event Collector | Salesforce logs event collector integration for XSIAM. |
| Salesforce Fusion IAM | Integrate with Salesforce Fusion Identity Access Management service to execute CRUD (create, read, update, and delete) operations for employee lifecycle processes. |
| Salesforce IAM | Integrate with Salesforce's services to perform Identity Lifecycle Management operations. |
| SAML 2.0 | Authenticate your Cortex XSOAR users using SAML 2.0 authentication with your organization`s identity provider. |
| SAML 2.0 - ADFS as IdP | You can authenticate your Demisto users using SAML 2.0 authentication and ADFS as the identity provider. |
| SAML 2.0 - Okta as IdP | You can authenticate your Demisto users using SAML 2.0 authentication and Okta as the identity provider. |
| SAML 2.0 - PingOne as IdP | You can authenticate your XSOAR users using SAML 2.0 authentication and PingOne as the identity provider. |
| SAP - IAM | Integrate with SAP's services to execute CRUD operations for employee lifecycle processes. |
| SCADAfence CNM | fetching data from CNM |
| Screenshot Machine | Uses screenshot machine to get a screenshot |
| SecBI | A threat, intelligence, and investigation platform, enabled by automation of detection and investigation, including remediation and prevention policy enforcements on all integrated appliances. |
| Security Intelligence Services Feed | A PassiveTotal with Security Intelligence Services Feed provides you with newly observed Domain, Malware, Phishing, Content and Scam Blacklist with Hourly ingestion available. |
| SecurityAdvisor | Contextual coaching and awareness for end users |
| SecurityScorecard | Provides scorecards for domains. |
| SecurityTrails | This integration provides API access to the SecurityTrails platform. |
| Securonix | Use the Securonix integration to manage incidents and watchlists. |
| SendGrid | SendGrid provides a cloud-based service that assists businesses with email delivery. It allows companies to track email opens, unsubscribes, bounces, and spam reports. Our SendGrid pack utilize these SendGrid use cases to help you send and manage your emails. |
| SentinelOne v2 | Use the SentinelOne integration to send requests to your management server and get responses with data pulled from agents or from the management database. |
| Sepio | Get Agent, Switches and Events from your Sepio Prime |
| Server Message Block (SMB) (Deprecated) | Deprecated. Use the Server Message Block (SMB) v2 integration instead. |
| Server Message Block (SMB) v2 | Files and Directories management with an SMB server. Supports SMB2 and SMB3 protocols. |
| Service Desk Plus | Use this integration to manage on-premises and cloud Service Desk Plus requests. The integration allows you to create, update, and delete requests, assign groups and technicians to requests, and link/unlink requests and modify their resolution. |
| Service Desk Plus (On-Premise) (Deprecated) | Deprecated. Use the Service Desk Plus instead. |
| ServiceNow (Deprecated) | Deprecated. Use the ServiceNow v2 integration instead. |
| ServiceNow CMDB | ServiceNow CMDB is a service‑centric foundation that proactively analyzes service‑impacting changes, identifies issues, and eliminates outages. |
| ServiceNow IAM | Integrate with ServiceNow's services to execute CRUD operations for employee lifecycle processes. |
| ServiceNow v2 | Use The ServiceNow IT Service Management (ITSM) solution to modernize the way you manage and deliver services to your users. |
| ShiftLeft CORE | Integrate ShiftLeft CORE code analysis platform with Cortex XSOAR. |
| Shodan v2 | A search engine used for searching Internet-connected devices |
| Signal Sciences WAF | Protect your web application using Signal Sciences. |
| Silverfort | Use the Silverfort integration to get and update Silverfort risk severity. |
| Sixgill DarkFeed Enrichment | Sixgill Darkfeed Enrichment – powered by the broadest automated collection from the deep and dark web – is the most comprehensive IOC enrichment solution on the market. By enriching Palo Alto Networks Cortex XSOAR IOCs with Darkfeed, customers gain unparalleled context and essential explanations in order to accelerate their incident prevention and response and stay ahead of the threat curve. Automatically enrich Cortex XSOAR IOCs (machine to machine) via Darkfeed. Block threats and enrich endpoint protection in real-time from the Cortex XSOAR dashboard, gain contextual and actionable insights with essential explanations of Cortex XSOAR IOCs. |
| Sixgill DarkFeed Threat Intelligence | Leverage the power of Sixgill to supercharge Cortex XSOAR with real-time Threat Intelligence indicators. Get IOCs such as domains, URLs, hashes, and IP addresses straight into the XSOAR platform. |
| Skyformation (Deprecated) | Deprecated. Vendor has declared end of life for this integration. No available replacement. |
| Slack Event Collector | Slack logs event collector integration for XSIAM. |
| Slack IAM | Integrate with Slack's services to execute CRUD operations for employee lifecycle processes. |
| Slack v2 | Send messages and notifications to your Slack team. |
| Slack v3 | Send messages and notifications to your Slack team. |
| SlashNext Phishing Incident Response | SlashNext Phishing Incident Response integration allows Cortex XSOAR users to fully automate analysis of suspicious URLs. For example, IR teams responsible for abuse inbox management can extract links or domains out of suspicious emails and automatically analyze them with the SlashNext SEER threat detection cloud to get definitive, binary verdicts (malicious or benign) along with IOCs, screen shots, and more. Automating URL analysis can save IR teams hundreds of hours versus manually triaging these emails or checking URLs and domains against less accurate phishing databases and domain reputation services. |
| SMIME Messaging | Use the S/MIME (Secure Multipurpose Internet Mail Extensions) integration to send and receive secure MIME data. |
| Smokescreen IllusionBLACK | Smokescreen IllusionBLACK is a deception-based threat defense platform designed to accurately and efficiently detect targeted threats including reconnaissance, lateral movement, malware-less attacks, social engineering, Man-in-the-Middle attacks, and ransomware in real-time. |
| SNDBOX (Deprecated) | Deprecated. No available replacement. |
| Snowflake | Analytic data warehouse provided as Software-as-a-Service. |
| SOCRadar Incidents | Fetches SOCRadar incidents with desired parameters so that relevant actions over the incidents can be taken by using Cortex XSOAR. |
| SOCRadar Threat Feed | Retrieve indicators provided by collections via SOCRadar Threat Intelligence Feeds. |
| SOCRadar ThreatFusion | Enrich indicators by obtaining enhanced information and reputation via ThreatFusion of SOCRadar. |
| SolarWinds | The SolarWinds integration interacts with the SWIS API to allow you to fetch alerts and events. It also provides commands to retrieve lists of alerts and events. |
| Sophos Central | The unified console for managing Sophos products. |
| Sophos Firewall | On-premise firewall by Sophos enables you to manage your firewall, respond to threats, and monitor what’s happening on your network. |
| Spamcop | SpamCop is an email spam reporting service, integration allow checking the reputation of an IP address |
| Spamhaus Feed | Use the Spamhaus feed integration to fetch indicators from the feed. |
| SplunkPy | Runs queries on Splunk servers. |
| SplunkPy Prerelease (Beta) | Runs queries on Splunk servers. |
| SpyCloud | With the SpyCloud integration data from breaches can be pulled and further processed in Playbooks. Filtering parameters can be used to filter the data set |
| Sumo Logic Cloud SIEM | Freeing the analyst with autonomous decisions |
| SumoLogic | Cloud-based service for logs & metrics management |
| Symantec Advanced Threat Protection | Advanced protection capabilities from Symantec |
| Symantec Blue Coat Content and Malware Analysis (Beta) | Symantec Blue Coat Content and Malware Analysis integration. |
| Symantec Data Loss Prevention (Deprecated) | Deprecated. Use the Symantec Data Loss Prevention V2 integration instead. Symantec Data Loss Prevention enables you to discover, monitor and protect your sensitive corporate information. |
| Symantec Data Loss Prevention v2 | Symantec Data Loss Prevention version 15.7 enables you to discover, monitor and protect your sensitive corporate information. |
| Symantec Endpoint Protection v2 | Query the Symantec Endpoint Protection Manager using the official REST API. |
| Symantec Managed Security Services | Leverage the power of Symantec Managed Security Services for continual threat monitoring and customized guidance 24x7 |
| Symantec Management Center | Symantec Management Center provides a unified management environment for the Symantec Security Platform portfolio of products. |
| Symantec Messaging Gateway | Symantec Messaging Gateway protects against spam, malware, targeted attacks and provides advanced content filtering, data loss prevention, and email encryption. |
| Synapse | Synapse intelligence analysis platform. |
| SysAid | SysAid is a robust IT management system designed to meet all of the needs of an IT department. |
| Syslog (Deprecated) | Syslog events logger. Automatically convert incoming logs to incidents. |
| Syslog Sender | Use the Syslog Sender integration to send messages and mirror incident War Room entries to Syslog. |
| Syslog v2 | A Syslog server enables automatically opening incidents from Syslog clients. This integration supports filtering logs to convert to incidents, or alternatively converting all logs. |
| TaegisXDR | For integration with the Secureworks Taegis XDR platform |
| Talos Feed | Use the Talos Feed integration to get indicators from the feed. |
| Tanium | Tanium endpoint security and systems management |
| Tanium Threat Response | Use the Tanium Threat Response integration to manage endpoints processes, evidence, alerts, files, snapshots, and connections. This Integration works with Tanium Threat Response version below 3.0.159. In order to use Tanium Threat Response version 3.0.159 and above, use Tanium Threat Response V2 Integration. |
| Tanium Threat Response v2 | Use the Tanium Threat Response integration to manage endpoint processes, evidence, alerts, files, snapshots, and connections. This integration works with Tanium Threat Response version 3.0.159 and above. |
| Tanium v2 | Tanium endpoint security and systems management, filters out [current results unavailable] when returning question results |
| TAXII 2 Feed | Ingests indicator feeds from TAXII 2.0 and 2.1 servers. |
| TAXII Feed | Ingests indicator feeds from TAXII 1.x servers. |
| TAXII Server | This integration provides TAXII Services for system indicators (Outbound feed). |
| TAXII2 Server | This integration provides TAXII2 Services for system indicators (Outbound feed). |
| Tenable.io | A comprehensive asset-centric solution to accurately track resources while accommodating dynamic assets such as cloud, mobile devices, containers, and web applications. |
| Tenable.sc | With Tenable.sc (formerly SecurityCenter) you get a real-time, continuous assessment of your security posture so you can find and fix vulnerabilities faster. |
| Thales SafeNet Trusted Access | This integration enables you to process alerts from SafeNet Trusted Access (STA) indicating security risks to end user accounts, and apply security remediation actions on SafeNet Trusted Access through security orchestration playbooks. |
| TheHive Project | Integration with The Hive Project Security Incident Response Platform. |
| Thinkst Canary | By presenting itself as an apparently benign and legitimate service(s), the Canary draws the attention of unwanted activity. When someone trips one of the Canary's triggers, an alert is sent to notify the responsible parties so that action can be taken before valubale systems in your network are compromised. |
| Threat Crowd v2 | Query Threat Crowd for reports. |
| ThreatConnect (Deprecated) | Deprecated. Use the ThreatConnect v2 integration instead. |
| ThreatConnect Feed | This integration fetches indicators from ThreatConnect. |
| ThreatConnect v2 | ThreatConnect's intelligence-driven security operations solution with intelligence, automation, analytics, and workflows. |
| ThreatExchange (Deprecated) | Deprecated. Use the ThreatExchange v2 integration instead. |
| ThreatExchange v2 | Receive threat intelligence about applications, IP addresses, URLs, and hashes. A service by Facebook. |
| ThreatMiner | Data Mining for Threat Intelligence |
| ThreatQ v2 | A threat intelligence platform that collects and interprets intelligence data from open sources and manages indicator scoring, types, and attributes. |
| ThreatX | The ThreatX integration allows automated enforcement and intel gathering actions. |
| Thycotic | Secret Server is the only fully featured Privileged Account Management (PAM) solution available both on premise and in the cloud. It empowers security and IT ops teams to secure and manage all types of privileged accounts and offers the fastest time to value of any PAM solution. |
| ThycoticDSV | Manage credentials for applications, databases, CI/CD tools, and services without causing friction in the development process. |
| Tidy | Tidy integration handle endpoints enviorment installation. |
| TitaniamProtect | TitaniamProtect protects incidents data inside the Cortex XSOAR platform. |
| TOPdesk | TOPdesk’s Enterprise Service Management software (ESM) lets your service teams join forces and process requests from a single platform. |
| Trello | Interact with the Trello task manager |
| Trend Micro Apex One | Trend Micro Apex One central automation to manage agents and User-Defined Suspicious Objects |
| Trend Micro Cloud App Security | Use Trend Micro Cloud App Security integration to protect against ransomware, phishing, malware, and unauthorized transmission of sensitive data for cloud applications, such as Microsoft 365, Box, Dropbox, Google G Suite and Salesforce. |
| Trend Micro Deep Security | Cloud Security Protection |
| Trend Micro Vision One | Trend Micro Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers—email, endpoints, servers, cloud workloads, and networks—Trend Micro Vision One prevents the majority of attacks with automated protection. |
| Tripwire | Tripwire is a file integrity management (FIM), FIM monitors files and folders on systems and is triggered when they have changed. |
| TruSTAR (Deprecated) | Deprecated. Use the TruSTAR v2 integration instead. |
| TruSTAR v2 | TruSTAR is an Intelligence Management Platform that helps you operationalize data across tools and teams, helping you prioritize investigations and accelerate incident response. |
| Trustwave Secure Email Gateway | Trustwave SEG is a secure messaging solution that protects businesses and users from email-borne threats, including phishing, blended threats, and spam. Trustwave Secure Email Gateway also delivers improved policy enforcement and data leakage prevention. |
| TrustwaveFusion | The Trustwave Fusion platform connects your organization’s digital footprint to a robust security cloud comprised of the Trustwave data lake, advanced analytics, actionable threat intelligence and a wide range of Trustwave services including Trustwave SpiderLabs , elite team of security specialists. Your team will benefit from deep visibility and the advanced security expertise necessary for protecting assets and eradicating threats as they arise. |
| Tufin | Retrieve and analyze network access controls across Tufin-managed firewalls, SDN, and public cloud to identify vulnerable access paths of an attack |
| Twinwave | TwinWave’s threat analysis platform analyzes both URLs and files to detect credential phishing and malware threats. Our platform automatically navigates complex attack chains that attackers put in front of threats in order to evade analysis. In addition to detecting threats, the TwinWave platform generates actionable intelligence for threat hunting and other activities. |
| The Twitter Integration allows users to parse Twitter for Users, Tweets, and additional info about users. Perform enhanced searches with additional search arguments. Search results are returned as a markdown table. | |
| TwitterIOCHunter Feed | Fetch the full daily feed from www.tweettioc.com/v1/tweets/daily/full |
| UBIRCH | The UBIRCH solution can be seen as an external data certification provider, as a data notary service, giving data receivers the capability to verify data they have received with regard to its authenticity and integrity and correctness of sequence. |
| Unisys Stealth | This integration is intended to aid companies in integrating with the Stealth EcoAPI service. Using the included commands, security teams can trigger dynamically isolation of users or endpoints from the rest of the Stealth network. |
| Unit 42 ATOMs Feed | Unit 42 feed of published IOCs, which contains known malicious indicators. |
| Unit 42 Intel Objects Feed | Use the Unit 42 Intel Objects Feed integration to fetch indicators from Unit 42 Intel Objects. |
| Unit42 Feed (Deprecated) | Deprecated. Use Unit42 ATOMs Feed instead. |
| Uptycs | Fetches data from the Uptycs database. |
| URLhaus | URLhaus has the goal of sharing malicious URLs that are being used for malware distribution. |
| urlscan.io | Use urlscan.io integration to perform scans on suspected URLs and see their reputation. |
| USTA | USTA is an Cyber Intelligence Platform that responds directly and effectively to today's complex cyber threats. |
| Vectra | Automated attacker behavior analytics |
| Vectra v2 | Automated attacker behavior analytics |
| Venafi | Retrieves information about certificates stored in Venafi. |
| Vertica | Analytic database management software |
| VirusTotal | VirusTotal has been updated to VirusTotal (API v3). Please use the updated version instead. Analyze suspicious hashes, URLs, domains and IP addresses. |
| VirusTotal (API v3) | Analyzes suspicious hashes, URLs, domains, and IP addresses. |
| VirusTotal - Premium (API v3) | Analyse retro hunts, read live hunt notifications and download files from VirusTotal. |
| VirusTotal - Private API | Analyze suspicious hashes, URLs, domains and IP addresses |
| VirusTotal Livehunt Feed | Use this feed integration to fetch VirusTotal Livehunt notifications as indicators. |
| VirusTotal Retrohunt Feed | Use this feed integration to fetch VirusTotal Retrohunt matches. |
| VMRay | Malware analysis sandboxing. |
| VMware | VMware vCenter server is a centralized management application that lets you manage virtual machines and ESXi hosts centrally. |
| VMware Carbon Black App Control v2 | VMware Carbon Black App Control (formerly known as Carbon Black Enterprise Protection) is a next-generation endpoint threat prevention solution to deliver a portfolio of protection policies, real-time visibility across environments, and comprehensive compliance rule sets in a single platform. This integration only supports Carbon Black on-premise APIs. |
| VMware Carbon Black EDR (Deprecated) | Deprecated. Use VMware Carbon Black EDR v2 instead. |
| VMware Carbon Black EDR (Live Response API) | Collect information and take action on remote endpoints in real time with VMware Carbon Black EDR (Live Response API) (formerly known as Carbon Black Enterprise Live Response). |
| VMware Carbon Black EDR v2 | VMware Carbon Black EDR (formerly known as Carbon Black Response) |
| VMware Carbon Black Endpoint Standard (Deprecated) | Deprecated. Use Carbon Black Endpoint Standard instead. |
| VMware Carbon Black Enterprise EDR | VMware Carbon Black Enterprise EDR (formerly known as Carbon Black ThreatHunter) is an advanced threat hunting and incident response solution delivering continuous visibility for top security operations centers (SOCs) and incident response (IR) teams. (formerly known as ThreatHunter) |
| VMware Workspace ONE UEM (AirWatch MDM) | VMware Workspace ONE UEM integration allows users to search enrolled corporate or employee-owned devices, provides detailed information about each device such as its serial number, installed OS's, pending OS updates, network details, and much more leveraging Workspace ONE UEM's (formerly AirWatch MDM) API. |
| VulnDB | Lists all of the security vulnerabilities for various products (OS,Applications) etc) |
| WhatIsMyBrowser | Parse user agents and determine if they are malicious as well as enrich information about the agent |
| Whois | Provides data enrichment for domains. |
| Windows Remote Management (Beta) | Uses the Python pywinrm library and commands to execute either a process or using Powershell scripts. |
| Wiz | Agentless cloud security. |
| Wolken ITSM | Use The Wolken IT Service Management (ITSM) solution to modernize the way you manage and deliver services to your users. |
| WootCloud | Append HyperContext™ insights to your SIEM data and feed them into your orchestration workflows. |
| Workday | Workday offers enterprise-level software solutions for financial management, human resources, and planning. |
| Workday IAM | Use the Workday IAM Integration as part of the IAM premium pack. |
| Workday IAM Event Generator (Beta) | Generates mock reports and events for Workday IAM. Use these for testing and development. |
| XM Cyber | XMCyber continuously finds attack vectors to critical assets. This integration fetches events (incidents) on changes in the overall risk score, risk to assets, or impacting attack techniques. Additionally incidents are enriched with incoming attack vectors to the incident's endpoints, and critical assets at risk form the incident. |
| xMatters | This is an integration for using xMatters. |
| XSOAR Mirroring | Facilitates mirroring of XSOAR incidents between different XSOAR tenants. |
| XSOAR Storage | Facilitates the storage and retrieval of key/value pairs within XSOAR. |
| Xsoar_Utils | This is a wrapper on top of XSOAR API. Can be used to implement commands that call the XSOAR API in the background. This is mostly to avoid constructing raw json strings while calling the demisto rest api integration. The first implemented command can be used to create an entry on any investigation; playground by default. An example use-case could be debugging a pre-process script. (Call demisto.execute_command("xsoar-create-entry",{arguments}) The idea is to use the same code to test from a local machine. python3 Xsoar_Utils.py xsoar-create-entry '{"data":"# testapi4","inv_id":"122c7bff-feae-4177-867e-37e2096cd7d9"}' Read the code to understand more. |
| Zabbix | Allow integration with Zabbix api |
| ZeroFox | Cloud-based SaaS to detect risks found on social media and digital channels. |
| ZeroTrustAnalyticsPlatform | Zero Trust Analytics Platform (ZTAP) is the underlying investigation platform and user interface for Critical Start's MDR service. |
| Zimperium | Fetch and investigate mobile security alerts, generated based on anomalous or unauthorized activities detected on a user's mobile device. |
| Zoom | Use the Zoom integration manage your Zoom users and meetings |
| Zoom Feed (Beta) | Use the Zoom Feed integration to get indicators from the feed. |
| Zoom_IAM | An Identity and Access Management integration template. |
| Zscaler Internet Access | Zscaler is a cloud security solution built for performance and flexible scalability. This integration enables you to manage URL and IP address allow lists and block lists, manage and update categories, get Sandbox reports, and manually log in, log out, and activate changes in a Zscaler session. |
Playbooks#
| Name | Description |
|---|---|
| Abuse Inbox Management Detect & Respond | When combined with ‘SlashNext Abuse Management Protection’, this playbook fully automates the identification and remediation of phishing emails found in Microsoft 365 user inboxes. Using the indicators of compromise, URL, domain, and IP, found in the original email, it searches and remediates other emails containing the same IOCs. |
| Abuse Inbox Management Protection | Analyzes the URLs, domains, and IPs in suspicious emails, reported by end users, and returns a binary verdict (malicious or benign) and forensic information including screenshot of attack page, threat name and type, threat status, and first/last seen date |
| Access Investigation - Generic | This playbook investigates an access incident by gathering user and IP information. The playbook then interacts with the user that triggered the incident to confirm whether or not they initiated the access action. |
| Access Investigation - Generic - NIST | This playbook investigates an access incident by gathering user and IP information, and handling the incident based on the stages in "Handling an incident - Computer Security Incident Handling Guide" by NIST. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf Used Sub-playbooks: - IP Enrichment - Generic v2 - Account Enrichment - Generic v2.1 - Block IP - Generic v2 - NIST - Lessons Learned |
| Access Investigation - QRadar | This playbook uses the QRadar integration to investigate an access incident by gathering user and IP information. The playbook then interacts with the user that triggered the incident to confirm whether or not they initiated the access action. |
| Accessdata: Dump memory for malicious process | Use as a sub-playbook to dump memory if given process is running on legacy AD agent |
| Account Enrichment | Deprecated. Use the "Account Enrichment - Generic v2.1" playbook instead.\ \ Enrich the accounts under the Account context key with details from relevant integrations such as AD. |
| Account Enrichment - Generic | Deprecated. Use "Account Enrichment - Generic v2.1" playbook instead.\ \ Enrich Accounts using one or more integrations |
| Account Enrichment - Generic v2 | Deprecated. Use "Account Enrichment - Generic v2.1" playbook instead.\ \ Enrich accounts using one or more integrations. Supported integrations - - Active Directory |
| Account Enrichment - Generic v2.1 | Enrich accounts using one or more integrations. Supported integrations: - Active Directory |
| Acquire And Analyze Host Forensics | This playbook enables gathering forensic data from a host and analyzing the acquired data by using the relevant forensics automations. |
| ACTI Block High Severity Indicators | Deprecated. No available replacement. |
| ACTI Block Indicators from an Incident | Deprecated. No available replacement. |
| ACTI Create Report-Indicator Associations | Deprecated. No available replacement. |
| ACTI Incident Enrichment | This playbook enriches Intelligence Alerts, Intelligence Reports, Malware Families, Threat Actors, Threat Groups & Threat Campaigns |
| ACTI Indicator Enrichment | Deprecated. No available replacement. |
| ACTI Report Enrichment | Deprecated. No available replacement. |
| ACTI Vulnerability Enrichment | Deprecated. No available replacement. |
| Active Directory - Get User Manager Details | Takes an email address or a username of a user account in Active Directory, and returns the email address of the user's manager. |
| Active Directory Investigation | Active Directory Investigation playbook provides tools and guidance to investigate changes and manipulation in Active Directory containers, ACLs, Schema, and objects. This playbook uses a 3rd party tool provided by Microsoft to scan the Active Directory access list, trees, and objects. Additional investigative information is provided for manual investigation. |
| Add Indicator to Miner - Palo Alto MineMeld | Deprecated. Add indicators to the relevant Miner using MineMeld. |
| Add Unknown Indicators To Inventory - RiskIQ Digital Footprint | Adds the unknown indicators or updates/removes the indicators identified as a known asset in the RiskIQ Digital Footprint inventory according to the user inputs for each asset. To select the indicators you want to add, go to playbook inputs, choose "from indicators" and set your query. For example reputation:None etc. The purpose of the playbook is to check if the indicators with the unknown reputation are known assets. The default playbook query is "reputation:None". In case indicators with different reputations are to be added to the inventory, the query must be edited accordingly. This playbook cannot be run in quiet mode. This playbook needs to be used with caution as it might use up the integration’s API license when running for large amounts of indicators. Supported integration: - RiskIQ Digital Footprint |
| Agari Message Remediation - Agari Phishing Defense | Investigates Agari policy events by obtaining the original message and attachments from the existing email integrations and remediates in Agari. |
| Akamai WAF - Activate Network Lists | Activates network lists in Staging or Production on Akamai WAF. The playbook finishes running when the network list is active on the requested enviorment. |
| Allow IP - Okta Zone | Sync a list of IP addresses to the Okta Network Zone with the given ID. Existing IPs in the Okta Zone which are not in the input list will be removed and the indicator will be untagged in Cortex XSOAR. IDs can be retrieved using !okta-list-zones. This playbook supports CIDR notation only (1.1.1.1/32) and not range notation (1.1.1.1-1.1.1.1) |
| Analyze URL - ReversingLabs TitaniumCloud | Get threat intelligence data for the submitted URL. Required TitaniumCloud API rights: TCA-0403 TCA-0402 |
| Anomali Enterprise Forensic Search | Initiates a Forensic Search on IOCs in Anomali Match. |
| Arcanna-Generic-Investigation | Automatically triage alert using Arcanna.Ai Machine Learning capabilities closing or assign incidents to analysts based on ML decision |
| Arcanna-Generic-Investigation-V2-With-Feedback | Alert Triage using Arcanna.Ai Machine Learning capabilities and reinforcement learning by offerring analyst feedback to incidents closed |
| Archer initiate incident | initiate Archer incident |
| Arcsight - Get events related to the Case | Get the Case's Arcsight ResourceID from the FetchID field, or the "ID" label. If neither is there, ask user for the ID. Use the resource ID to get full data for the case, the correlated/aggregate events underneath it, and all base events underneath them. |
| Armis Alert Enrichment | Enrich Armis alerts with the devices in the context details. |
| Armorblox Needs Review | This playbook sends email alerts to admins for Armorblox incidents that need review. |
| Assign Active Incidents to Next Shift V2 | This playbook reassigns Active Incidents to the current users on call. It requires shift management to be set up. The playbook can be run as a job a few minutes after the scheduled shift change time. You can update the playbook input with a different search query, if required. Will branch if there are no incidents that match the query and no users on call. Cases will not be assigned to users that defined OOO (by OutOfOffice automation). |
| ATD - Detonate File | Detonates a File using the McAfee Advanced Threat Defense sandbox. Advanced Threat Defense supports the following File Types: 32-bit Portable Executables (PE)files; 64-bit PE+files exe, sys, dll, com, scr, cpl, ocx, cgi Microsoft Office Suite documents doc,dotm, docx, dotx, xls, ppam, xlsx, pps, xlsb, ppsx, xlsm, ppsm, ppt, ppt, pptx, pptm, rtf, shs, xltm, sldm, xltx, sldx, xlam, thmx, docm, xar Just Systems Ichitaro documents jtd, jtdc Adobe pdf, swf Compressed files gz, 7z, tgz, msi, zip, lzh, cab, lzma, rar Android application package apk, Java, JAR, CLASS, Java Script, Java bin files Image files jpeg, png, gif Other file types cmd, ace, bat, arj, vbs, chm, xml, lnk, url, mof, htm, ocx, html, potm, eml, potx, msg, ps1, vb, reg, vba, wsc, vbe, wsf, vbs, wsh |
| Auto Add Assets - RiskIQ Digital Footprint | This playbook automatically adds the provided asset(s) to the RiskIQ Digital Footprint inventory according to the values provided. Use this playbook as a sub playbook and loop over each asset in the asset list in order to add multiple assets. Supported integration: - RiskIQ Digital Footprint |
| Auto Update Or Remove Assets - RiskIQ Digital Footprint | This playbook automatically updates or removes the provided asset(s) from the RiskIQ Digital Footprint inventory according to the values provided. Use this playbook as a sub playbook and loop over each asset in the asset list in order to update or remove multiple assets. Supported integration: - RiskIQ Digital Footprint |
| Autofocus Query Samples, Sessions and Tags | This playbook is used for querying the PANW threat intelligence Autofocus system. The playbook accepts indicators such as IP's, hashes, domains to run basic queries or mode advanced queries that can leverage several query parameters. In order to run the more advanced queries its recommended to use the Autofocus UI https://autofocus.paloaltonetworks.com/#/dashboard/organization to created a query and than use the export search button. The result can be used as a playbook input. The playbook supports searching both the Samples API and the sessions API. |
| AutoFocusPolling | Use this playbook as a sub-playbook to query PANW Autofocus Threat intelligence system. This sub-playbook is the same as the generic polling sub-playbook besides that it provides outputs in the playbook. The reason for that is that in Autofocus its impossible to query the results of the same query more than once so the outputs have to be in the polling context. This playbook implements polling by continuously running the command in Step #2 until the operation completes. The remote action should have the following structure: 1. Initiate the operation. 2. Poll to check if the operation completed. 3. (optional) Get the results of the operation. |
| AWS IAM - User enrichment | Enrich AWS IAM user information from AWS Identity and Access Management. - List user access keys - Get user information |
| AWS IAM User Access Investigation | Investigate and respond to Cortex XSIAM alerts where an AWS IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS environments. - Penetration testing tool attempt - Penetration testing tool activity - Suspicious API call from a Tor exit node This is a beta playbook, which lets you implement and test pre-release software. Although AWS is supported, we are working towards multi-cloud support. As the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We encourage feedback on the quality and usability of the content to help us identify and fix issues, so we can continually improve the content. |
| AWS IAM User Access Investigation - Remediation | Respond to Cortex XDR Cloud alerts where an AWS IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS environments. - Penetration testing tool attempt - Penetration testing tool activity - Suspicious API call from a Tor exit node This is a beta playbook, which lets you implement and test pre-release software. Although AWS is supported, we are working towards multi-cloud support. As the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We encourage your feedback on the quality and usability of the content to help us identify and fix issues, so we can continually improve the content. |
| Azure Log Analytics - Query From Saved Search | Executes a query from a saved search in Azure Log Analytics. |
| Block Account - Generic | This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: Active Directory PAN-OS - This requires PAN-OS 9.1 or higher. |
| Block Domain - FireEye Email Security | This playbook blocks domains using FireEye Email Security. The playbook checks whether the FireEye Email Security integration is enabled, whether the Domain input has been provided and if so, blocks the domain. |
| Block Domain - Generic | This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook: Zscaler Symantec Messaging Gateway FireEye EX Trend Micro Apex One * Proofpoint Threat Response |
| Block Domain - Proofpoint Threat Response | This playbook blocks domains using Proofpoint Threat Response. The playbook checks whether the Proofpoint Threat Response integration is enabled, whether the Domain input has been provided and if so, blocks the domain. |
| Block Domain - Symantec Messaging Gateway | This playbook blocks domains using Symantec Messaging Gateway. The playbook checks whether the Symantec Messaging Gateway integration is enabled, whether the Domain input has been provided and if so, blocks the domain. |
| Block Domain - Trend Micro Apex One | This playbook blocks domains using Trend Micro Apex One. The playbook checks whether the Trend Micro Apex One integration is enabled, whether the Domain input has been provided and if so, blocks the domain. |
| Block Domain - Zscaler | This playbook blocks domains using Zscaler. The playbook checks whether the Zscaler integration is enabled, whether the Domain input has been provided and if so, blocks the domain. |
| Block Email - Generic | This playbook will block emails at your mail relay integration. |
| Block Endpoint - Carbon Black Response | Carbon Black Response - isolate an endpoint, given a hostname. |
| Block File - Carbon Black Response | This playbook receives an MD5 hash and adds it to the block list in Carbon Black Enterprise Response. Files with that MD5 hash are blocked from execution on the managed endpoints. If the integration is disabled at the time of running, or if the hash is already on the block list, no action is taken on the MD5. |
| Block File - Cybereason | This playbook accepts an MD5 hash and blocks the file using the Cybereason integration. |
| Block File - Cylance Protect v2 | This playbook accepts a SHA256 hash and adds the hash to the Global Quarantine list using the Cylance Protect v2 integration. |
| Block File - Generic | Deprecated. Use "Block File - Generic v2" playbook instead. A generic playbook for blocking files from running on endpoints. This playbook currently supports Carbon Black Enterprise Response. |
| Block File - Generic v2 | This playbook is used to block files from running on endpoints. This playbook supports the following integrations: - Palo Alto Networks Traps - Palo Alto Networks Cortex XDR - Cybereason - Carbon Black Enterprise Response - Cylance Protect v2 |
| Block Indicators - Generic | Deprecated. We recommend using the 'Block Indicators - Generic v2' playbook instead. This playbook blocks malicious indicators using all integrations that are enabled. Supported integrations for this playbook: Active Directory Check Point Firewall Palo Alto Networks Minemeld Palo Alto Networks Panorama Zscaler Carbon Black Enterprise Response |
| Block Indicators - Generic v2 | This playbook blocks malicious Indicators using all integrations that are enabled, using the following sub-playbooks: - Block URL - Generic - Block Account - Generic - Block IP - Generic v2 - Block File - Generic v2 |
| Block IOCs from CSV - External Dynamic List | Deprecated. Use Generic Export Indicators Service instead. |
| Block IP - Generic | Deprecated. Use "Block IP - Generic v2" playbook instead. This playbook blocks malicious IPs using all integrations that you have enabled. Supported integrations for this playbook: Check Point Firewall Palo Alto Networks Minemeld Palo Alto Networks Panorama Zscaler |
| Block IP - Generic v2 | This playbook blocks malicious IPs using all integrations that are enabled. Supported integrations for this playbook: Check Point Firewall Palo Alto Networks Minemeld Palo Alto Networks PAN-OS Zscaler * FortiGate |
| Block IP - Generic v3 | This playbook blocks malicious IP addresses using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user (and set by default to outgoing) Note the following: - some of those integrations require specific parameters to run, which are based on the playbook inputs. Also, certain integrations use FW rules or appended network objects. - Note that the appended network objects should be specified in blocking rules inside the system later on. Supported integrations for this playbook [Network security products such as FW/WAF/IPs/etc.]: Check Point Firewall Palo Alto Networks PAN-OS Zscaler FortiGate Aria Packet Intelligence Cisco Firepower Cisco Secure Cloud Analytics Cisco ASA Akamai WAF F5 SilverLine ThreatX Signal Sciences WAF * Sophos Firewall |
| Block URL - Generic | This playbook blocks malicious URLs using all integrations that are enabled. Supported integrations for this playbook: Palo Alto Networks Minemeld Palo Alto Networks PAN-OS * Zscaler |
| Bonusly - AutoGratitude | AutoGratitude is a playbook to give back a positive gratitude to security engineers and developers when they successfully complete an SLA |
| Brute Force Investigation - Generic | This playbook investigates a "Brute Force" incident by gathering user and IP information, calculating the incident severity based on the gathered information and information received from the user, and performs remediation. The playbook handles the following use-cases: Brute Force IP Detected - A detection of source IPs that are exceeding a high threshold of rejected and/or invalid logins. Brute Force Increase Percentage - A detection of large increase percentages in various brute force statistics over different periods of time. * Brute Force Potentially Compromised Accounts - A detection of accounts that have shown high amount of failed logins with one successful login. Used Sub-playbooks: - IP Enrichment - Generic v2 - Account Enrichment - Generic v2.1 - Calculate Severity - Critical Assets v2 - Isolate Endpoint - Generic - Block Indicators - Generic v2 |
| Brute Force Investigation - Generic - SANS | This playbook investigates a "Brute Force" incident by gathering user and IP information, and calculating the incident severity based on the gathered information and information received from the user. It then performs remediation. This is done based on the phases for handling an incident as they are described in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 The playbook handles the following use-cases: Brute Force IP Detected - A detection of source IPs that are exceeding a high threshold of rejected and/or invalid logins. Brute Force Increase Percentage - A detection of large increase percentages in various brute force statistics over different periods of time. * Brute Force Potentially Compromised Accounts - A detection of accounts that have shown high amount of failed logins with one successful login. Used Sub-playbooks: - IP Enrichment - Generic v2 - Account Enrichment - Generic v2.1 - Calculate Severity - Critical Assets v2 - Isolate Endpoint - Generic - Block Indicators - Generic v2 - SANS - Lessons Learned ***Disclaimer: This playbook does not ensure compliance to SANS regulations. |
| Bulk Export Devices to ServiceNow - PANW IoT 3rd Party Integration | This playbook gets all available devices from PANW IoT Cloud and updates/creates endpoints with custom attributes in ServiceNow. |
| Bulk Export to Cisco ISE - PANW IoT 3rd Party Integration | This playbook gets all available device inventory from PANW IoT Cloud and updates/create endpoints with custom attributes on Cisco ISE. |
| Bulk Export to SIEM - PANW IoT 3rd Party Integration | This playbook gets all available assets ( alerts, vulnerabilities and devices) and send then to configured PANW third-party integration SIEM server. |
| C2SEC-Domain Scan | Launches a C2sec scan by domain name and waits for the scan to finish by polling its status in pre-defined intervals. |
| Calculate Severity - 3rd-party integrations | Calculates the incident severity level according to the methodology of a 3rd-party integration. |
| Calculate Severity - Critical assets | Deprecated. Use Calculate Severity - Critical Assets v2 playbook instead. Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of \"Critical\" if a critical asset is associated with the investigation.\n\nThis playbook verifies if a user account or an endpoint is part of a critical list or a critical AD group. |
| Calculate Severity - Critical Assets v2 | Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation. Critical assets refer to: users, user groups, endpoints and endpoint groups. |
| Calculate Severity - Generic | Deprecated. Use "Calculate Severity - Generic v2" playbook instead. Calculates and assign the incident severity based on the highest returned severity level from the following severity calculations: Indicators DBotScore - Calculates the incident severity level according to the highest indicator DBotScore. Critical assets - Determines if a critical assest is associated with the invesigation. * 3rd-party integrations - Calculates the incident severity level according to the methodology of a 3rd-party integration. NOTE: the new severity level overwrites the previous severity level even if the previous severity level was more severe. |
| Calculate Severity - Generic v2 | Calculate and assign the incident severity based on the highest returned severity level from the following calculations: - DBotScores of indicators - Critical assets - Email authenticity - Current incident severity - Microsoft Headers |
| Calculate Severity - GreyNoise | Calculate and assign the incident severity based on the highest returned severity level from the following calculations: - DBotScores of indicators - Current incident severity |
| Calculate Severity - Indicators DBotScore | Calculates the incident severity level according to the highest indicator DBotScore. |
| Calculate Severity - Standard | Calculates and sets the incident severity based on the combination of the current incident severity, and the severity returned from the Evaluate Severity - Set By Highest DBotScore playbook. |
| Calculate Severity By Email Authenticity | Calculates a severity according to the verdict coming from the CheckEmailAuthenticity script. |
| Calculate Severity By Highest DBotScore | Calculates the incident severity level according to the highest indicator DBotScore. |
| Calculate Severity Highest DBotScore For Egress Network Traffic - GreyNoise | Playbook to calculate the severity based on GreyNoise |
| Calculate Severity Highest DBotScore For Ingress Network Traffic - GreyNoise | Playbook to calculate the severity based on GreyNoise |
| California - Breach Notification | This playbook helps an analyst determine if the breached data meets the criteria for breach notification according to California law, and, if necessary, follows through with the notification procedures. DISCLAIMER: Please consult with your legal team before implementing this playbook. Source: http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.82. |
| Carbon Black EDR Search Process | Use this playbook to search processes in Carbon Black Enterprise EDR. This playbook implements polling by continuously running the `cb-eedr-process-search-results` command until the operation completes. |
| Carbon black Protection Rapid IOC Hunting | Hunt for endpoint activity involving hash and domain IOCs, using Carbon black Protection (Bit9). |
| Carbon Black Rapid IOC Hunting | Deprecated. Use "Search Endpoints By Hash - Carbon Black Response V2" playbook instead. Hunt for malicious indicators using Carbon Black |
| Carbon Black Response - Unisolate Endpoint | This playbook unisolates sensors according to the sensor ID that is provided in the playbook input. |
| Change Management | If you are using PAN-OS/Panorama firewall and Jira or ServiceNow as a ticketing system this playbook is a perfect match for your change management for Firewall process. This playbook can be triggered by 2 different options - a fetch from ServiceNow or Jira - and will help you manage and automate your change management process. |
| Check For Content Installation | This playbook checks for content updates. |
| Check Indicators For Unknown Assets - RiskIQ Digital Footprint | This playbook receives indicators from its parent playbook and checks if the indicator is an unknown or a known asset in the RiskIQ Digital Footprint inventory and gives out a list of the unknown as well as known assets. This playbook cannot be run in quiet mode. This playbook needs to be used with caution as it might use up the integration’s API license when running for large amounts of indicators. Supported integration: - RiskIQ Digital Footprint |
| Check IP Address For Whitelisting - RiskIQ Digital Footprint | Checks if the provided IP Address should be added to allow list and excluded or not. Use this playbook as a sub-playbook to loop over multiple IP Addresses to check if they should be added to allow list and excluded. |
| Checkpoint - Block IP - Append Group | The playbook receives malicious IP addresses as inputs, checks if the object group exists (if not, the object group is created), and appends the related IPs to that object. If you have not assigned the appended group to a rule in your firewall policy, you can use `rule_name` and the playbook creates a new rule. |
| Checkpoint - Block IP - Custom Block Rule | This playbook blocks IP addresses using Custom Block Rules in Check Point Firewall. The playbook receives malicious IP addresses as inputs, creates a custom bi-directional rule to block them, and publishes the configuration. |
| Checkpoint - Block URL | This playbook blocks URLs using Check Point Firewall through Custom URL Categories. The playbook checks whether the input URL category already exists, and if the URLs are a part of this category. Otherwise, it creates the category, blocks the URLs, and publishes the configuration. |
| Checkpoint - Publish&Install configuration | Publish the Check Point Firewall configuration and install policy on all available gateways. |
| Checkpoint Firewall Configuration Backup Playbook | Deprecated. Triggers a backup task on each firewall appliance and pulls the resulting file into the war room via SCP. |
| ChronicleAsset Investigation - Chronicle | This playbook receives indicators from its parent playbook, performs enrichment and investigation for each one of them, provides an opportunity to isolate and block the hostname or IP address associated with the current indicator, and gives out a list of isolated and blocked entities. This playbook also lists the events fetched for the asset identifier information associated with the indicator. |
| ChronicleAssets Investigation And Remediation - Chronicle | Performs enrichment and investigation of the ChronicleAsset type of indicators, provides an opportunity to remediate in case any of the ChronicleAsset information i.e., hostname or IP address is found to be malicious or suspicious, and sends out an email containing the list of isolated and potentially blocked entities. To select the indicators you want to add, go to playbook inputs, choose "from indicators" and set your query. For example, type:ChronicleAsset etc. The default playbook query is "type:ChronicleAsset". In case indicators with different query parameters are to be investigated, the query must be edited accordingly. This playbook needs to be used with caution as it might use up the integration’s API license when running large amounts of indicators. |
| CimTrak - Example - Analyze Intrusion | Example to analyze intrusion |
| CimTrak - Example - Scan Compliance By IP | Example on how to run a compliance scan for an agent based on IP address |
| Cisco FirePower- Append network group object | This playbook will append a network group object with new elements (IPs or network objects). |
| Cloud IDS-IP Blacklist-GCP Firewall_Append | Set a list of IP addresses in GCP firewall. |
| Cloud IDS-IP Blacklist-GCP Firewall_Combine | Set a list of IP addresses in GCP firewall. |
| Cloud IDS-IP Blacklist-GCP Firewall_Extract | Get Source IP |
| CloudConvert - Convert File | Use this playbook to convert a file to the required format using CloudConvert. |
| Cluster Report Categorization - Cofense Triage v3 | Cluster Report Categorization playbook is used to retrieve the reports of specific clusters and perform the categorization of reports. |
| Code42 Add Departing Employee From Ticketing System | Parses a Ticket Summary containing a username='username' and optionally a departure='date' and adds the user to the Code42 Departing Employee list. This playbook uses Jira out-of-the-box, but you can swap it with a different Ticketing system and achieve the same result. For example, to use Zendesk, change the command `jira-get-issue` to be `zendesk-ticket-details` and use the `id` parameter for `issueId`. Change the output (what gets parsed) to be either the Subject or the Description from Zendesk. |
| Code42 Copy File To Ticketing System | Downloads a file from Code42 and attaches it to a ticketing system. This playbook uses Jira out-of-the-box, but you can swap it with a different Ticketing system and achieve the same result. For example, to use ServiceNow, change the command `jira-issue-upload-file` to be `servicenow-upload-file` and use the `id` parameter for `issueId` and `file_id` for `entryId`. |
| Code42 Exfiltration Playbook | The Code42 Exfiltration playbook acts on Code42 Security Alerts, retrieves file event data, and allows security teams to remediate file exfiltration events by revoking access rights to cloud files or containing endpoints. |
| Code42 File Download | This playbook downloads a file via Code42 by either MD5 or SHA256 hash. |
| Code42 File Search | This playbook searches for files via Code42 security events by either MD5 or SHA256 hash. The data is output to the Code42.SecurityData context for use. |
| Code42 Suspicious Activity Action | Take corrective actions against a Code42 user found to be exposing file data. |
| Code42 Suspicious Activity Review | Detects suspicious activities of a user and allows a recipient to assess the results. Afterward, the playbook takes action on the user such as adding them to legal hold. |
| Codecov Breach - Bash Uploader | This playbook includes the following tasks: - Search for the Security Notice email sent from Codecov. - Collect indicators to be used in your threat hunting process. - Query network logs to detect related activity. - Search for the use of Codecov bash uploader in GitHub repositories - Query Panorama to search for logs with related anti-spyware signatures - Data Exfiltration Traffic Detection - Malicious Modified Shell Script Detection Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Codecov Security Notice |
| Command-Line Analysis | This playbook takes the command line from the alert and performs the following actions: - Checks for base64 string and decodes if exists - Extracts and enriches indicators from the command line - Checks specific arguments for malicious usage At the end of the playbook, it sets a possible verdict for the command line, based on the finding: 1. Indicators found in the command line 2. Found AMSI techniques 3. Found suspicious parameters 4. Usage of malicious tools 5. Indication of network activity |
| Compromised Credentials Match - Flashpoint | Compromised Credentials Match playbook uses the details of the compromised credentials ingested from the Flashpoint and authenticates using the Active Directory integration by providing the compromised credentials of the user, expires the credentials if it matches, and sends an email alert about the breach. Supported integrations: - Flashpoint - OpenLDAP - Active Directory Query v2 |
| Configuration Setup | Playbook for the configuration incident type. |
| Containment Plan | This playbook handles all the containment actions available with Cortex XSIAM, including: Isolate endpoint Disable account Quarantine file Block indicators * Clear user session (currently, the playbook supports only Okta) Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. |
| Content Update Check | Deprecated. Use "Content Update Manager" playbook instead. This playbook will check to see if there are any content updates available for installed packs and notify users via e-mail or Slack. |
| Content Update Manager | This playbook checks for any available content updates for selected installed content packs and notifies users via e-mail or Slack. It also contains an auto-update flow that lets users decide via playbook inputs or communication tasks if they want to trigger an auto-update process to install all updates that were found. This playbook can be used as a Cortex XSOAR job to help users track marketplace pack updates and install them regularly. |
| Context Polling - Generic | This playbook polls a context key to check if a specific value exists. |
| Continuously Process Survey Responses | Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve. Continuously processes new questionnaire responses as they are received. |
| Convert file hash to corresponding hashes | The playbook enables you to get all of the corresponding file hashes for a file even if there is only one hash type available. For example, if we have only the SHA256 hash, the playbook will get the SHA1 and MD5 hashes as long as the original searched hash is recognized by any our the threat intelligence integrations. |
| Cortex ASM - ASM Alert | This playbook aims to provide enrichment of ASM alerts by searching for mentions of associated IP addresses within other security and IT tools. |
| Cortex ASM - CMDB Enrichment | This playbook will look up a CI in ServiceNow CMDB by IP. |
| Cortex ASM - Extract IP Indicator | Identifies IPv4 Address associated with Alert and creates a new Indicator. |
| Cortex ASM - Vulnerability Management Enrichment | This playbook will look up an IP address in Tenable.io or Rapid7 InsightVM. |
| Cortex XDR - AWS IAM user access investigation | Investigate and respond to Cortex XDR Cloud alerts where an AWS IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS environments. - Penetration testing tool attempt - Penetration testing tool activity - Suspicious API call from a Tor exit node This is a beta playbook, which lets you implement and test pre-release software. At the moment we support AWS but are working towards multi-cloud support. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the content to help us identify issues, fix them, and continually improve. |
| Cortex XDR - Block File | Use this playbook to add files to Cortex XDR block list with a given file SHA256 playbook input. |
| Cortex XDR - Check Action Status | Checks the action status of an action ID. \nEnter the action ID of the action whose status you want to know. |
| Cortex XDR - check file existence | Initiates a new endpoint script execution to check if the file exists and retrieve the results. |
| Cortex XDR - delete file | Initiates a new endpoint script execution to delete the specified file and retrieve the results. |
| Cortex XDR - Endpoint Investigation | This playbook handles all the endpoint investigation actions available with Cortex XSIAM, including the following tasks: Pre-defined MITRE Tactics Host fields (Host ID) Attacker fields (Attacker IP, External host) MITRE techniques * File hash (currently, the playbook supports only SHA256) Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. |
| Cortex XDR - Execute commands | Initiates a new script execution of shell commands. |
| Cortex XDR - Execute snippet code script | Initiates a new endpoint script execution action using the provided snippet code and retrieves the file results. |
| Cortex XDR - False Positive Incident Handling | This Playbook handles false-positive incident closure for Cortex XDR - Malware investigation. |
| Cortex XDR - Isolate Endpoint | This playbook accepts an XDR endpoint ID and isolates it using the 'Palo Alto Networks Cortex XDR - Investigation and Response' integration. |
| Cortex XDR - kill process | Initiates a new endpoint script execution kill process and retrieves the results. |
| Cortex XDR - Malware Investigation | Investigates a Cortex XDR incident containing internal malware alerts. The playbook: - Enriches the infected endpoint details. - Lets the analyst manually retrieve the malicious file. - Performs file detonation. The playbook is used as a sub- playbook in ‘Cortex XDR Incident Handling - v2’ |
| Cortex XDR - Port Scan | Investigates a Cortex XDR incident containing internal port scan alerts. The playbook: - Syncs data with Cortex XDR - Enriches the hostname and IP address of the attacking endpoint - Notifies management about host compromise - Escalates the incident in case of lateral movement alert detection - Hunts malware associated with the alerts across the organization - Blocks detected malware associated with the incident - Blocks IPs associated with the malware - Isolates the attacking endpoint - Allows manual blocking of ports that were used for host login following the port scan |
| Cortex XDR - Port Scan - Adjusted | Investigates a Cortex XDR incident containing internal port scan alerts. The playbook: - Syncs data with Cortex XDR. - Notifies management about a compromised host. - Escalates the incident in case of lateral movement alert detection. The playbook is designed to run as a sub-playbook in 'Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling'. It depends on the data from the parent playbooks and can not be used as a standalone version. |
| Cortex XDR - PrintNightmare Detection and Response | The playbook targets specific PrintNightmare rules written by Cortex XDR for both vulnerabilities: CVE-2021-1675 LPE CVE-2021-34527 RCE This playbook includes the following tasks: - Containment of files, endpoints, users and IP Addresses - Enrichment of indicators - Data acquisition of system info and files using Cortex XDR - Eradicating compromised user credentials ** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. |
| Cortex XDR - quarantine file | |
| Cortex XDR - Retrieve File Playbook | Retrieves files from selected endpoints. You can retrieve up to 20 files, from no more than 10 endpoints. Inputs for this playbook are: - A comma-separated list of endpoint IDs. - A comma-separated list of file paths for your operating system, either Windows, Linux, or Mac. At least one file path is required. |
| Cortex XDR - Run script | Initiates a new endpoint script execution action using a provided script unique id from Cortex XDR script library. |
| Cortex XDR - True Positive Incident Handling | This Playbook handles a true-positive incident closure for Cortex XDR - Malware Investigation. |
| Cortex XDR - Unisolate Endpoint | This playbook unisolates endpoints according to the endpoint ID that is provided in the playbook input. |
| Cortex XDR Alerts Handling | This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories: - Malware - Port Scan |
| Cortex XDR device control violations | Queries Cortex XDR for device control violations for the specified hosts, IP address, or XDR endpoint ID. It then communicates via email with the involved users to understand the nature of the incident and if the user connected the device. All the collected data will be displayed in the XDR device control incident layout. This playbook can also be associated with Cortex XDR device control violation job to periodically query and investigate XDR device control violations. In this configuration, the playbook will only communicate with the involved users. |
| Cortex XDR disconnected endpoints | A Job to periodically query disconnected Cortex XDR endpoints with a provided last seen time range playbook input. The Collected data, if found will be generated to a CSV report, including a detailed list of the disconnected endpoints. The report will be sent to the recipient's provided email addresses in the playbook input. The playbook includes an incident type with a dedicated layout to visualize the collected data. To set the job correctly, you will need to. 1. Create a new recurring job. 2. Set the recurring schedule. 3. Add a name. 4. Set type to Cortex XDR disconnected endpoints. 5. Set this playbook as the job playbook. https://xsoar.pan.dev/docs/incidents/incident-jobs The scheduled run time and the timestamp relative date should be identical, If the job is recurring every 7 days, the time range should be 7 days as well. |
| Cortex XDR Incident Handling | This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident. It enriches indicators using Threat Intelligence integrations and Palo Alto Networks AutoFocus. The incident's severity is then updated based on the indicators reputation and an analyst is assigned for manual investigation. If chosen, automated remediation with Palo Alto Networks FireWall is initiated. After a manual review by the SOC analyst, the XDR incident is closed automatically. *** Note - The XDRSyncScript used by this playbook sets data in the XDR incident fields that were released to content from the Demisto server version 5.0.0. For Demisto versions under 5.0.0, please follow the 'Palo Alto Networks Cortex XDR' documentation to upload the new fields manually. |
| Cortex XDR incident handling v2 | This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident and triggers a sub-playbook to handle each alert by type. Then, the playbook performs enrichment on the incident's indicators and hunting for related IOCs. Based on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive. After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation. |
| Cortex XDR incident handling v3 | This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident and triggers a sub-playbook to handle each alert by type. Then, the playbook performs enrichment on the incident’s indicators and hunts for related IOCs. Based on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive. After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation. For performing the bidirectional sync, the playbook uses the incoming and outgoing mirroring feature added in XSOAR version 6.0.0. After the Calculate Severity - Generic v2 sub-playbook’s run, Cortex XSOAR will be treated as the single source of truth for the severity field, and it will sync only from Cortex XSOAR to XDR, so manual changes for the severity field in XDR will not update in the XSOAR incident. |
| Cortex XDR Incident Sync | Compares incidents in Palo Alto Networks Cortex XDR and Cortex XSOAR, and updates the incidents appropriately. When an incident is updated in Cortex XSOAR, the XDRSyncScript will update the incident in XDR. When an incident is updated in XDR, the XDRSyncScript will update the incident fields in Cortex XSOAR and rerun the current playbook. Do not use this playbook when enabling the incident mirroring feature added in XSOAR version 6.0.0. |
| Cortex XDR Malware - Incident Enrichment | This playbook enriches the Cortex XDR incident. The enrichment is done on the involved endpoint and Mitre technique ID information, and sets the 'Malware-Investigation and Response' layout. |
| Cortex XDR Malware - Investigation And Response | This playbook investigates Cortex XDR malware incidents. It uses: - Cortex XDR insights - Command Line Analysis - Dedup - Sandbox hash search and detonation - Cortex XDR enrichment - Incident Handling ( True/False Positive) |
| Courses of Action - Collection | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1005 - Data from Local System - Kill Chain phase: - Collection MITRE ATT&CK Description: The adversary is attempting to gather data of interest to accomplish their goal. Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Command and Control | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0011: command and control MITRE ATT&CK Description: The adversary is trying to communicate with compromised systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Credential Access | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0006: Credential Access MITRE ATT&CK Description: The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Defense Evasion | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0005: Defense Evasion MITRE ATT&CK Description: The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Discovery | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0007: Discovery MITRE ATT&CK Description: The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Execution | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0002: Execution MITRE ATT&CK Description: The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Exfiltration | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0010: Exfiltration MITRE ATT&CK Description: The adversary is trying to steal data. Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Impact | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0040: Impact MITRE ATT&CK Description: The adversary is trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Initial Access | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0001: Initial Access MITRE ATT&CK Description: The adversary is trying to get into your network. Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Lateral Movement | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0008: Lateral Movement MITRE ATT&CK Description: The adversary is trying to move through your environment. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Persistence | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0003: Persistence MITRE ATT&CK Description: The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Privilege Escalation | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0004: Privilege Escalation MITRE ATT&CK Description: The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: • SYSTEM/root level• local administrator• user account with admin-like access • user accounts with access to specific system or perform specific functionThese techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Create Jira Issue | Create Jira issue allows you to open new issues. When creating the issue, you can decide to update based on on the issue's state, which will wait for the issue to resolve or close with StatePolling. Alternatively, you can select to mirror the Jira issue and incident fields. To apply either of these options, set the SyncTicket value in the playbook inputs to one of the following options: 1. StatePolling 2. Mirror 3. Leave Blank to use none When creating Jira issues through XSOAR, using the mirroring function, make sure that you exclude those issues when fetching incidents. To exclude these issues, tag the relevant issues with a dedicated label and exclude that label from the JQL query (Labels!=). |
| Create ServiceNow Ticket | Create ServiceNow Ticket allows you to open new tickets as a task from a parent playbook. When creating the ticket, you can decide to update based on on the ticket's state, which will wait for the ticket to resolve or close with StatePolling. Alternatively, you can select to mirror the ServiceNow ticket and incident fields. To apply either of these options, set the SyncTicket value in the playbook inputs to one of the following options: 1. StatePolling 2. Mirror 3. Leave Blank to use none. |
| CrowdStrike Endpoint Enrichment | Deprecated. Use CrowdStrike Falcon instead. |
| CrowdStrike Falcon - False Positive Incident Handling | This playbook handles a CrowdStrike incident that was determined to be a false positive by the analyst. Actions include unisolating the host, allowing the indicator by the EDR, and tagging it. |
| CrowdStrike Falcon - Get Detections by Incident | This playbook enables getting CrowdStrike Falcon detection details based on the CrowdStrike incident ID. |
| CrowdStrike Falcon - Get Endpoint Forensics Data | This playbook extracts data from the host using RTR commands. For example, commands for getting a list of running processes and network connections. |
| Crowdstrike Falcon - Isolate Endpoint | This playbook will auto isolate endpoints by the device ID that was provided in the playbook. |
| CrowdStrike Falcon - Retrieve File | This playbook retrieves and unzips files from CrowdStrike Falcon and returns a list of the files that were and were not retrieved. |
| CrowdStrike Falcon - Search Endpoints By Hash | This playbook searches across the organization for other endpoints associated with a specific SHA256 hash. |
| CrowdStrike Falcon - SIEM ingestion Get Incident Data | This playbook handles incident ingestion from a SIEM. The user provides the field for the incident ID or detection ID and the field indicating whether the ingested item is an incident or detection. This playbook enables changing the severity scale in Cortex XSOAR as well as fetching CrowdStrike detections based on the CrowdStrike incident type. |
| CrowdStrike Falcon - True Positive Incident Handling | This playbook handles a CrowdStrike incident that was determined to be a true positive by the analyst. Actions include isolating the host, blocking the indicator by the EDR, and tagging it. |
| Crowdstrike Falcon - Unisolate Endpoint | This playbook unisolates devices according to the device ID that is provided in the playbook input. |
| CrowdStrike Falcon Malware - Incident Enrichment | This playbook enables enriching CrowdStrike Falcon incidents by pivoting to their detections as well as mapping all the relevant data to the Cortex XSOAR incident fields. |
| CrowdStrike Falcon Malware - Investigation and Response | This playbook covers a detailed flow of handling a CrowdStrike Falcon malware investigation, including: - Extracting and displaying MITRE data from the EDR and sandboxes - Deduplicatimg similar incidents - Searching for hashes in an alert in a sandbox to provide their relevant information. If the hashes are not found, retrieving them from the endpoint and detonating them in the sandbox. - Verifying the actions taken by the EDR - Analyzing the command line - Searching for the relevant hashes in additional hosts in the organization - Retrieving data about the host, including process list and network connections - Performing containment and mitigation actions as part of handling false/true positives - Setting the relevant layouts |
| CrowdStrike Falcon Malware - Verify Containment Actions | This playbook verifies and sets the policy actions applied by CrowdStrike Falcon. |
| CrowdStrike Falcon Sandbox - Detonate file | Deprecated. Use the cs-falcon-sandbox-submit-file command with polling=true instead. |
| CrowdStrike Rapid IOC Hunting | Deprecated. Use "CrowdStrike Rapid IOC Hunting v2" playbook instead. Hunt for endpoint activity involving hash and domain IOCs, using Crowdstrike Falcon Host.\nAlso use AnalystEmail label to determine where to send an email alert if something is found. |
| CrowdStrike Rapid IOC Hunting v2 | Deprecated. Use CrowdStrike Falcon instead. |
| CVE Enrichment - Generic | Deprecated. Use "CVE Enrichment - Generic v2" playbook instead. Enrich CVE using one or more integrations. |
| CVE Enrichment - Generic v2 | This playbook performs CVE Enrichment using the following integrations: - VulnDB - CVE Search - IBM X-Force Exchange |
| CVE Exposure - RiskSense | Block IPs and apply the tag to assets that are vulnerable to the specified CVE. |
| CVE-2021-22893 - Pulse Connect Secure RCE | On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed. The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0. This playbook should be trigger manually and includes the following tasks: Enrich related known CVEs and Malware Hashes used by the suspected APT actor. Search for unpatched endpoints vulnerable to the exploits. Search network facing system using Expanse for relevant issues. Indicators and known webshells hunting using SIEM products. Block indicators automatically or manually. Provide different mitigations that has been publicly published such as: Patches Workarounds * Yara and Snort Rules Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Exploitation of Pulse Connect Secure Vulnerabilities |
| CVE-2021-34527 | CVE-2021-1675 - PrintNightmare | The playbook can be triggered manually or automatically by setting up a reoccurring job. Microsoft has released a security update in June 2021 Patch Tuesday for CVE-2021-1675, a Local Privilege Escalation vulnerability in the Print Spooler Service. Later that month, researchers found another method to exploit the Print Spooler service remotely, which raised the severity of the vulnerability due to the fact that the new method allows Remote Code Execution, a new ID was given to the critical vulnerability - CVE-2021-34527. Microsoft patched the vulnerability in June but an exploit POC and complete technical analysis were made publicly available online. Update 7.8.2021 - Microsoft has released an emergency patch for the PrintNightmare. A reference for the patch can be found in "Install Microsoft spooler service patches" task. This playbook includes the following tasks: - Manual actions to mitigate the exploit - Search Vulnerable Devices using the CVE - Query SIEM, FW, XDR to detect malicious activity and compromised hosts - Run Dedicated Detection and Response playbook for Cortex XDR More details on the vulnerabilities: CVE-2021-1675 LPE CVE-2021-34527 RCE Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. |
| CVE-2021-40444 - MSHTML RCE | CVE-2021-4044 refers to the MSHTML engine, that has been found vulnerable to arbitrary code execution by a specially crafted Microsoft Office document or rich text format file. Mitigations: Microsoft official patch addressing CVE-2021-40444 Several workarounds suggested by Microsoft. Researchers have validated this attack triggered in Windows Explorer with “Preview Mode” enabled, even in just a rich-text format RTF file (not an Office file and without ActiveX). This indicates it can be exploited even without opening the file and this invalidates Microsoft’s workaround mitigation mentioned above. This playbook should be trigger manually and includes the following tasks: Collect related known indicators from several sources. Indicators, Files and Process creation patterns hunting using PAN-OS, Cortex XDR and SIEM products. Block indicators automatically or manually. Provide workarounds and detection capabilities. * Microsoft official CVE-2021-40444 patch. More information: Microsoft MSHTML Remote Code Execution Vulnerability Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. |
| CVE-2021-44228 - Log4j RCE | Critical RCE Vulnerability: log4j - CVE-2021-44228 On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified being exploited in the wild. Public proof of concept (PoC) code was released and subsequent investigation revealed that exploitation was incredibly easy to perform. On Dec. 14 2021, another vulnerability was discovered related the log4j 0-day exploit known as CVE-2021-45046. On Dec 18 2021, yet another vulnerability was discovered related the log4j 0-day exploit known as CVE-2021-45105 that allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. On Dec 28 2021, another RCE vulnerability was published for Apache Log4j2, versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4). In order to exploit this vulnerability, an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. Affected Version Apache Log4j 2.x <= 2.17.0 This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the CVE-2021-44228 - Log4j RCE playbook and Rapid Breach Response incident type. The playbook includes the following tasks: Collect related known indicators from several sources. Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products. Search for possible vulnerable servers using Xpanse and Prisma Cloud. Block indicators automatically or manually. Mitigations: Apache official CVE-2021-44228 patch. Unit42 recommended mitigations. Detection Rules. Snort Suricata Sigma Yara Zeek Intel More information: Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228) Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. |
| CVE-2022-26134 - Confluence RCE | Atlassian has been made aware of the current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability. Atlassian has released the following versions to address this issue: Released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1 which contain a fix for this issue. This playbook includes the following tasks: Collect detection rules. Exploitation patterns & IoCs hunting using PANW Next-Generation Firewalls and 3rd party SIEM products. Cortex Xpanse policies coverage. Provides Atlassian workarounds and patched versions. More information: Threat Brief: Atlassian Confluence Remote Code Execution Vulnerability (CVE-2022-26134) Confluence Security Advisory 2022-06-02 Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. |
| CVE-2022-30190 - MSDT RCE | On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec. The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word. On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability. This playbook includes the following tasks: Collect detection rules. Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products. Cortex XDR BIOCs coverage. Provides Microsoft workarounds and detection capabilities. More information: Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. |
| Cyberpion Domain State | Allows analyst to get basic information about the domain |
| CyberTotal Auto Enrichment - CyCraft | This playbook automatically enriches indicators (including IPs, URLs, domains; MD5, SHA-1, and SHA-256 file hashes). Playbook input: the indicators you want to enrich. Playbook output: detection engine results, positive detections, detection ratios; as well as severity, confidence, and threat scores. |
| CyberTotal Whois - CyCraft | This playbook is used to automatically retrieve Whois information regarding IPs, URLs and domains. Playbook input: IPs, URLs, domains. Playbook output: Whois lookup information. |
| Cyble Intel Alert | This is a playbook which will handle the alerts coming from the Cyble Events service |
| Cyren Inbox Security Default | Processes Cyren Incidents, sets resolutions, and applies remediations to end-user mailboxes. |
| D2 - Endpoint data collection | Uses Demisto's d2 agent to collect data from an endpoint for IR purposes. Input: Hostname (default: ${Endpoint.Hostname}) OS (default: windows) Credentials (default: Admin) Path (default: None) |
| Darkfeed - malware download from feed | Set this playbook as an automated job in order to automatically download malware from new Darkfeed IOCs and run them through the "Darkfeed IOC detonation and proactive blocking" playbook |
| Darkfeed IOC detonation and proactive blocking | Download malicious files from a Darkfeed IOC, detonate them in automated sandboxes, and extract and block any additional indicators and files. |
| Darkfeed Threat hunting-research | Automatically discover and enrich indicators with the same actor and source as the triggering IOC. Search for and isolate any compromised endpoints and proactively block IOCs from entering your network. |
| DBot Create Phishing Classifier | Deprecated. Use "DBot Create Phishing Classifier V2" playbook instead. Create a phishing classifier using machine learning technique, based on email content |
| DBot Create Phishing Classifier Job | Deprecated. Use "DBot Create Phishing Classifier V2" playbook instead. Train the phishing machine learning model. This playbook should be used as job, to run repeatedly, for example every week. |
| DBot Create Phishing Classifier V2 | Create a phishing classifier using machine learning techniques, based on email content. |
| DBot Create Phishing Classifier V2 Job | Train the phishing machine learning model. This playbook should be used as job, to run repeatedly, for example every week. |
| DBot Indicator Enrichment - Generic | Get indicators internal Dbot score |
| Dedup - Generic | Deprecated. Use "Dedup - Generic v2" playbook instead. This playbook identifies duplicate incidents using one of the supported methods. |
| Dedup - Generic v2 | Deprecated. Use the Dedup Generic v3 playbook instead. This playbook identifies duplicate incidents using one of the supported methods. |
| Dedup - Generic v3 | This playbook identifies duplicate incidents using one of the supported methods. Select one of the following methods to identify duplicate incidents in Cortex XSOAR. - ml: Machine learning model, which is trained mostly on phishing incidents. -rules: Rules help identify duplicate incidents when the logic is well defined, for example, the same label or custom fields. -text: Statistics algorithm that compares text, which is generally useful for phishing incidents. For each method, the playbook will search for the oldest similar incident. when there is a match for a similar incident the playbook will close the current incident and will link it to the older incident. |
| Dedup - Generic v4 | This playbook identifies duplicate incidents using the Cortex XSOAR machine learning method (script). In this playbook, you can choose fields and/or indicators to be compared against other incidents in the Cortex XSOAR database. Note: To identify similar incidents you must must properly define the playbook inputs. |
| DeDup incidents | Deprecated. Check for duplicate incidents for the current incident, and close it if any duplicate has found. |
| DeDup incidents - ML | Deprecated. Check for duplicate incidents for the current incident, and close it if any duplicate has been found by machine-learning find duplicates automation. |
| DeepL Translate Document | |
| Default | This playbook executes when no other playbook is associated with an incident. It enriches indicators in an incident using one or more integrations. |
| Demisto Self-Defense - Account policy monitoring playbook | Deprecated. Get list of Demisto users through the REST API, and alert if any non-SAML user accounts are found. |
| Detect & Manage Phishing Campaigns | This playbook is used to find, create and manage phishing campaigns. When a number of similar phishing incidents exist in the system, the playbook can be used to do the following: 1. Find and link related incidents to the same phishing attack (a phishing campaign). 2. Search for an existing Phishing Campaign incident, or create a new incident for the linked Phishing incidents. 3. Link all detected phishing incidents to the Phishing Campaign incident that was found or that was created previously. 4. Update the Phishing Campaign incident with the latest data about the campaign, and update all related phishing incidents to indicate that they are part of the campaign. |
| Detonate and Analyze File - Generic | This playbook uploads, detonates, and analyzes files for supported sandboxes. Currently supported sandboxes are Falcon X and Wildfire. |
| Detonate File - ANYRUN | Detonates one or more files using the ANYRUN sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. All file types are supported. |
| Detonate File - BitDam | Detonates one or more files using BitDam integration. Returns verdict to the War Room and file reputations to the context data. Supported file types are mainly PDF & microsoft office software/ |
| Detonate File - CrowdStrike Falcon X | Detonates a File using CrowdStrike Falcon X sandbox. Accepted file formats: Portable executables: .exe, .scr, .pif, .dll, .com, .cpl, etc. Office documents: .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub APK Executable JAR Windows script component: .sct Windows shortcut: .lnk Windows help: .chm HTML application: .hta Windows script file: .wsf Javascript: .js Visual Basic: .vbs, .vbe Shockwave Flash: .swf Perl: .pl Powershell: .ps1, .psd1, .psm1 Scalable vector graphics: .svg Python: .py Linux ELF executables Email files: MIME RFC 822 .eml, Outlook .msg. |
| Detonate File - Cuckoo | Detonating file with Cuckoo |
| Detonate File - FireEye AX | Detonate one or more files using the FireEye AX integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types - PE32, EXE, DLL, JAR, JS, PDF, DOC, DOCX, RTF, XLS, PPT, PPTX, XML, ZIP, VBN, SEP, XZ, GZ, BZ2, TAR, MHTML, SWF, LNK, URL, MSI, JTD, JTT, JTDC, JTTC, HWP, HWT, HWPX, BAT, HTA, PS1, VBS, WSF, JSE, VBE, CHM, JPG, JPEG, GIF, PNG, XLSX |
| Detonate File - FireEye Detection on Demand | Detonate one or more files using the FireEye Detection on Demand integration. This playbook returns relevant reports to the War Room and file reputations to the context data. |
| Detonate File - Generic | Detonate file through active integrations that support file detonation |
| Detonate File - Group-IB TDS Polygon | Detonate file using Group-IB THF Polygon integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types: 7z, ace, ar, arj, bat, bz2, cab, chm, cmd, com, cpgz, cpl, csv, dat, doc, docm, docx, dot, dotm, dotx, eml, exe, gz, gzip, hta, htm, html, iqy, iso, jar, js, jse, lnk, lz, lzma, lzo, lzh, mcl, mht, msg, msi, msp, odp, ods, odt, ots, ott, pdf, pif, potm, potx, pps, ppsm, ppsx, ppt, pptm, pptx, ps1, pub, py, pyc, r, rar, reg, rtf, scr, settingcontent-ms, stc, svg, sxc, sxw, tar, taz, .tb2, .tbz, .tbz2, tgz, tlz, txz, tzo, txt, url, uue, vbe, vbs, wsf, xar, xls, xlsb, xlsm, xlsx, xml, xz, z, zip. |
| Detonate File - HybridAnalysis | Detonates one or more files using the Hybrid Analysis integration. Returns relevant reports to the War Room and file reputations to the context data. All file types are supported. |
| Detonate File - JoeSecurity | Detonates one or more files using the Joe Security - Joe Sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. All file types are supported. |
| Detonate File - Lastline | Detonates a File using the Lastline sandbox. Lastline supports the following File Types: EXE, SYS, DLL, COM, SCR, CPL, OCX, CGI, DOC, DOTM, DOCX, DOTX, XLS, PPAM, XSLX, PPS, XLSB, PPSX, XLSM, PPSM, PPT, PPTX, PPTM, RTF, SHS, XLTM, SLDM, XLTX, SLDX, XLAM, THMX, DOCM, XAR, JTD, JTDC, PDF, SWF, GZ, 7Z, TGZ, MSI, ZIP, LZH, CAB, LZMA, APK, JAR, CLASS, JPEG, PNG, GIF, CMD, ACE, BAT, ARJ, VBS, CHM, XML, LNK, URL, MOF, HTM, OCX, HTML, POTM, EML, POTX, MSG, PS, |VB, REG, VBA, WSC, VBE, WSF, VBS, WSH |
| Detonate File - Lastline v2 | Detonates a File using the Lastline sandbox. Lastline supports the following File Types: EXE, SYS, DLL, COM, SCR, CPL, OCX, CGI, DOC, DOTM, DOCX, DOTX, XLS, PPAM, XSLX, PPS, XLSB, PPSX, XLSM, PPSM, PPT, PPTX, PPTM, RTF, SHS, XLTM, SLDM, XLTX, SLDX, XLAM, THMX, DOCM, XAR, JTD, JTDC, PDF, SWF, GZ, 7Z, TGZ, MSI, ZIP, LZH, CAB, LZMA, APK, JAR, CLASS, JPEG, PNG, GIF, CMD, ACE, BAT, ARJ, VBS, CHM, XML, LNK, URL, MOF, HTM, OCX, HTML, POTM, EML, POTX, MSG, PS, |VB, REG, VBA, WSC, VBE, WSF, VBS, WSH |
| Detonate File - ReversingLabs A1000 | Upload sample to ReversingLabs A1000 appliance and automatically retrieve full & classification reports. Calculate final classification. |
| Detonate File - ReversingLabs TitaniumScale | Upload sample to ReversingLabs TitaniumScale instance and retrieve the analysis report. |
| Detonate File - SNDBOX | Deprecated. No available replacement. |
| Detonate File - ThreatGrid | Detonate one or more files using the ThreatGrid integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types - EXE, DLL, JAR, JS, PDF, DOC, DOCX, RTF, XLS, PPT, PPTX, XML, ZIP, VBN, SEP, XZ, GZ, BZ2, TAR, MHTML, SWF, LNK, URL, MSI, JTD, JTT, JTDC, JTTC, HWP, HWT, HWPX, BAT, HTA, PS1, VBS, WSF, JSE, VBE, CHM |
| Detonate File - ThreatStream | Detonate one or more files using the Anomali ThreatStream v2 integration. This playbook returns relevant reports to the War Room, and file reputations to the context data. |
| Detonate File - VMRay | Detonates a file with VMRay. |
| Detonate File From URL - ANYRUN | Detonates one or more remote files using the ANYRUN sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. This type of analysis works only for direct download links. |
| Detonate File From URL - JoeSecurity | Detonates one or more remote files using the Joe Security sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. This type of analysis is available for Windows only and works only for direct download links. |
| Detonate File From URL - WildFire | Detonate one or more files using the Wildfire integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types - APK, JAR, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, XML, PE32, PDF, DMG, PKG, RAR, 7Z |
| Detonate Remote File from URL - McAfee ATD | Detonates a File from a URL using the McAfee Advanced Threat Defense sandbox integration. |
| Detonate URL - ANYRUN | Detonates one or more URLs using the ANYRUN sandbox integration. Returns relevant reports to the War Room and url reputations to the context data. |
| Detonate URL - CrowdStrike | Deprecated. Use the cs-falcon-sandbox-submit-url command with polling=true instead. |
| Detonate URL - CrowdStrike Falcon X | Detonate one or more files using the CrowdStrike Falcon Sandbox integration. This playbook returns relevant reports to the War Room and file reputations to the context data. |
| Detonate URL - Cuckoo | Detonating URL with Cuckoo |
| Detonate URL - Generic | Detonate URL through active integrations that support URL detonation. |
| Detonate URL - Group-IB TDS Polygon | Detonate URL using Group-IB THF Polygon integration. |
| Detonate URL - JoeSecurity | Detonates one or more URLs using the Joe Security sandbox integration. Returns relevant reports to the War Room and url reputations to the context data. |
| Detonate URL - Lastline | Detonates a URL using the Lastline sandbox integration. |
| Detonate URL - Lastline v2 | Detonates a URL using the Lastline sandbox integration. |
| Detonate URL - McAfee ATD | Detonates a URL using the McAfee Advanced Threat Defense sandbox integration. |
| Detonate URL - Phish.AI | Deprecated. Vendor has declared end of life for this product. No available replacement. |
| Detonate URL - ThreatGrid | Detonate one or more URLs using the Threat Grid integration. This playbook returns relevant reports to the War Room and URL reputations to the context data. |
| Detonate URL - ThreatStream | Detonates one or more URLs using the Anomali ThreatStream v2 sandbox integration. Returns relevant reports to the War Room and URL reputations to the context data. |
| Detonate URL - VMRay | Detonates a URL using the VMRay sandbox integration. |
| Detonate URL - WildFire-v2 | Detonate a webpage or a remote file using the WildFire integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types - APK, JAR, DOC, DOCX, RTF, OOXLS, XLSX, PPT, PPTX, XML, PE32, PDF, DMG, PKG, RAR, 7Z |
| Digital Defense FrontlineVM - Old Vulnerabilities Found | This will query Frontline.Cloud's active view for any critical level vulnerabilities found to be older than 90 days. |
| Digital Defense FrontlineVM - PAN-OS block assets | This playbook will pull Panorama queried threat logs and check for any correlating assets that are found to have a minimum of high level vulnerabilities. If so, it will block the the IP using Panorama's PAN-OS - Block IP and URL - External Dynamic List playbook. |
| Digital Defense FrontlineVM - Scan Asset Not Recently Scanned | This playbook will pull the IP address from the details value of an incident and check if that asset has been scanned within the past 60 days. If not then it will prompt to perform a scan on the asset. |
| Digital Guardian Demo Playbook | This playbook will show how to handle an exfiltration event through Digital Guardian by emailing a user's manager and adding the user to a DG Watchlist. |
| Digital Shadows - CVE_IoC Assessment & Enrichment | Enrichment of CVE IOC types - sub-playbook for IOC Assessment & Enrichment playbook |
| Digital Shadows - Domain Alert Intelligence (Automated) | Provides intelligence and reputation outputs based on the most recent Impersonating Domain, Subdomain or Phishing URL reported by Digital Shadows SearchLight. |
| Digital Shadows - Domain_IoC Assessment & Enrichment | Enrichment of Domain IOC types - sub-playbook for IOC Assessment & Enrichment playbook |
| Digital Shadows - IoC Assessment & Enrichment | Enrich indicators by providing intelligence and more associated indicators based on confirmed reporting in Digital Shadows SearchLight. |
| Digital Shadows - IP_IoC Assessment & Enrichment | Enrichment of IP IOC types - sub-playbook for IOC Assessment & Enrichment playbook |
| Digital Shadows - MD5_IoC Assessment & Enrichment | Enrichment of MD5 IOC types - sub-playbook for IOC Assessment & Enrichment playbook |
| Digital Shadows - SHA1_IoC Assessment & Enrichment | Enrichment of SHA1 IOC types - sub-playbook for IOC Assessment & Enrichment playbook |
| Digital Shadows - SHA256_IoC Assessment & Enrichment | Enrichment of SHA256 IOC types - sub-playbook for IOC Assessment & Enrichment playbook |
| Digital Shadows - URL_IoC Assessment & Enrichment | Enrichment of URL IOC types - sub-playbook for IOC Assessment & Enrichment playbook |
| DLP Incident Feedback Loop | Collects feedback from user about blocked files. |
| Domain Enrichment - Generic | Deprecated. Use "Domain Enrichment - Generic v2" playbook instead. Enrich Domain using one or more integrations. Domain enrichment includes: Domain reputation Threat information |
| Domain Enrichment - Generic v2 | Enrich domains using one or more integrations. Domain enrichment includes: * Threat information |
| Domain Enrichment - RST Threat Feed | Enrich domains using RST Threat Feed integration |
| Druva-Ransomware-Response | Automate response actions like quarantining effected resources or snapshots to stop the spread of ransomware and avoid reinfection or contamination spread. |
| DSAR Inventa Handler | Handling DSAR requests |
| Email Address Enrichment - Generic | Deprecated. Use "Email Address Enrichment - Generic v2.1" playbook instead. Get email address reputation using one or more integrations |
| Email Address Enrichment - Generic v2 | Deprecated. Use "Email Address Enrichment - Generic v2.1" playbook instead. Enrich email addresses. Email address enrichment involves: - Getting information from Active Directory for internal addresses - Getting the domain-squatting reputation for external addresses |
| Email Address Enrichment - Generic v2.1 | Enrich email addresses. - Get information from Active Directory for internal addresses - Get the domain-squatting reputation for external addresses |
| Email Headers Check - Generic | This playbook executes one sub-playbook and one automation to check the email headers: - Process Microsoft's Anti-Spam Headers - This playbook stores the SCL, BCL and PCL scores if they exist to the relevant incident fields (Phishing SCL Score, Phishing PCL Score, Phishing BCL Score). - CheckEmailAuthenticity - This automation checks email authenticity based on its SPF, DMARC, and DKIM. |
| Employee Offboarding - Delegate | This playbook delegates user resources and permissions as part of the IT - Employee Offboarding playbook. |
| Employee Offboarding - Gather User Information | This playbook gathers user information as part of the IT - Employee Offboarding playbook. |
| Employee Offboarding - Retain & Delete | This playbook playbook performs retention and deletion of user information as part of the IT - Employee Offboarding playbook. |
| Employee Offboarding - Revoke Permissions | This playbook revokes user permissions as part of the IT - Employee Offboarding playbook. |
| Employee Status Survey | Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve. Manages a crisis event where employees have to work remotely due to a pandemic, issues with the workplace or similar situations. Sends a questionnaire to all direct reports under a given manager. The questionnaire asks the employees for their health status and whether they need any help. The data is saved as employee indicators in Cortex XSOAR, while IT and HR incidents are created to provide assistance to employees who requested it. The questionnaire expires after 24 hours by default, and during that time the responses are processed every 5 minutes. These settings can be edited via the task that sends the questionnaire and the loop settings of the Continuously Process Survey Responses playbook, respectively. |
| Endace Search Archive and Download | Deprecated. No available replacement. This playbook uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager and enables integration of full historical packet capture into security automation workflows. |
| Endace Search Archive Download PCAP | Deprecated. This playbook has been deprecated. Use Endace Search Archive Download\ \ PCAP v2 instead. This playbook uses Endace APIs to search, archive and download\ \ PCAP file from either a single EndaceProbe or many via the InvestigationManager.\ \ The workflow accepts inputs like “the date and time of the incident or a\ \ timeframe”, “source or destination IP address of the incident”, “source or destination\ \ IP port of the incident”, “protocol of the incident” and name of archive file.\ \ \nThe Workflow in this playbook - \n1. Finds the packet history related to the\ \ search items. Multiple Search Items in an argument field are OR'd. Search Items\ \ between multiple arguments are AND'd. \n2. A successful Search is followed by\ \ an auto archival process of matching packets on EndaceProbe which can be accessed\ \ from an investigation link on the Evidence Board and/or War Room board that can\ \ be used to start forensic analysis of the packets history on EndaceProbe.\n3.\ \ Finally Download the archived PCAP file to XSOAR system provided the file size\ \ is less than a user defined threshold say 10MB. Files greater than 10MB can be\ \ accessed or analyzed on EndaceProbe via \"Download PCAP link\" or \"Endace PivotToVision\ \ link\" displayed on Evidence Board.\n |
| Endace Search Archive Download PCAP v2 | This playbook uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager. The workflow accepts inputs like “the date and time of the incident or a timeframe”, “source or destination IP address of the incident”, “source or destination IP port of the incident”, “protocol of the incident” and name of archive file. Required Inputs - Either timeframe or start and timeframe or end and timeframe or start and end fields. Either src_host_list or dest_host_list or ip fields. Either src_port_list or dest_port_list or port fields. archive_filename field is required delete_archive field is required download_threshold field is required The Workflow in this playbook : 1. Finds the packet history related to the search items. Multiple Search Items in an argument field are OR'd. Search Items between multiple arguments are AND'd. 2. A successful Search is followed by an auto archival process of matching packets on EndaceProbe which can be accessed from an investigation link on the Evidence Board and/or War Room board that can be used to start forensic analysis of the packets history on EndaceProbe. 3. Finally Download the archived PCAP file to XSOAR system provided the file size is less than a user defined threshold say 10MB. Files greater than this threshold can be accessed or analyzed on EndaceProbe via "Download PCAP link" or "Endace PivotToVision link" displayed on Evidence Board. |
| Endpoint data collection | Deprecated. Generic playbook to collect data from endpoints for IR purposes. Will use whichever integrations are configured and available. |
| Endpoint Enrichment - Cylance Protect v2 | Enriches endpoints using the Cylance Protect v2 integration. |
| Endpoint Enrichment - Generic | Deprecated. Use "Endpoint Enrichment - Generic v2.1" playbook instead. Enrich an Endpoint Hostname using one or more integrations |
| Endpoint Enrichment - Generic v2 | Deprecated. Use "Endpoint Enrichment - Generic v2.1" playbook instead. Enrich an endpoint by hostname using one or more integrations. Currently, the following integrations are supported: - Active Directory - McAfee ePolicy Orchestrator - Carbon Black Enterprise Response - Cylance Protect - CrowdStrike Falcon Host |
| Endpoint Enrichment - Generic v2.1 | Enrich an endpoint by hostname using one or more integrations. Supported integrations: - Active Directory Query v2 - McAfee ePolicy Orchestrator - Carbon Black Enterprise Response v2 - Cylance Protect v2 - CrowdStrike Falcon Host - ExtraHop Reveal(x) |
| Endpoint Enrichment - XM Cyber | Enrich an endpoint by hostname using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more |
| Endpoint Investigation Plan | This playbook handles all the endpoint investigation actions available with Cortex XSIAM, including the following tasks: Pre-defined MITRE Tactics Host fields (Host ID) Attacker fields (Attacker IP, External host) MITRE techniques * File hash (currently, the playbook supports only SHA256) Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. |
| Endpoint Malware Investigation - Generic | Deprecated. Use 'Malware Investigation & Response Incident handler' instead. (From the 'Malware Investigation And Response Pack') This playbook is triggered by a malware incident from an 'Endpoint' type integration. The playbook performs enrichment, detonation, and hunting within the organization, and remediation on the malware. Used sub-playbooks: - Endpoint Enrichment - Generic v2.1 - Retrieve File from Endpoint - Generic - Detonate File - Generic - File Enrichment - Generic v2 - Calculate Severity - Generic v2 - Isolate Endpoint - Generic - Block Indicators - Generic v2 |
| Endpoint Malware Investigation - Generic V2 | Deprecated. Use 'Malware Investigation & Response Incident handler' instead. (From the 'Malware Investigation And Response Pack') This playbook provides a framework for handling malware investigation through all essential steps. The playbook consists of 7 stages. Each stage contains the relevant playbook or tasks. This playbook auto extracts indicators from incidents using indicator extraction rules of the malware incident type. To use Illusive integration in the `Forensics - Generic` playbook, note that you will be able to set the forensic timeline by editing the `Forensics - Generic` playbook inputs. |
| Enrich DXL with ATD verdict | Deprecated. Use "Enrich DXL with ATD verdict v2" playbook instead. Example of using McAfee ATD and pushing any malicious verdicts over DXL. Detonates a file in ATD and if malicious - push its MD5, SHA1 and SHA256 hashes to McAfee DXL. |
| Enrich DXL with ATD verdict v2 | Uses McAfee ATD to push any malicious verdicts over DXL. Detonates a file in ATD and if malicious, pushes its MD5, SHA1 and SHA256 hashes to McAfee DXL. |
| Enrich Incident With Asset Details - RiskIQ Digital Footprint | Enriches the incident with asset details, and enriches the asset with the incident URL on the RiskIQ Digital Footprint platform. This playbook also sends an email containing the owner's information to the primary or secondary contact of the asset and provides the user with an opportunity to update or remove the asset. Supported integration: - RiskIQ Digital Footprint |
| Enrich McAfee DXL using 3rd party sandbox | Deprecated. Use "Enrich McAfee DXL using 3rd party sandbox v2" playbook instead. Example of bridging DXL to a third party sandbox. Detonate a file in Wildfire and if malicious - push its MD5, SHA1 and SHA256 hashes to McAfee DXL. |
| Enrich McAfee DXL using 3rd party sandbox v2 | Example of bridging DXL to a third party sandbox. Detonate a file in 3rd party sandbox and if malicious, push its MD5, SHA1 and SHA256 hashes to McAfee DXL. |
| Enrichment for Verdict | This playbook checks prior alert closing reasons and performs enrichment on different IOC types. It then returns the information needed to establish the alert's verdict. |
| Entity Enrichment - Generic | Deprecated. Use "Entity Enrichment - Generic v3" playbook instead. Enrich entities using one or more integrations |
| Entity Enrichment - Generic v2 | Enrich entities using one or more integrations |
| Entity Enrichment - Generic v3 | Enrich entities using one or more integrations. |
| Entity Enrichment - Phishing v2 | Enrich entities using one or more integrations |
| Eradication Plan | This playbook handles all the eradication actions available with Cortex XSIAM, including the following tasks: Reset user password Delete file * Kill process (currently, the playbook supports terminating a process by name) Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. |
| Exchange 2016 Search and Delete | Run a compliance search in Exchange Server 2016, and delete the results. |
| Expanse Attribution | Subplaybook for Handle Expanse Incident playbooks. Given an Expanse Issue IP, Issue Provider, Issue Domain, Issue Port and Issue Protocol hunts for internal activity related to the detected service. The playbook looks for logs on Splunk, Cortex Data Lake, Panorama, and ServiceNow CMDB. Returns a list of potential owner BUs, owner Users, Device and Notes. |
| Expanse Behavior Severity Update | Deprecated. Use Xpanse Incident Handling - Generic instead. |
| Expanse Enrich Cloud Assets | Subplaybook for Handle Expanse Incident playbooks. This Playbook is meant to be used as a subplaybook to enrich Public Cloud Assets (i.e. IP addresses and FQDNs) by: - Searching the corresponding Region and Service by correlating the provided IPs with IP range feeds retrieved from Public Cloud Providers (require TIM and Public Cloud feeds such as AWS Feed integrations to be enabled). - Searching IPs and FQDNs in Prisma Cloud inventory (requires Prisma Cloud). |
| Expanse Find Cloud IP Address Region and Service | Subplaybook for Expanse Enrich Cloud Assets subplaybook. This playbook is used to find the corresponding Public Cloud Region (i.e. AWS us-east-1) and Service (i.e. AWS EC2) for a provided IP Address. It works by correlating the provided IP address with the IP Range Indicators (CIDRs) that can be collected from Public Cloud feeds (i.e. AWS Feed) in XSOAR. CIDR Indicators must be tagged properly using the corresponding tags (i.e. AWS for AWS Feed): tags can be configured in the Feed Integrations and must match the ones provided in the inputs of this playbook. Correlation is done based on the longest match (i.e. smaller CIDR such as /20 range wins over a bigger one such as /16). |
| Expanse Load-Create List | Sub-playbook to support Expanse Handle Incident playbook. Loads a list to be used in the Expanse playbook. Creates the list if it does not exist. |
| Expanse Unmanaged Cloud | Subplaybook for bringing rogue cloud accounts under management. |
| Expanse VM Enrich | This Playbook is used to verify that all assets found by Expanse are being scanned by a vulnerability management tool by: - Searching the IP and / or domain of the identified Expanse asset in the vulnerability management tool This playbook expects an incident with an IP or a Domain to exist in the context. |
| Export Single Alert to ServiceNow - PANW IoT 3rd Party Integration | This playbook handles incidents triggered in the PANW IoT (Zingbox) UI by sending the alert to ServiceNow. |
| Export Single Asset to SIEM - PANW IoT 3rd Party Integration | This playbook handles incidents triggered in the PANW IoT (Zingbox) UI by sending the alert to your SIEM. |
| Export Single Vulnerability to ServiceNow - PANW IoT 3rd Party Integration | This playbook to handles incidents triggered in the PANW IoT (Zingbox) UI by sending the vulnerability to ServiceNow. |
| Extract and Create Relationships | Extract and enrich indicators |
| Extract and Enrich Expanse Indicators | Subplaybook for Handle Expanse Incident playbooks. Extract and Enrich Indicators (CIDRs, IPs, Certificates, Domains and DomainGlobs) from Expanse Incidents. Enrichment is performed via enrichIndicators command and generic playbooks. Returns the enriched indicators. |
| Extract Indicators - Generic | Deprecated. We recommend using extractIndicators command instead. Extract indicators from input data. |
| Extract Indicators From File - Generic | Deprecated. Use the "Extract Indicators From File - Generic v2" playbook instead.\ \ Extracts indicators from a file. Supported file types: - TXT - HTM, HTML - DOC, DOCX |
| Extract Indicators From File - Generic v2 | This playbook extracts indicators from a file. Supported file types: - CSV - TXT - HTM, HTML - DOC, DOCX - PPT - PPTX - RTF - XLS - XLSX - XML |
| ExtraHop - CVE-2019-0708 (BlueKeep) | This server received a Remote Desktop Protocol (RDP) connection request that is consistent with a known vulnerability, also known as BlueKeep, in older versions of Microsoft Windows. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network. Investigate to determine if this server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. MITIGATION OPTIONS - Disable Remote Desktop Services if they are not required - Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 - Configure firewalls to block traffic on TCP port 3389 |
| ExtraHop - Default | Default playbook to run for all ExtraHop Detection incidents. This playbook handles ticket tracking as well as triggering specific playbooks based on the name of the ExtraHop Detection. |
| ExtraHop - Get Peers by Host | Given a host, the playbook will retrieve the peer network devices that communicated with that host in a given time range. In addition to a list of peers and protocols (sorted by bytes) the playbook returns a link to the ExtraHop Live Activity Map to visualize the peer relationships. |
| ExtraHop - Ticket Tracking | Deprecated. Use the "ExtraHop - Ticket Tracking v2" playbook instead.\ \ Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes. |
| ExtraHop - Ticket Tracking v2 | Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes. |
| Failed Login Playbook - Slack v2 | Deprecated. Use the Slack - General Failed Logins v2.1 playbook. When there are three failed login attempts to Demisto that originate from the same user ID, a direct message is sent to the user on Slack requesting that they confirm the activity. If the reply is "no", then the incident severity is set to "high". If the reply is "yes", then another direct message is sent to the user asking if they require a password reset in AD. |
| FalconX Detonate and Analyze File | This playbook uploads, detonates, and analyzes files for the Falcon X sandbox. |
| Field Polling - Generic | This playbook polls a field to check if a specific value exists. |
| File Enrichment - File reputation | Get file reputation using one or more integrations |
| File Enrichment - Generic | Deprecated. Use "File Enrichment - Generic v2" playbook instead. Enrich a file using one or more integrations. File enrichment includes: File history Threat information * File reputation |
| File Enrichment - Generic v2 | Enrich a file using one or more integrations. - Provide threat information |
| File Enrichment - RST Threat Feed | Enrich File hashes using RST Threat Feed integrations |
| File Enrichment - Virus Total Private API | Get file information using the Virus Total Private API integration. |
| File Enrichment - VMRay | Get file information using the VMRay integration. |
| File Reputation | This playbook checks the file reputation and sets the verdict as a new context key. The verdict is composed by 3 main components: VirusTotal detection rate Digital certificate signers * NSRL DB Note: a user can provide a list of trusted signers of his own using the playbook inputs |
| File Reputation - ReversingLabs TitaniumCloud | Provides file reputation data for a file (malicious, suspicious, known good or unknown). Required TitaniumCloud API rights: TCA-0101 |
| FireEye Helix Archive Search | Create an archive search in FireEye Helix, and fetch the results as events. |
| FireEye HX - Isolate Endpoint | This playbook will auto isolate endpoints by the endpoint ID that was provided in the playbook. |
| FireEye HX - Unisolate Endpoint | This playbook unisolates endpoints according to the hostname/endpoint ID that is provided by the playbook input. |
| FireEye Red Team Tools Investigation and Response | This playbook does the following: Collect indicators to aid in your threat hunting process. - Retrieve IOCs of FireEye red team tools. - Discover IOCs of associated activity related to the infection. - Generate an indicator list to block indicators with SUNBURST tags. Hunt for the indicators - Search endpoints with the FireEye red team tools CVEs. - Search endpoint logs for FireEye red team tools hashes. - Search and link previous incidents with the FireEye hashes. If compromised hosts are found, fire off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team. |
| FireMon Create Policy Planner Ticket | Creates a new Policy Planner Ticket for PolicyPlanner in FMOS box. |
| FireMon Pre Change Assessment | Validates and Return Pre Changes Assessment on Rules added as Requirement. |
| Forensics Tools Analysis | This playbook allows the user to analyze forensic evidence acquired from a host, such as registry files and PCAP files. |
| FortiSandbox - Loop for Job Submissions | Playbook used to retrieve job id for submissions of fortisandbox using the submission id. |
| FortiSandbox - Loop For Job Verdict | Playbook used to retrieve the verdict for a specific job id for a sample submitted to FortiSandbox |
| FortiSandbox - Upload Multiple Files | Playbook used to upload files to FortiSandbox |
| GDPR Breach Notification | This playbook triggers by a GDPR breach incident, and then performs the required tasks that are detailed in GDPR Article 33. The General Data Protection Regulation (the GDPR) is a regulation in EU law on data protection and privacy of individuals. The GDPR introduces the requirement for a personal data breach to be notified to the competent national supervisory authority and in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach. ***Disclaimer: This playbook does not ensure compliance to the GDPR regulation. Before using this playbook, we advise consulting with the relevant authority, and adjusting it to the organization's needs. |
| GenericPolling | Use this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete. This playbook implements polling by continuously running the command in Step #2 until the operation completes. The remote action should have the following structure: 1. Initiate the operation. 2. Poll to check if the operation completed. 3. (optional) Get the results of the operation. |
| GenericPolling-FortiSIEM | This playbook executes a search query to retrieve FortiSIEM Events. |
| Get Email From Email Gateway - FireEye | This playbook retrieves a specified EML/MSG file directly from FireEye Email Security or Central Management. |
| Get Email From Email Gateway - Generic | This playbook retrieves a specified EML/MSG file directly from the email security gateway product. |
| Get Email From Email Gateway - Mimecast | This playbook retrieves a specified EML/MSG file directly from Mimecast. |
| Get Email From Email Gateway - Proofpoint Protection Server | This playbook retrieves a specified EML/MSG file directly from the Proofpoint Protection Server. |
| Get endpoint details - Generic | This playbook uses the generic command !endpoint to retrieve details on a specific endpoint. This command currently supports the following integrations: - Palo Alto Networks Cortex XDR - Investigation and Response. - CrowdStrike Falcon. |
| Get File Sample By Hash - Carbon Black Enterprise Response | Returns to the war-room a file sample correlating to MD5 hashes in the input using Carbon Black Enterprise Response integration |
| Get File Sample By Hash - Cylance Protect | Deprecated. Use "Get File Sample By Hash - Cylance Protect v2" playbook instead. |
| Get File Sample By Hash - Cylance Protect v2 | This playbook returns a file sample to the War Room given the file's SHA256 hash, using Cylance Protect v2 integration. |
| Get File Sample By Hash - Generic | Deprecated. Use "Get File Sample By Hash - Generic v2" playbook instead. Returns to the war-room a file sample correlating from a hash using one or more products |
| Get File Sample By Hash - Generic v2 | This playbook returns a file sample correlating to a hash in the war-room using the following sub-playbooks: - Get File Sample By Hash - Carbon Black Enterprise Response - Get File Sample By Hash - Cylance Protect v2 |
| Get File Sample By Hash - Generic v3 | This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks: - Get binary file by MD5 hash from Carbon Black telemetry data - VMware Carbon Black EDR v2. - Get the threat (file) attached to a specific SHA256 hash - Cylance Protect v2. |
| Get File Sample From Path - Carbon Black Enterprise Response | Returns a file sample to the war-room from a path on an endpoint using Carbon Black Enterprise Response |
| Get File Sample From Path - D2 | Returns a file sample to the war-room from a path on an endpoint using Demisto Dissolvable Agent (D2) Input: Credentials - credentials to use when trying to deploy Demisto Dissolvable Agent (D2) (default: Admin) ${Endpoint.Hostname} - deploy agent on target endpoint * ${File.Path} - file's path to collect |
| Get File Sample From Path - Generic | Returns a file sample to the war-room from a path on an endpoint using one or more integrations inputs: * UseD2 - if "True", use Demisto Dissolvable Agent (D2) to return the file (default: False) |
| Get File Sample From Path - Generic V2 | This playbook returns a file sample correlating to a path into the War Room using the following sub-playbooks: inputs: 1) Get File Sample From Path - D2. 2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API). |
| Get File Sample From Path - Generic V3 | This playbook returns a file sample from a specified path and host that you input in the following playbooks: 1) PS Remote Get File Sample From Path. 2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API). |
| Get File Sample From Path - VMware Carbon Black EDR - Live Response API | This playbook retrieves a file from a path on an endpoint using VMware Carbon Black EDR (Live Response API). Make sure to provide the Carbon Black sensor ID of the endpoint from which you want to retrieve the file. |
| Get host forensics - Generic | This playbook retrieves forensics from hosts for the following integrations: - Illusive Networks - Microsoft Defender For Endpoint |
| Get Original Email - EWS | This playbook retrieves the original email in a thread, including headers and attachments, when the reporting user forwarded the original email not as an attachment. Note:\ You must have the necessary eDiscovery permissions in the EWS integration to execute a global search. |
| Get Original Email - EWS v2 | This v2 playbook retrieves the original email in a thread as an EML file (and not an email object as in the previous version) by using the EWS v2 or EWSO365 integration. It also reduces the number of tasks to perform the fetch action. Note: You must have the necessary eDiscovery permissions in the EWS integration to execute a global search. |
| Get Original Email - Generic | Use this playbook to retrieve the original email in the thread, including headers and attahcments, when the reporting user forwarded the original email not as an attachment. You must have the necessary permissions in your email service to execute global search. - EWS: eDiscovery - Gmail: Google Apps Domain-Wide Delegation of Authority |
| Get Original Email - Generic v2 | This v2 playbook is used inside the phishing flow. The inputs in this version do not use labels and also allow the user to supply an email brand. Note: You must have the necessary permissions in your email service to execute a global search. To retrieve the email files directly from the email service providers, use one of the provided inputs (Agari Phishing Defense customers should also use the following): - EWS: eDiscovery - Gmail: Google Apps Domain-Wide Delegation of Authority - MSGraph: As described in the message-get API and the user-list-messages API - EmailSecurityGateway retrieves EML files from: FireEye EX FireEye CM Proofpoint Protection Server Mimecast |
| Get Original Email - Gmail | Use this playbook to retrieve the original email in the thread, including headers and attahcments, when the reporting user forwarded the original email not as an attachment. You must have the necessary permissions in your Gmail service to execute global search: Google Apps Domain-Wide Delegation of Authority |
| Get Original Email - Gmail v2 | This v2 playbook uses the reporter's email headers to retrieve the original email. This decreases the number of tasks to retrieve the original email. Use this playbook to retrieve the original email using the Gmail integration, including headers and attachments. Note: You must have the necessary Google Apps Domain-Wide Delegation of Authority permissions in your Gmail service to execute global search. |
| Get Original Email - Microsoft Graph Mail | This playbook retrieves the original email using the Microsoft Graph Mail integration. Note: You must have the necessary permissions in the Microsoft Graph Mail integration as described in the message-get API and the user-list-messages API |
| Get RaDark Detailed Items | Enriches RaDark incident with detailed items. |
| Get the binary file from Carbon Black by its MD5 hash | This playbook retrieves a binary file by its MD5 hash from the Carbon Black telemetry data. |
| Google Vault - Display Results | This is a playbook for queuing and displaying vault search result |
| Google Vault - Search Drive | This is a playbook for performing Google Vault search in Drive accounts and display the results. |
| Google Vault - Search Groups | This is a playbook for performing Google Vault search in Groups and display the results. |
| Google Vault - Search Mail | This is a playbook for performing Google Vault search in Mail accounts and display the results. |
| HAFNIUM - Exchange 0-day exploits | This playbook includes the following tasks: Collect indicators to be used in your threat hunting process Retrieve IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities Discover IOCs related to the attack Query firewall logs to detect malicious network activity Search endpoint logs for malicious hashes to detect compromised hosts (Available from Cortex XSOAR 5.5.0). Block indicators Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. Read more about the attack on our Unit42 blog: https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/ Sources: https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ |
| Handle Darktrace Model Breach | Handles each fetched Darktrace model breach by gathering additional detail about the activity and device, providing enrichment data from Darktrace and XSOAR, linking similar incidents, and giving the ability to acknowledge the model breach and close the incident. |
| Handle Expanse Incident | Main Playbook to Handle Expanse Incidents. There are several phases: 1. Enrichment: all the related information from the incident is extracted, and related indicators (IP, CIDR, Domain, DomainGlob, Certificate) are created and enriched. 2. Validation: the found IP and FQDN are correlated with the information available in other products: - Firewall logs from Cortex Data Lake, Panorama, and Splunk. - User information from Active Directory. - Public IP address from AWS/GCP/Azure public IP feeds to identify the Public Cloud region and service (i.e., us-west-1 on AWS EC2). - IP and FQDN from Prisma Cloud inventory. 3. Shadow IT check: based on the information found, the playbook can suggest whether the discovered issue corresponds to an asset that is known to the InfoSec team (i.e., there are firewall logs present, or the asset is protected by Prisma Cloud, or is part of an IP range associated to the company). 4. Attribution: based on the information collected above, the analyst is prompted to assign this issue to an Organization Unit, which is a group within the company with a specific owner. The analyst can choose from existing Organization Units (stored in an XSOAR list) or define a new one. 5. Response: depending on the issue type, several remediation actions can be automatically and manually performed, such as: - Tagging the asset in Expanse with a specific Organization Unit tag. - Blocking the service on PAN-OS (if a firewall is deployed in front of the service). - Creating a new Shadow IT issue (if the asset is detected to be Shadow IT and the analyst confirms it) - Adding the service to a Vulnerability Management system - Linking the incident to a related Prisma Cloud alert for the asset (if the asset is found under Prisma Cloud inventory) - Bringing rogue cloud accounts under management |
| Handle Expanse Incident - Attribution Only | Shorter version of Handle Expanse Incident playbook with only the Attribution part. There are several phases: 1. Enrichment: all the related information from the incident is extracted and related Indicators (of types IP, CIDR, Domain, DomainGlob, Certificate) are created and enriched. 2. Validation: the found IP and FQDN are correlated with the information available in other products: - Firewall logs from Cortex Data Lake, Panorama and Splunk - User information from Active Directory - Public IP address from AWS/GCP/Azure public IP feeds to identify the Public Cloud region and Service (i.e. us-west-1 on AWS EC2) - IP and FQDN from Prisma Cloud inventory 3. Shadow IT check: based on the information found, the playbook can suggest whether the discovered issue corresponds to an asset that is known to the InfoSec team (i.e. there are firewall logs present, or the asset is protected by Prisma Cloud, or is part of an IP range associated to the Company). 4. Attribution: based on the information collected above, the Analyst is prompted to assign this issue to an Organization Unit, that is a group within the Company with a specific owner. The Analyst can choose from existing Organization Units (stored in an XSOAR list) or define a new one. |
| Handle False Positive Alerts | This playbook handles false positive alerts. It creates an alert exclusion or alert exception, or adds a file to an allow list based on the alert fields and playbook inputs. |
| Handle Hello World Alert | This is a playbook which will handle the alerts coming from the Hello World service |
| Handle Hello World Premium Alert | This is a playbook which will handle the alerts coming from the Hello World Premium service |
| Handle Shadow IT Incident | This Playbook is used to handle a Shadow IT incident. A Shadow IT incident occurs when a resource attributed to the organization that is not sanctioned by IT nor protected by the InfoSec team is found. This playbook handles the incident by helping the analyst to find the owner of the resource based on existing evidence. The playbook also marks the service indicators (IP or FQDN) with a Shadow IT tag. The possible owner and their manager are notified and onboarding of the asset on Prisma Cloud is triggered through a manual process. |
| Handle TD events | Playbook to enrich TD events |
| Health Check - Collect Log Bundle | Collect Log bundle and parse data Holding the default Thresholds: { "LargeInvestigations": { "numberofincidentswithmorethan500entries": 300, "numberofincidentsbiggerthan10mb": 1, "numberofincidentsbiggerthan1mb": 300 }, "LargeInputsOutputs": { "numberofincidentsIObiggerthan10mb": 1, "numberofincidentsIObiggerthan1mb": 10 }, "Indicators": { "relatedIndicatorCount": 100 }, "CPU": { "CPUHighUsage": 90, "CPULowUsage": 30, "CPUMediumUsage": 70 }, "Disk": { "DiskUsageHigh": 90, "DiskUsageMedium": 80, "DiskUsageLow": 70, "DiskUsageDailyIncrease": 2 }, "Docker": { "DockerContainerCPUUsage": 10, "DockerContainerRAMUsage": 10 }, "DB": { "FSPartitionsMedium": 12, "FSPartitionsLow": 6 }, "Playbooks": { "CustomPlaybookLength": 30, "CustomPlaybookSetIncidentCount": 4, "CustomPlaybookDeprecatedScriptIds": [ "Sleep", "EmailAskUser" ] }, "Incidents": { "NumberOfDroppedIncidents": 2000 } } |
| Health Check - Log Analysis Read All files | Parse files from log bundle output |
| HealthCheck | New version for HealthCheck main playbook |
| HelloWorld Scan | This Playbook simulates a vulnerability scan using the "HelloWorld" sample integration. It's used to demonstrate how to use the GenericPolling mechanism to run jobs that take several seconds or minutes to complete. It is designed to be used as a subplaybook, but you can also use it as a standalone playbook, by providing the ${Endpoint.Hostname} input in the Context. Other inputs include the report output format (JSON context or File attached), and the Interval/Timeouts to use for polling the scan status until it's complete. |
| HelloWorldPremium_Scan | This Playbook simulates a vulnerability scan using the "HelloWorld" sample integration. It's used to demonstrate how to use the GenericPolling mechanism to run jobs that take several seconds or minutes to complete. It is designed to be used as a subplaybook, but you can also use it as a standalone playbook, by providing the ${Endpoint.Hostname} input in the Context. Other inputs include the report output format (JSON context or File attached), and the Interval/Timeouts to use for polling the scan status until it's complete. |
| HIPAA - Breach Notification | USA Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers organizations that use, store, or process Private Health Information (PHI). The HIPAA Breach Notification Rule requires companies that deal with health information to disclose cybersecurity breaches; the disclosure will include notification to individuals, to the media, and the Secretary of Health and Human Services. This playbook is triggered by a HIPAA breach notification incident and follows through with the notification procedures. DISCLAIMER: Please consult with your legal team before implementing this playbook. ** Source: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html |
| Hostname And IP Address Investigation And Remediation - Chronicle | This playbook receives ChronicleAsset type of indicators from its parent playbook "ChronicleAsset Investigation - Chronicle", performs enrichment and investigation for each one of them, provides an opportunity to isolate and block the hostname or IP address associated with the current indicator, and provides a list of isolated and blocked entities. |
| Humio QueryJob Poll | Run and poll a Humio Query Job |
| Hunt Extracted Hashes | Deprecated. Use the Hunt Extracted Hashes V2 playbook instead. This playbook extracts IOCs from the incident details and attached\ \ files using regular expressions and then hunts for hashes on endpoints in the organization\ \ using available tools.\nThe playbook supports multiple types of attachments. For\ \ the full supported attachments list, refer to \"Extract Indicators From\ \ File - Generic v2\". |
| Hunt Extracted Hashes V2 | This playbook extracts IOCs from the incident details and attached files using regular expressions and then hunts for hashes on endpoints in the organization using available tools. The playbook supports multiple types of attachments. For the full supported attachments list, refer to "Extract Indicators From File - Generic v2". |
| Hunt for bad IOCs | Deprecated. Use the Search Endpoints By Hash playbook. Assume that malicious IOCs are in the right place in the context and start hunting using available tools. |
| Hunting C&C Communication Playbook | Deprecated. A playbook to use the latest Threat Intelligence to hunt across your infrastructure and look for malicious C&C communications. |
| Hurukai - Add indicators to HarfangLab EDR | This playbook add indicators to a HarfangLab EDR IOC source list for detection and/or blocking. |
| Hurukai - Alert management | Manager security events from HarfangLab EDR |
| Hurukai - Get All Artifacts | Build a global archive with: - MFT (Windows) - Hives (Windows) - USN logs (Windows) - Prefetch files (Windows) - EVT/EVTX files (Windows) - Log files (Linux) - Filesystem content (Linux) |
| Hurukai - Get Artifact Evtx | Get Evt/evtx log files |
| Hurukai - Get Artifact Filesystem | Get a CSV list of files in a Linux filesystem |
| Hurukai - Get Artifact Hives | Get the RAW hives |
| Hurukai - Get Artifact Logs | Get all the log files |
| Hurukai - Get Artifact MFT | Get the raw MFT |
| Hurukai - Get Artifact RAM Dump | Get a RAM dump from Windows and Linux endpoints. |
| Hurukai - Get Driver List | Get the list of loaded drivers |
| Hurukai - Get Network Connection List | Get the list of active network connections |
| Hurukai - Get Network Share List | Get the list of network shares |
| Hurukai - Get Persistence List | Get the list of persistence means |
| Hurukai - Get Pipe List | Get the list of named pipes |
| Hurukai - Get Prefetch List | Get the list of prefetch files |
| Hurukai - Get Process List | Get the list of processes |
| Hurukai - Get Runkey List | Get the list of RUN keys |
| Hurukai - Get Scheduled Task List | Get the list of scheduled tasks |
| Hurukai - Get Service List | Get the list of services |
| Hurukai - Get Session List | Get the list of active sessions |
| Hurukai - Get Startup List | Get the list of startup files |
| Hurukai - Get WMI List | Get the list of WMI items |
| Hurukai - Hunt IOCs | This playbook allows is triggered by the Hurukai - Process Indicators - Manual Review playbook. It allows to search for IOC sightings in the HarfangLab EDR and tag sighted IOCs accordingly for manual review. All IOCs are tagged in order to be further inserted into a HarfangLab EDR IOC source. |
| Hurukai - Process Indicators - Manual Review | This playbook tags indicators ingested by feeds that require manual approval. The playbook is triggered due to a job. The indicators are tagged as requiring a manual review. The playbook optionally concludes with creating a new incident that includes all of the indicators that the analyst must review. To enable the playbook, the indicator query needs to be configured. An example query is a list of the feeds whose ingested indicators should be manually reviewed. For example, sourceBrands:"Feed A" or sourceBrands:"Feed B". |
| Hybrid-analysis quick-scan | Use this playbook to run quick-scan command with generic-polling |
| IAM - Activate User In Active Directory | This playbook activates users in Active Directory. It generates a password, sets the account with the new password, and enables the account. Additionally, it sends out an email to the email provided in the "ITNotificationEmail" input which includes the new user’s temporary password for preparing new hires’ environments. |
| IAM - App Sync | Syncs users to apps from which the user was added or removed. The playbook utilizes the "IAM Configuration" incident type to determine which integration instance the command needs to execute in. It creates or disables the user according to the fetched event type, tracks errors if there are any, and assigns an analyst to review the incident when needed. |
| IAM - App Update | Syncs user information in the apps to which they are assigned in Okta. The playbook utilizes the "IAM Configuration" incident type to determine which integration instance the update needs to execute in. In addition it tracks errors if there are any, and assigns an analyst to review the incident when needed. |
| IAM - Configuration | As the default playbook for the "IAM - Configuration" incident type, when an "IAM - Configuration" incident is created this playbook runs automatically and closes any previous incidents of the same type. |
| IAM - Create User In Active Directory | This playbook creates and initializes new users in Active Directory. |
| IAM - Custom Post-provisioning | Use this playbook to add custom post-provisioning steps to your sync process. |
| IAM - Custom Pre-provisioning | Use this playbook to add custom pre-provisioning steps to your sync process. |
| IAM - Custom User Sync | Use this playbook to add custom steps to your sync process. |
| IAM - Deactivate User In Active Directory | This playbook deactivates users in Active Directory. |
| IAM - Group Membership Update | Updates user permissions in apps according to their group memberships in Okta. |
| IAM - New Hire | This playbook creates users across all available organization applications from new hire events fetched from Workday. |
| IAM - Rehire User | This playbook set a user's status in the organization to rehired by updating the incident information and User Profile indicator with values indicating a rehire, and enabling the account in the supported apps. |
| IAM - Send Failed Instances Notification | Sends notifications about applications where provisioning failed. |
| IAM - Send Provisioning Notification Email | Sends emails for successful application provisionings. Uses the app-provisioning-settings list. |
| IAM - Sync User | This playbook runs on fetched Workday events. The events are changes to employee data, which in turn require a CRUD operation across your organization's apps. The playbook examines the data received from Workday, and provisions the changes in a User Profile indicator in Cortex XSOAR as well as all the supported IAM integrations that are active. |
| IAM - Terminate User | This playbook sets the user status to terminated in the organization by updating the incident information and User Profile indicator with values indicating termination, and disabling the account in the supported apps. |
| IAM - Test Instances | This playbook is used to test configured Identity Lifecycle Management integration instances by executing generic CRUD commands. If one of the instances fails to execute a command, the playbook will fail and the errors are printed to the Print Errors task at the end of the playbook. |
| IAM - Update User | This playbook updates users in the organization by updating the incident information and User Profile indicator with the updated values, and updating the account in the supported apps. with the new information. |
| Illinois - Breach Notification | This playbook helps an analyst determine if the breached data meets the criteria for breach notification according to Illinois law, and, if necessary, follows through with the notification procedures. DISCLAIMER: Please consult with your legal team before implementing this playbook. Source: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act. https://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf |
| Illusive - Data Enrichment | This playbook is used for automatic enrichment of incidents in the organization network, with Illusive's set of forensics and data |
| Illusive - Incident Escalation | This playbook is used for creating an automatic analysis of the Illusive's incident details, in order to end up with a certain score or a set of insights that will enable automatic decisions and actions. |
| Illusive-Collect-Forensics-On-Demand | This playbook is used to collect forensics on-demand on any compromised host and retrieve the forensics timeline upon successful collection. |
| Illusive-Retrieve-Incident | This playbook is used for retrieving an extensive view over a detected incident by retrieving the incident details and a forensics timeline if and when forensics have been successfully collected. |
| Impossible Traveler | This playbook investigates an event whereby a user has multiple application login attempts from various locations in a short time period (impossible traveler). The playbook gathers user, timestamp and IP information associated with the multiple application login attempts. The playbook then measures the time difference between the multiple login attempts and computes the distance between the two locations to verify whether it is possible the user could traverse the distance in the amount of time determined. Also, it takes steps to remediate the incident by blocking the offending IPs and disabling the user account, if chosen to do so. |
| Impossible Traveler - Enrichment | This playbook get as an input all of the involved IP addresses and identities from the Impossible Traveler playbook alert, and enriches them based on the following: Geo location Active Directory * IP enrichment e.g. VirusTotal, AbuseIPDB, etc. |
| Impossible Traveler Response | This playbook handles impossible traveler alerts. An Impossible Traveler event occurs when multiple login attempts seen for a user from multiple remote countries in a short period of time, which shouldn't be possible. This may indicate the account is compromised. Attacker's Goals: Gain user-account credentials. Investigative Actions: Investigate the IP addresses and identities involved in the detected activity using: Impossible Traveler - Enrichment playbook CalculateGeoDistance automation Response Actions The playbook's first response actions are based on the data available within the alert. In that phase, the playbook will execute: Manual block indicators if the IP address found malicious Manual disable user Manual clear of the user’s sessions (Okta) When the playbook continues, after validating the activity with the user’s manager, another phase of response actions is being executed, which includes: Auto block indicators External Resources: Impossible traveler alert |
| Incident Postprocessing - Group-IB Threat Intelligence & Attribution | Obtains additional information on the threat actor involved in the incident and associates related indicators to the incident. |
| Incremental Export Devices to ServiceNow - PANW IoT 3rd Party Integration | Playbook to be run every 15 minutes via a job. Each run will get incremental updates for devices to send to ServiceNow server. |
| Incremental Export to Cisco ISE - PANW IoT 3rd Party Integration | Playbook to be run every 15 minutes via a job. Each run will get incremental updates for devices, and will update or create new endpoints in Cisco ISE with PANW IOT discovered attributes (ISE custom attributes). |
| Incremental Export to SIEM - PANW IoT 3rd Party Integration | This playbook should be run as a job at an interval of every 15 minutes. Each run will get incremental updates for devices, alerts, and vulnerabilities and send CEF syslogs to the configured SIEM server. |
| Indicator Enrichment - Qintel | Enriches indicators from Qintel products |
| Indicator Pivoting - DomainTools Iris | Pivots are used to gather data that share a common attribute with a domain. For instance, pivoting on an IP Address will give you back all domains related to that IP address. |
| Integrations and Incidents Health Check - Running Scripts | This playbook is triggered by a 'JOB - Integrations and Playbooks Health' playbook and is responsible for running failed integrations and failed incidents scripts. The playbook may run separately from the main playbook to run health tests on enabled integrations and open incidents. |
| Intezer - Analyze by hash | Analyze the given file hash on Intezer Analyze and enrich the file reputation. Supports SHA256, SHA1, and MD5. |
| Intezer - Analyze Uploaded file | Upload a file to Intezer Analyze to analyze and enrich the file reputation. (up to 150 MB) |
| Intezer - scan host | Uses Demisto D2 agent to scan a host using Intezer scanner. Input: Hostname (default: ${Endpoint.Hostname}) OS (default: windows) * Credentials (default: Admin) |
| Investigate On Bad Domain Matches - Chronicle | Use this playbook to investigate and remediate Bad IOC domain matches with recent activity found in the enterprise, as well as notify the SOC lead and network team about the matches. Supported Integrations: - Chronicle - Whois - Mail Sender (New) - Palo Alto Networks PAN-OS - Palo Alto Networks AutoFocus v2 |
| IP Enrichment - External - Generic v2 | Enrich IP addresses using one or more integrations. - Resolve IP addresses to hostnames (DNS) - Provide threat information - Separate internal and external addresses |
| IP Enrichment - External - RST Threat Feed | Enrich IP addresses using one or more integrations. - Resolve IP addresses to hostnames (DNS) - Provide threat information - Separate internal and external addresses |
| IP Enrichment - Generic | Deprecated. Enrich IP using one or more integrations. IP enrichment includes: Resolve IP to Hostname (DNS) Threat information Separate internal and external addresses IP reputation * For internal addresses, get host information |
| IP Enrichment - Generic v2 | Enrich IP addresses using one or more integrations. - Resolve IP addresses to hostnames (DNS) - Provide threat information - Separate internal and external IP addresses - For internal IP addresses, get host information |
| IP Enrichment - Internal - Generic v2 | Enrich Internal IP addresses using one or more integrations. - Resolve IP address to hostname (DNS) - Separate internal and external IP addresses - Get host information for IP addresses |
| IP Enrichment - XM Cyber | Enrich IP addresses using XM Cyber integration. - Resolve IP address to entity - Get entity information for IP addresses regarding impact on critical assets and complexity of compromise |
| IP Reputation-GreyNoise | Playbook for the ip reputation command |
| IP Whitelist - AWS Security Group | Sync a list of IP addresses to an AWS Security Group. |
| IP Whitelist - GCP Firewall | Set a list of IP addresses in GCP firewall. |
| IP Whitelist And Exclusion - RiskIQ Digital Footprint | Adds the IP Address(es) to allow list after checking if it should be added to allow list according to the user inputs provided. This playbook also adds these IP Address indicators to the exclusion list and tags it with the "RiskIQ Whitelisted IP Address" tag. |
| IQ-HUB Automation | This playbook is used to retrieve real-time detections and progressions data generated by events on different systems present in the network. |
| Ironscales-Classify-Incident | Classify an Ironscales incident |
| Isolate Endpoint - Cybereason | This playbook isolates an endpoint based on the hostname provided. |
| Isolate Endpoint - Generic | This playbook isolates a given endpoint using the following integrations: - Carbon Black Enterprise Response - Palo Alto Networks Traps |
| Isolate Endpoint - Generic V2 | This playbook isolates a given endpoint using various endpoint product integrations. Make sure to provide valid playbook inputs for the integration you are using. |
| IT - Employee Offboarding | This playbook offboards company employees to maintain organizational security and prevent abuse of company resources. It streamlines the process of returning company property, delegates resources to the employee's manager, retains important data that is in possession of the employee, and deletes the user and user information if chosen to do so. |
| IT - Employee Offboarding - Manual | This playbook provides a manual alternative to the IT - Employee Offboarding playbook. The playbook guides the user in the process of manually offboarding an employee. |
| Jira Change Management | If you are using PAN-OS/Panorama firewall and Jira as a ticketing system, this playbook will be a perfect match for your change management for firewall process. This playbook is triggered by afetch from Jira and will help you manage and automate your change management process. |
| Jira Ticket State Polling | Use Jira Incident State Polling as a sub-playbook when required to pause the execution of a master playbook until the Jira ticket state is either resolved or closed. This playbook implements polling by continuously running the jira-get-issue command until the state is either resolved or closed. |
| JOB - Cortex XDR query endpoint device control violations | A job to periodically query Cortex XDR device control violations by a given timestamp in a relative date playbook input. The collected data, if found, will be generated for a new incident. You can configure the created new incident type in the playbook input and use the XDR Device Control Violations incident type to associate it with the response playbook. The job includes an incident type with a dedicated layout to visualize the collected data. To configure the job correctly: 1. Create a new recurring job. 2. Configure the recurring schedule. 3. Add a name. 4. Configure the type to XDR Device Control Violations. 5. Configure this playbook as the job playbook. The scheduled run time and the timestamp relative date should be identical. If the job recurs every 7 days, the timestamp should be 7 days as well. |
| JOB - Integrations and Incidents Health Check | You should run this playbook as a scheduled job. The playbook checks the health of all enabled integrations and open incidents. |
| JOB - Integrations and Incidents Health Check - Lists handling | This playbook is triggered by a 'JOB - Integrations and Playbooks Health' playbook and is responsible for creating or updating related XSOAR lists. |
| JOB - PANW NGFW TS Agent Cleanup | Run this playbook as a job to cleanup disconnected TS Agents |
| JOB - Popular News | Playbook can be run ad-hoc or as a Job to fetch results from Popular News sites |
| JOB - XSOAR - Export Selected Custom Content | This playbook is intended to be run as an adhoc job to quickly create a custom content bundle with only selected items from the servers custom content. Then you can import this new zip on the other XSOAR server. Create a Job with the Type “XSOAR Dev to Prod”, and select this playbook to get started. For more information on Jobs: https://xsoar.pan.dev/docs/incidents/incident-jobs |
| JOB - XSOAR - Simple Dev to Prod | This playbook is intended to be run as an adhoc job to quickly create a custom content bundle with only selected items from the servers custom content. You can import this new zip on the other XSOAR server, or push it to production using the Demisto REST API integration. Please ensure to read the setup instructions for this pack carefully. Create a Job with the Type “XSOAR Dev to Prod”, and select this playbook to get started. For more information on Jobs: https://xsoar.pan.dev/docs/incidents/incident-jobs |
| Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack | On July 2nd, Kaseya company has experienced an attack against the VSA (Virtual System/Server Administrator) product. Kaseya customers pointed out a ransomware outbreak in their environments. Further investigation revealed that REvil group exploited VSA zero-day vulnerabilities for authentication bypass and arbitrary command execution. This allowed the attacker to deploy ransomware on Kaseya customers' endpoints. This playbook should be trigger manually and includes the following tasks: Collect related known indicators from several sources. Indicators, PS commands, Registry changes and known HTTP requests hunting using PAN-OS, Cortex XDR and SIEM products. Splunk advanced queries can be modified through the playbook inputs. QRadar query is done using Reference Set and "QRadar Indicator Hunting V2" playbook Search for internet facing Kaseya VSA servers using Xpanse. Block indicators automatically or manually. Provide advanced hunting and detection capabilities. Mitigation using Kaseya On-Premises and SaaS patch. More information: Kaseya Incident Overview & Technical Details Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. |
| Launch And Fetch Compliance Policy Report - Qualys | Launches a compliance policy report and then fetches the report when it's ready. |
| Launch And Fetch Compliance Report - Qualys | Launches a compliance report and fetches the report when it's ready. |
| Launch And Fetch Host Based Findings Report - Qualys | Launches a host based report and fetches the report when it's ready. |
| Launch And Fetch Map Report - Qualys | Launches a map scan report and fetches the report when it's ready. |
| Launch And Fetch Patch Report - Qualys | Launches a patch report and fetches the report when it's ready. |
| Launch And Fetch PC Scan - Qualys | Launches a PC scan and fetches the scan when it's ready. |
| Launch And Fetch Remediation Report - Qualys | Launches a remediation report and fetches the report when it's ready. |
| Launch And Fetch Scan Based Findings Report - Qualys | Launches a scan based report and fetcesh the report when it's ready. |
| Launch And Fetch Scheduled Report - Qualys | Launches a scheduled report and fetches the report when it's ready. |
| Launch And Fetch VM Scan - Qualys | Launches a scan and fetches the scan when it's ready. |
| Launch Scan - Tenable.sc | Launches an existing Tenable.sc scan by scan ID and waits for the scan to finish by polling its status in pre-defined intervals. |
| List Cisco Stealthwatch Security Events | This playbook lists security events and returns the results to the context. |
| List Device Events - Chronicle | This playbook receives ChronicleAsset identifier information and provides a list of events related to each one of them. Supported integration: - Chronicle |
| Local Analysis alert Investigation | When an unknown executable, DLL, or macro attempts to run on a Windows or Mac endpoint, the Cortex XDR agent uses local analysis to determine if it is likely to be malware. Local analysis uses a static set of pattern-matching rules that inspect multiple file features and attributes, and a statistical model that was developed with machine learning on WildFire threat intelligence. Investigative Actions: Investigate the executed process image and verify if it is malicious using: XDR trusted signers VT trusted signers VT detection rate NSRL DB Response Actions The playbook's first response action is a containment plan which is based on the initial data provided within the alert. In that phase, the playbook will execute: Auto block indicators Auto file quarantine Manual endpoint isolation When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes containment and eradication, is executed. This phase will execute the following containment actions: Manual block indicators Manual file quarantine Auto endpoint isolation And the following eradication actions: Manual process termination Manual file deletion * Manual reset of the user’s password External resources: Malware Protection Flow |
| LogPoint SIEM Playbook | LogPoint SIEM Playbook guides users on use cases like blocking IP and domain and disabling users using products like CheckPoint Firewall, Active Directory, and VirusTotal. The actions depicted in the playbook helps analysts create their playbooks based on actual requirements and products deployed. (Available from Cortex XSOAR 6.0.0). |
| Logrhythm - Search query | This playbook used generic polling to gets query result using the command: lr-execute-search-query |
| LogRhythmRestV2 - Search query | This playbook used generic polling to get query results using the command: lr-execute-search-query. |
| Logz.Io Handle Alert | Handles a Logz.io Alert by retrieving the events that generated it. |
| Logz.io Indicator Hunting | This playbook queries Logz.io in order to hunt indicators such as File Hashes IP Addresses Domains \ URLS And outputs the related users, IP addresses, host names for the indicators searched. |
| Lost / Stolen Device Playbook | This manual playbook handles an incident for a lost or stolen device. It guides the analyst through various steps to validate the type of device and its contents, and the required steps for response and remediation. Initial incident details should be the name of the reporting person or ID of the SIEM alert/incident, and description of the lost device. |
| LSASS Credential Dumpin | This playbook is focused on detecting Credential Dumping attack as researched by Accenture Security analysts and engineers. |
| Malware Investigation & Response Incident Handler | This playbook is triggered by a malware incident from an endpoint integration. It performs enrichment, detonation, and hunting within the organization, and remediation on the malware. The playbook also covers the SIEM ingestion flow in which the fetching integration is the SIEM and EDR integrations grab all additional data. Currently supported EDR integrations are XDR, CrowdStrike Falcon and Microsoft Defender for Endpoint. Currently supported SIEM integrations are QRadar and Splunk. |
| Malware Investigation - Generic | Deprecated. Use "Endpoint Malware Investigation - Generic" playbook instead. Investigate a malware using one or more integrations |
| Malware Investigation - Generic - Setup | Deprecated. Verify file sample and hostname information for the "Malware Investigation - Generic" playbook. If the file sample or hostname are missing, the playbook will attempt to retrieve them using one or more integrations |
| Malware Investigation - Manual | Deprecated. Use 'Malware Investigation & Response Incident handler' instead. (From the 'Malware Investigation And Response Pack') Master playbook for investigating suspected malware presence on an endpoint. Labels: - System: the hostname for the endpoint being investigated |
| Malware Investigation and Response - Set Alerts Grid | This playbook sets the alert grid for the Malware Investigation & Response layout. |
| Malware Playbook - Manual | Deprecated. Use "Malware Investigation - Manual" playbook instead. Master playbook for investigating suspected malware presence on an endpoint. Labels: - System: the hostname for the endpoint being investigated |
| Malware SIEM Ingestion - Get Incident Data | This playbook handles incident ingestion from the SIEM. The user provides which EDR system to use, the field containing the incident ID or detection ID, and the field indicating whether the ingested item is an incident or detection. |
| MAR - Endpoint data collection | Use McAfee Active Response to collect data from an endpoint for IR purposes (requires ePO as well). Input: * Hostname (Default: ${Endpoint.Hostname}) |
| McAfee ePO Endpoint Compliance Playbook | Deprecated. Use "McAfee ePO Endpoint Compliance Playbook v2" playbook instead. Discover endpoints that are not using the latest McAfee AV Signatures |
| McAfee ePO Endpoint Compliance Playbook v2 | Discover endpoints that are not using the latest McAfee AV signatures. |
| McAfee ePO Endpoint Connectivity Diagnostics Playbook v2 | Perform a check on ePO endpoints to see if any endpoints are unmanaged or lost connectivity with ePO and take steps to return to a valid state. |
| McAfee ePO Repository Compliance Playbook | Deprecated. Use "McAfee ePO Repository Compliance Playbook v2" playbook instead. Ensures that ePO servers are updated to the latest McAfee published AV signatures (DAT file version). |
| McAfee ePO Repository Compliance Playbook v2 | Ensures that ePO servers are updated to the latest McAfee published AV signatures (DAT file version). |
| MDE - False Positive Incident Handling | This playbook handles closing false positive incidents for Microsoft Defender for Endpoint. |
| MDE - Host Advanced Hunting | This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature based on the provided inputs. |
| MDE - Host Advanced Hunting For Network Activity | This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host network activity. |
| MDE - Host Advanced Hunting For Persistence | This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host persistence evidence. |
| MDE - Host Advanced Hunting For Powershell Executions | This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host PowerShell executions. |
| MDE - Pro-Active Actions | This playbook supports investigation actions for the analyst, including: - Running a full AV scan for a specific endpoint - Requesting an investigation package (a zip file containing forensic data with a size of ~ 15MB) from an endpoint. - Requesting to run automatic investigation on an endpoint. |
| MDE - Retrieve File | This playbook uses the Live Response feature to retrieve a file from an endpoint./nNote that the endpoint id will be set from the incident field "Device ID". |
| MDE - True Positive Incident Handling | This Playbook handles closing a true positive incident for Microsoft Defender for Endpoint. |
| MDE Malware - Incident Enrichment | This playbook enriches Microsoft Defender For Endpoint alerts. The enrichment is done on the involved endpoint and Mitre technique ID information, and it sets the 'Malware-Investigation and Response' layout. |
| MDE Malware - Investigation and Response | This playbook investigates Microsoft Defender For Endpoint malware alerts. It uses - Microsoft Defender For Endpoint Advanced Hunting - Command Line Analysis - Deduplication - Sandbox hash search and detonation - Proactive investigation actions (AV scan, investigation package collection, running automated investigation on an endpoint) - Microsoft Defender For Endpoint alert enrichment - Incident handling (true/false positive) |
| MDE SIEM ingestion - Get Incident Data | This playbook handles incident ingestion from a SIEM. The user provides the incident fields containing the alert ID. This playbook also enables changing the severity according to a user-defined scale to override the default assigned severity. |
| Microsoft 365 Defender - Emails Indicators Hunt | This playbook retrieves email data based on the "URLDomain", "SHA256" and "IPAddress" inputs. SHA256 - Emails with attachments matching the "SHA256" input are retrieved. URLDomain - If the "URLDomain" value is found as a substring of URL(s) in the body of the email, the email is retrieved. IPAddress - Emails with "SenderIPv4"/SenderIPv6" or URLs (in the body) matching the "IPAddress" input are retrieved. |
| Microsoft Defender Advanced Threat Protection Get Machine Action Status | This playbook used generic polling to get machine action information. |
| Microsoft Defender For Endpoint - Collect investigation package | This playbook simplifies retrieving investigation packages to Cortex XSOAR from supported machines (See https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/collect-investigation-package?view=o365-worldwide). The playbook receives information about the target devices (host name, IP, and device ID), validates the devices exist, and retrieves the collection package from those machines into the Cortex XSOAR console. Note: This action may take time, the average package size is around ~15 MB. |
| Microsoft Defender For Endpoint - Isolate Endpoint | This playbook accepts an endpoint ID, IP, or host name and isolates it using the Microsoft Defender For Endpoint integration. |
| Microsoft Defender For Endpoint - Unisolate Endpoint | This playbook accepts an endpoint ID, IP, or host name and unisolates it using the Microsoft Defender For Endpoint integration. |
| Mirror Jira Ticket | Mirror Jira Ticket is designed to serve as a sub-playbook, which enables ticket mirroring with Jira. |
| Mirror ServiceNow Ticket | Mirror ServiceNow Ticket is designed to serve as a sub-playbook, which enables ticket mirroring with ServiceNow. It enables you to manage ServiceNow tickets in Cortex xSOAR while data is continuously synced between ServiceNow and Cortex xSOAR, including ServiceNow schema, fields, comments, work notes, and attachments. To enable OOTB mirroring, use the ServiceNow Create ticket - common mappers for incoming and outgoing mirroring. FieldPolling - You can the FieldPolling value to true if you only want to be informed when the ticket is resolved or closed. If FieldPolling is set to true, the FieldPolling Playbook will poll for the state(ServiceNow State field) of the ServiceNow ticket until it marks as either resolved or closed. In Addition to the playbook, we recommend that you use the included layout for ServiceNow Ticket, which helps visualize ServiceNow ticket information in Cortex xSOAR. You can add the new layout as a tab to existing layouts using the Edit Layout page. |
| MITRE ATT&CK - Courses of Action | This is the parent playbook, which contains all phases and remediates MITRE ATT&CK techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. The playbook utilizes several other MITRE ATT&CK remediation playbooks. The playbook follows the MITRE ATT&CK kill chain phases and takes action to protect the organization from the inputted techniques, displaying and implementing security policy recommendations for Palo Alto Networks products. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Possible playbook triggers: - The playbook can be triggered by a feed integration fetching indicators that contain MITRE ATT&CK techniques as “Feed Related Indicators”, using the "MITRE ATT&CK - Courses of Action - Job" playbook. - The playbook can be triggered manually for specific MITRE ATT&CK techniques using the ‘techniqueByIncident’ playbook input. - An incident that contains MITRE ATT&CK technique IDs using the ‘techniqueByIncident’ playbook input. |
| MITRE ATT&CK - Courses of Action Trigger Job | This is a wrapper playbook for the "MITRE ATT&CK - Courses of Action" use-case. Possible playbook triggers: - Through a job, by a feed integration fetching indicators that contain MITRE ATT&CK techniques as “Feed Related Indicators”, or with custom inputs. - Through an incident, using custom playbook inputs. Once triggered, the playbook will create a new incident from type "MITRE ATT&CK CoA". The incident will trigger the playbook "MITRE ATT&CK - Courses of Action", which contains all phases and remediates MITRE ATT&CK techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). |
| MITRE ATT&CK CoA - T1003 - OS Credential Dumping | This playbook Remediates the OS Credential Dumping technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1003: OS Credential Dumping Kill Chain phases: - Defense Evasion MITRE ATT&CK Description: Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and to access restricted information. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1005 - Data from Local System | This playbook Remediates the Data from Local System technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1005: Data from Local System Kill Chain phases: - Collection MITRE ATT&CK Description: Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1021.001 - Remote Desktop Protocol | This playbook Remediates the Remote Desktop Protocol technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1021.001: Remote Desktop Protocol Kill Chain phases: - Lateral Movement MITRE ATT&CK Description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1027 - Obfuscated Files or Information | This playbook Remediates the Obfuscated Files or Information technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1027: Obfuscated Files or Information Kill Chain phases: - Defense Evasion MITRE ATT&CK Description: Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1041 - Exfiltration Over C2 Channel | This playbook Remediates the Exfiltration Over C2 Channel technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1041: Exfiltration Over C2 Channel Kill Chain phases: - Exfiltration MITRE ATT&CK Description: Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1048 - Exfiltration Over Alternative Protocol | This playbook Remediates the Exfiltration Over Alternative Protocol technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1048: Exfiltration Over Alternative Protocol Kill Chain phases: - Exfiltration MITRE ATT&CK Description: Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. Exfiltration Over Alternative Protocol can be done using various common operating system utilities such as Net/SMB or FTP. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1057 - Process Discovery | This playbook Remediates the Process Discovery technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1057: Process Discovery Kill Chain phases: - Discovery MITRE ATT&CK Description: Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1059 - Command and Scripting Interpreter | This playbook Remediates the Command and Scripting Interpreter technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1059: Command and Scripting Interpreter Kill Chain phases: - Execution MITRE ATT&CK Description: Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript/JScript and Visual Basic. Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1059.001 - PowerShell | This playbook Remediates the Command and Scripting Interpreter technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1059.001: Command and Scripting Interpreter: PowerShell Kill Chain phases: - Execution MITRE ATT&CK Description: Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. [1] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1068 - Exploitation for Privilege Escalation | This playbook Remediates the Exploitation for Privilege Escalation technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1068: Exploitation for Privilege Escalation Kill Chain phases: - Privilege Escalation MITRE ATT&CK Description: Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising a endpoint system that has been properly configured and limits other privilege escalation methods. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1071 - Application Layer Protocol | This playbook Remediates the Application Layer Protocol technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1071: Application Layer Protocol Kill Chain phases: - Command And Control MITRE ATT&CK Description: Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1078 - Valid Accounts | This playbook Remediates the Valid Accounts technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1078: Valid Accounts Kill Chain phases: - Defense Evasion - Persistence - Privilege Escalation - Initial Access MITRE ATT&CK Description: Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1082 - System Information Discovery | This playbook Remediates the System Information Discovery technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1082: System Information Discovery Kill Chain phases: - Discovery MITRE ATT&CK Description: An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Tools such as Systeminfo can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges. Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1083 - File and Directory Discovery | This playbook Remediates the File and Directory Discovery technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1083: File and Directory Discovery Kill Chain phases: - Discovery MITRE ATT&CK Description: Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. Custom tools may also be used to gather file and directory information and interact with the Native API. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1105 - Ingress tool transfer | This playbook Remediates the Ingress tool transfer technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1105: Ingress tool transfer Kill Chain phases: - Command And Control MITRE ATT&CK Description: Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1110 - Brute Force | This playbook Remediates the Brute Force technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1110 : Brute Force Kill Chain phases: - Credential Access MITRE ATT&CK Description: Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1133 - External Remote Services | This playbook Remediates the External Remote Services technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1133: External Remote Services Kill Chain phases: - Persistence - Initial Access MITRE ATT&CK Description: Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1135 - Network Share Discovery | This playbook Remediates the Network Share Discovery technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1135: Network Share Discovery Kill Chain phases: - Discovery MITRE ATT&CK Description: Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. [1][2] Net can be used to query a remote system for available shared drives using the net view \remotesystem command. It can also be used to query shared drives on the local system using net share. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1189 - Drive-by Compromise | This playbook Remediates the Drive-by Compromise technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1189: Drive-by Compromise Kill Chain phases: - Initial Access MITRE ATT&CK Description: Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1199 - Trusted Relationship | This playbook Remediates the Trusted Relationship technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1199: Trusted Relationship Kill Chain phases: - Initial Access MITRE ATT&CK Description: Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1204 - User Execution | This playbook Remediates the User Execution technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1204: User Execution Kill Chain phases: - Execution MITRE ATT&CK Description: An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1486 - Data Encrypted for Impact | This playbook Remediates the Data Encrypted for Impact technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1486: Data Encrypted for Impact Kill Chain phases: - Impact MITRE ATT&CK Description: Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.[1][2][3][4] In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR. To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1518 - Software Discovery | This playbook Remediates the Software Discovery technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1518: Software Discovery Kill Chain phases: - Discovery MITRE ATT&CK Description: Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to Exploitation for Privilege Escalation. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1543.003 - Windows Service | This playbook Remediates the Windows Service technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1543.003: Create or Modify System Process: Windows Service Kill Chain phases: - Persistence - Privilege Escalation MITRE ATT&CK Description: Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.[1] Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg. Adversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1547 - Boot or Logon Autostart Execution | This playbook Remediates the Boot or Logon Autostart Execution technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1547: Boot or Logon Autostart Execution Kill Chain phases: - Persistence - Privilege Escalation MITRE ATT&CK Description: Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.[1][2][3][4][5] These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1547.001 - Registry Run Keys Startup Folder | This playbook Remediates the Registry Run Keys / Startup Folder technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Kill Chain phases: - Persistence - Privilege Escalation MITRE ATT&CK Description: Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. [1] These programs will be executed under the context of the user and will have the account's associated permissions level. Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1560.001 - Archive via Utility | This playbook Remediates the Data Encrypted technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1560.001: Archive Collected Data: Archive via Utility Kill Chain phases: - Exfiltration MITRE ATT&CK Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip[1], WinRAR[2], and WinZip[3]. Most utilities include functionality to encrypt and/or compress data. Some 3rd party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1562.001 - Disable or Modify Tools | This playbook Remediates the Disable or Modify Tools technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1562.001: Impair Defenses: Disable or Modify Tools Kill Chain phases: - Defense Evasion MITRE ATT&CK Description: Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1564.004 - NTFS File Attributes | This playbook Remediates the NTFS File Attributes technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1564.004: NTFS File Attributes Kill Chain phases: - Defense Evasion MITRE ATT&CK Description: Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. [1] Within MFT entries are file attributes, [2] such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1566 - Phishing | This playbook Remediates the Phishing technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1566: Phishing Kill Chain phases: - Initial Access MITRE ATT&CK Description: Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of Valid Accounts. Phishing may also be conducted via third-party services, like social media platforms. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1566.001 - Spear-Phishing Attachment | This playbook Remediates the Spear-Phishing Attachment technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1566.001: Spear-Phishing Attachment Kill Chain phases: - Initial Access MITRE ATT&CK Description: Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1569.002 - Service Execution | This playbook Remediates the Service Execution technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1569.002: System Services: Service Execution Kill Chain phases: - Execution MITRE ATT&CK Description: Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.[1] The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net. PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.[2] Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| MITRE ATT&CK CoA - T1573.002 - Asymmetric Cryptography | This playbook Remediates the Standard Cryptographic Protocol technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - 1573.002: Encrypted Channel: Asymmetric Cryptography Kill Chain phases: - Command And Control MITRE ATT&CK Description: Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal. For efficiency, may protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as Asymmetric Cryptography. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Mitre Attack - Extract Technique Information From ID | This playbook accepts as input MITRE techniques IDs. It returns the MITRE technique name and full technique data using the MITRE integration. |
| Modify EDL | Adds indicators to or removes indicators from an external dynamic list (EDL) by adding or removing an indicator tag. The EDL itself is generated by using the Cortex XSOAR Generic Export Indicators Service integration and querying on a tag in the Indicator Query parameter. Incident fields that control the behavior of this playbook: - EDL Action: Whether to add or remove EDL indicators. - EDL Indicators List: Input list of indicators to add to or remove from EDL (according to the value of EDL Action). - EDL Tag: Tag value in the Generic Export Indicators Service integration instance Indicator Query, which controls which indicators are on the EDL. - EDL Indicator Type: (Only relevant if adding to EDL) Type of indicators to add to EDL. |
| NetOps - Firewall Version and Content Upgrade | Network operations playbook that updates the version and content of the firewall. You must have Superuser permissions to update the PAN-OS version. |
| NetOps - Upgrade PAN-OS Firewall Device | Network operations playbook that upgrades the firewall. You must have Superuser permissions to update the PAN-OS version. Note: This playbook should only be used for minor version upgrades. Major version upgrades will not work due to a change in the API key. |
| New York - Breach Notification | This playbook helps an analyst determine if the breached data meets the criteria for breach notification according to New York State law, and, if necessary, follows through with the notification procedures. DISCLAIMER: Please consult with your legal team before implementing this playbook. Sources: https://ag.ny.gov/internet/data-breach https://www.dos.ny.gov/consumerprotection/pdf/infosecbreach03.pdf https://www.nysenate.gov/legislation/laws/GBS/899-AA |
| Nexpose - Create and Download Report | Use this playbook as a sub-playbook to configure a report and download it. This playbook implements polling by continuously running the `nexpose-get-report-status` command until the operation completes. The remote action should have the following structure: 1. Initiate the operation - insert the type of the report (sites, scan, or assets) and it's additional arguments if required. 2. Poll to check if the operation completed. 3. Get the results of the operation. |
| NGFW Internal Scan | This playbook investigates a scan where the source is an internal IP address. An attacker might initiate an internal scan for discovery, lateral movement and more. Attacker's Goals: An attacker can leverage a scan for open ports and vulnerable systems on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services. Investigative Actions: Endpoint Investigation Plan playbook Response Actions The playbook's response actions are based on the Endpoint Investigation Plan playbook results. In that phase, the playbook will execute: Auto endpoint isolation Manual block indicators Manual file quarantine |
| NGFW Remove Offline TS Agent | Check if TS Agent server is offline and deregister it from the NGFW |
| NGFW Scan | This playbook handles external and internal scanning alerts. Attacker's Goals: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. Investigative Actions: Investigate the scanner IP address using: IP enrichment: NGFW Internal Scan playbook Endpoint Investigation Plan playbook Entity enrichment Response Actions The playbook's response actions are based on the initial data provided within the alert. In that phase, the playbook will execute: Automatically block IP address Report IP address (If configured as true in the playbook inputs) When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes the Containment Plan playbook, is executed. This phase will execute the following containment actions: Automatically isolate involved endpoint Manual block indicators Manual file quarantine Manual disable user External resources: Mitre technique T1046 - Network Service Scanning Port Scan |
| NIST - Handling an Incident Template | This playbook contains the phases to handling an incident as described in the 'Handling an Incident' section of NIST - Computer Security Incident Handling Guide. Handling an incident - Computer Security Incident Handling Guide https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf |
| NIST - Lessons Learned | This playbook assists in processing an incident after it occurs and facilitates the lessons learned stage. |
| NOBELIUM - wide scale APT29 spear-phishing | On May 27, 2021, Microsoft reported a wide scale spear phishing campaign attributed to APT29, the same threat actor responsible for the SolarWinds campaign named SolarStorm. This attack had a wide range of targets for an APT spear phishing campaign with 3,000 email accounts targeted within 150 organizations. https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ This playbook includes the following tasks: - Collect IOCs to be used in your threat hunting process - Query FW, SIEMs, EDR, XDR to detect malicious hashes, network activity and compromised hosts - Block known indicators ** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. |
| Notify Stock Above Price | This playbook sends a message on Telegram when a stock price rises higher than a predefined price |
| NSA - 5 Security Vulnerabilities Under Active Nation-State Attack | Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and The Dukes) frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation. This playbook should be trigger manually and includes the following tasks: - Enrich related known CVEs reported in the US agencies alert. - Search for unpatched endpoints vulnerable to the exploits. - Search for vulnerable assets facing the internet using Expanse. Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: [Cyber Security Advisory] (https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF) |
| O365 - Security And Compliance - Search | This playbook performs the following steps: 1. Creates a compliance search. 2. Starts a compliance search. 3. Waits for the compliance search to complete. 4. Gets the results of the compliance search as an output. 5. Gets the preview results, if specified. |
| O365 - Security And Compliance - Search Action - Delete | This playbook performs the following steps: 1. Creates a new compliance search action Purge - Hard or Soft. 2. Waits for the compliance search action to complete. 3. Retrieves the delete search action. |
| O365 - Security And Compliance - Search Action - Preview | This playbook perform: 1. Creates a new compliance search action - Preview (Base on created compliance search). 2. Waits for the preview action to complete. 3. Retrieves the preview results. |
| O365 - Security And Compliance - Search And Delete | This playbook performs the following steps: 1. Creates a compliance search. 2. Starts a compliance search. 3. Waits for the compliance search to complete. 4. Gets the results of the compliance search. 5. Gets the preview results, if specified. 6. Deletes the search results (Hard/Soft). |
| Office 365 Search and Delete | Run a ComplianceSearch on Office 365 and delete the results. |
| Online Brand Protection Detect and Respond | Analyzes the domains and URLs in suspicious emails, reported by end users, to determine if the phishing campaign is impersonating your company’s brand. Playbook can then trigger a domain take down email, with forensic evidence, to a target address. |
| OpenCTI Create Indicator | Create indicator at OpenCTI. |
| Palo Alto Networks - Endpoint Malware Investigation | This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps. The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation for the extracted file. It then performs IOC enrichment with Minemeld for all related IOCs, and calculates the incident severity based on all the findings. In addition we detonate the file for the full analysis report. The analyst can perform a manual memory dump for the suspected endpoint based on the incident’s severity, and choose to isolate the source endpoint with Traps. Hunting tasks to find more endpoints that are infected is performed automatically based on a playbook input, and after all infected endpoints are found, remediation for all malicious IOCs is performed, including file quarantine, and IP and URLs blocking with Palo Alto Networks FireWall components such as Dynamic Address Groups and Custom URL Categories. After the investigation review the incident is automatically closed. |
| Palo Alto Networks - Endpoint Malware Investigation v2 | Deprecated. Use the "Palo Alto Networks - Endpoint Malware Investigation v3"\ \ playbook instead. This playbook is triggered by a Palo Alto Networks Cortex threat alert,\ \ generated by Traps. The playbook performs host enrichment for the source host\ \ with Palo Alto Networks Traps, enriches information for the suspicious file with\ \ Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation\ \ for the extracted file. It then performs IOC enrichment with Minemeld for all\ \ related IOCs, and calculates the incident severity based on all the findings.\ \ In addition we detonate the file for the full analysis report. \nThe analyst can\ \ perform a manual memory dump for the suspected endpoint based on the incident’s\ \ severity, and choose to isolate the source endpoint with Traps.\nHunting tasks\ \ to find more endpoints that are infected is performed automatically based on a\ \ playbook input, and after all infected endpoints are found, remediation for all\ \ malicious IOCs is performed, including file quarantine, and IP and URLs blocking\ \ with Palo Alto Networks FireWall components such as Dynamic Address Groups and\ \ Custom URL Categories.\nAfter the investigation review the incident is automatically\ \ closed. |
| Palo Alto Networks - Endpoint Malware Investigation v3 | This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps. The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation for the extracted file. It then performs IOC enrichment with Minemeld for all related IOCs, and calculates the incident severity based on all the findings. In addition we detonate the file for the full analysis report. The analyst can perform a manual memory dump for the suspected endpoint based on the incident’s severity, and choose to isolate the source endpoint with Traps. Hunting tasks to find more endpoints that are infected is performed automatically based on a playbook input, and after all infected endpoints are found, remediation for all malicious IOCs is performed, including file quarantine, and IP and URLs blocking with Palo Alto Networks FireWall components such as Dynamic Address Groups and Custom URL Categories. After the investigation review the incident is automatically closed. |
| Palo Alto Networks - Hunting And Threat Detection | This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on hashes, IP addresses, or domain names provided manually or from outputs by other playbooks. With the received indicators, the playbook leverages data received by PANW products including, Cortex Data Lake, Autofocus and Pan-OS to search for IP addresses, host names and users related to the provided indicators. The output provided by the playbook facilitates pivoting searches for possibly affected IP addresses or users. |
| Palo Alto Networks - Malware Remediation | This Playbook performs malicious IOC remediation using Palo Alto Networks integrations. |
| Palo Alto Networks BPA - Submit Scan | This playbook accepts a list of BPA checks, triggers a job and returns the checks results. |
| PAN-OS - Add Static Routes | This playbook accepts a PAN-OS static route configuration and creates it in the PAN-OS instance. |
| PAN-OS - Apply Security Profile to Policy Rule | This playbook is used to apply a PAN-OS security profile to a policy rule. The playbook performs the following tasks: - Accepts a rule name to apply the security profile to. - Applies the security profile to the rule if the rule exists. If not, creates the rule and applies. - Commits the configuration. |
| PAN-OS - Block all unknown and unauthorized applications | This playbook is used to find and remove all rules that allow unauthorized applications communication as any. The playbook performs the following tasks: - Lists PAN-OS policy rules. - Checks for a rule that allows applications as any. - Deletes the rule based on user approval. - Commits the configuration. |
| PAN-OS - Block Destination Service | This playbook blocks a Destination IP and Service (TCP or UDP port) by creating a rule for a specific Device Group on PAN-OS. |
| PAN-OS - Block Domain - External Dynamic List | Deprecated. Use Generic Export Indicators Service instead. |
| PAN-OS - Block IP - Custom Block Rule | This playbook blocks IP addresses using Custom Block Rules in Palo Alto Networks Panorama or Firewall. The playbook receives malicious IP addresses as inputs, creates a custom bi-directional rule to block them, and commits the configuration. |
| PAN-OS - Block IP - Static Address Group | This playbook blocks IP addresses using Static Address Groups in Palo Alto Networks Panorama or Firewall. The playbook receives malicious IP addresses and an address group name as inputs, verifies that the addresses are not already a part of the address group, adds them and commits the configuration. ***Note - The playbook does not block the address group communication using a policy block rule. This step will be taken once outside of the playbook. |
| PAN-OS - Block IP and URL - External Dynamic List | Deprecated. Use "PAN-OS - Block IP and URL - External Dynamic List v2" playbook instead. This playbook blocks IP addresses and URLs using Palo Alto Networks Panorama or Firewall External Dynamic Lists. It checks if the EDL configuration is in place with the 'PAN-OS EDL Setup' sub-playbook (otherwise the list will be configured), and adds the input IPs and URLs to the relevant lists. |
| PAN-OS - Block IP and URL - External Dynamic List v2 | Deprecated. Use Generic Export Indicators Service instead. |
| PAN-OS - Block URL - Custom URL Category | This playbook blocks URLs using Palo Alto Networks Panorama or Firewall through Custom URL Categories. The playbook checks whether the input URL category already exists, and if the URLs are a part of this category. Otherwise, it will create the category, block the URLs, and commit the configuration. |
| PAN-OS - Create Or Edit Rule | Creates or edits a Panorama rule and moves it into the desired position |
| PAN-OS - Delete Static Routes | This playbook deletes a PAN-OS static route from the PAN-OS instance. |
| PAN-OS - Enforce Anti-Spyware Best Practices Profile | This playbook enforces the Anti-Spyware Best Practices Profile as defined by Palo Alto Networks BPA. The playbook performs the following tasks: - Check for DNS Security license (If license is not activated, the playbook refers users to their Palo Alto Networks account manager for further instructions). - Get the existing profile information. - Get the best practices profile information. - Check if the best practices profile set by Cortex XSOAR is enforced. (If not, the playbook allows the user to compare the existing profile with the best practices and decide on the action to take). - Create best practices profile. - Apply profile to policy rules on PAN-OS firewall or Panorama. |
| PAN-OS - Enforce Anti-Virus Best Practices Profile | This playbook enforces the Anti-Virus Best Practices Profile as defined by Palo Alto Networks BPA. The playbook performs the following tasks: - Check for Threat Prevention license (If license is not activated, the playbook refers users to their Palo Alto Networks account manager for further instructions). - Get the existing profile information. - Get the best practices profile information. - Check if the best practices profile set by Cortex XSOAR is enforced. (If not, the playbook allows the user to compare the existing profile with the best practices and decide on the action to take). - Create best practices profile. - Apply profile to policy rules on PAN-OS firewall or Panorama. |
| PAN-OS - Enforce File Blocking Best Practices Profile | This playbook enforces the File Blocking Best Practices Profile as defined by Palo Alto Networks BPA. The playbook performs the following tasks: - Get the existing profile information. - Get the best practices profile information. - Check if the best practices profile set by Cortex XSOAR is enforced. (If not, the playbook allows the user to compare the existing profile with the best practices and decide on the action to take). - Create best practices profile. - Apply profile to policy rules on PAN-OS firewall or Panorama. |
| PAN-OS - Enforce URL Filtering Best Practices Profile | This playbook enforces the URL Filtering Best Practices Profile as defined by Palo Alto Networks BPA. The playbook performs the following tasks: - Check for URL Filtering license (If license is not activated, the playbook refers users to their Palo Alto Networks account manager for further instructions). - Get the existing profile information. - Get the best practices profile information. - Check if the best practices profile set by Cortex XSOAR is enforced. (If not, the playbook allows the user to compare the existing profile with the best practices and decide on the action to take). - Create best practices profile. - Apply profile to policy rules on PAN-OS firewall or Panorama. |
| PAN-OS - Enforce Vulnerability Protection Best Practices Profile | This playbook enforces the Vulnerability Protection Best Practices Profile as defined by Palo Alto Networks BPA. The playbook performs the following tasks: - Check for Threat Prevention license (If license is not activated, the playbook refers users to their Palo Alto Networks account manager for further instructions). - Get the existing profile information. - Get the best practices profile information. - Check if the best practices profile set by Cortex XSOAR is enforced. (If not, the playbook allows the user to compare the existing profile with the best practices and decide on the action to take). - Create best practices profile. - Apply profile to policy rules on PAN-OS firewall or Panorama. |
| PAN-OS - Enforce WildFire Best Practices Profile | This playbook enforces the WildFire Best Practices Profile as defined by Palo Alto Networks BPA. The playbook performs the following tasks: - Check for WildFire license (If license is not activated, the playbook refers users to their Palo Alto Networks account manager for further instructions). - Get the existing profile information. - Get the best practices profile information. - Check if the best practices profile set by Cortex XSOAR is enforced. (If not, the playbook allows the user to compare the existing profile with the best practices and decide on the action to take). - Create best practices profile. - Apply profile to policy rules on PAN-OS firewall or Panorama. |
| PAN-OS Commit Configuration | Commit the PAN-OS Panorama or Firewall configuration.\nIf specified as Panorama, it also pushes the Policies to the specified Device Group in the instance. |
| PAN-OS create or edit policy | This playbook will automate the process of creating or editing a policy. The first task in the playbook checks if there is a security policy that matches the playbook inputs. If there is no security policy that matches, a new policy will be created. If there is a security policy that matches, the user will be able to modify the existing policy or create a new hardened policy. |
| PAN-OS DAG Configuration | This playbook utilizes the Dynamic Address Group (DAG) capability of PAN-OS. DAG enables analysts to create a rule one time, where the group is the source/destination, and adds IP addresses dynamically without the need to commit the configuration every time. The playbook checks if the given tag already exists. If the tag exists, then the IP address is added to the tag. If the tag does not exist, a new address group is created with the given tag and a matching rule, and the configuration is committed. |
| PAN-OS edit policy | This playbook guides the user in the process of editing an existing policy. The playbook sends a data collection form to retrieve the relevant parameters for editing the existing rule. |
| PAN-OS EDL Service Configuration | Deprecated. No available replacement. This single-run playbook enables Cortex XSOAR's built-in External Dynamic List (EDL) as a service for system indicators, and configures PAN-OS EDL Objects and the respective firewall policy rules. The EDLs will continuously update for each indicator that matches the query syntax input in the playbook (to validate to which indicators the query applied, you need to enter the query syntax from the indicator tab at the top of the playbook inputs window as well). If both the IP and URL indicator types exist in the query, it sorts the indicators into two EDLs, IP and URL. If only one indicator type exists in the query, only one EDL is created. The playbook then creates EDL objects directing to the indicator lists and firewall policy rules in PAN-OS. - It is recommended to configure a dedicated EDL Service instance for the usage of this playbook. - If necessary to edit or update the EDL query after this playbook run, use the panorama-edit-edl command and panorama integration to update the URL containing the indicator query syntax. |
| PAN-OS EDL Setup | Deprecated. Use PAN-OS EDL Setup v3 playbook instead. Configures an external dynamic list in PAN-OS.\nIn the event that the file exists on the web server, it will sync it to demisto. Then it will create an EDL object and a matching rule. |
| PAN-OS EDL Setup v3 | Deprecated. Use Generic Export Indicators Service instead. |
| PAN-OS Log Forwarding Setup And Configuration | This playbook sets up and maintains log forwarding for the Panorama rulebase. It can be run when setting up a new instance, or as a periodic job to enforce log forwarding policy. You can either update all rules and override previous profiles, or update only rules that do not have a log forwarding profile configured. |
| PAN-OS logging to Cortex Data Lake - Action Required | This Playbook initiates the steps needed to investigate the PAN-OS logging to Cortex Data Lake problems. |
| PAN-OS Query Logs For Indicators | This playbook queries the following PAN-OS log types: traffic, threat, url, data-filtering and wildfire. The playbook accepts inputs such as IP. hash, and url. |
| PAN-OS to Cortex Data Lake Monitoring - Cron Job | This playbook verifies that your FWs sent logs to the Cortex Data Lake in the last 12 hours. An email notification will be sent if it's not the case. This playbook is designed to run as a job. |
| Panorama Query Logs | Query Panorama Logs of types: traffic, threat, url, data-filtering and wildfire. |
| PanoramaQueryTrafficLogs | Deprecated. Use "PAN-OS Query Logs For Indicators" playbook instead. Queries traffic logs in a PAN-OS Panorama or Firewall device. |
| PANW - Hunting and threat detection by indicator type | Deprecated. Use the "PANW - Hunting and threat detection by indicator type V2" playbook instead. |
| PANW - Hunting and threat detection by indicator type V2 | Deprecated. Use the "Palo Alto Networks - Hunting And Threat Detection"\ \ playbook instead. Integrations list - Cortex (Traps, PAN-OS, Analytics)\nThis is a multipurpose\ \ playbook used for hunting and threat detection. The playbook receives inputs based\ \ on hashes, IP addresses, or domain names provided manually or from outputs by\ \ other playbooks. \nWith the received indicators, the playbook leverages Palo Alto\ \ Cortex data received by products such as Traps, Analytics and Pan-OS to search\ \ for IP addresses and hosts related to that specific hash. \nThe output provided\ \ by the playbook facilitates pivoting searches for possibly affected hosts, IP\ \ addresses, or users. |
| PANW IoT Incident Handling with ServiceNow | This playbook creates a ServiceNow ticket after the incident is enriched by Palo Alto Networks IoT security portal (previously Zingbox Cloud). |
| PANW IoT ServiceNow Tickets Check | This playbook should be used in a recurring Job to check the ServiceNow ticket status for the Palo Alto Networks IoT (previously Zingbox) alerts or vulnerabilties. |
| PANW NGFW TS Agent Deployment | Deploy the PANW NGFW TS Agent to a Windows server |
| PANW Threat Vault - Signature Search | Deprecated. No available replacement. |
| PCAP Analysis | This playbook leverages all of the PCAP miner and PCAP file extractor sub playbook capabilities, including: Search for specific values in a PCAP file Parse and enrich detected indicators such as IP addresses, URLs, email addresses and domains found by the search . * Carve (extract) files found in the http, smb and other protocols and perform enrichment and detonation. |
| PCAP File Carving | This playbook is used to carve (extract) files from within PCAP files and perform enrichment and detonation of the extracted files. Supported PCAP file types are pcap, cap, pcapng. The playbook can handle one PCAP file per incident. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and adding an RSA certificate to decrypt SSL traffic. Additional options enable you to filter the files to extract according to the file extension or the actual file type (MIME), and limit the amount of files to extract. Another feature enables you to specify a filter to create a new smaller PCAP file. To display the results within the relevant incident fields, the playbook needs to run in a PCAP Analysis incident type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation. |
| PCAP Parsing And Indicator Enrichment | This playbook is used to parse and extract indicators within PCAP files and perform enrichment on the detected indicators. Supported file types are pcap, cap, pcapng. The playbook can handle one PCAP file per incident. The user inputs which indicator types are to be enriched including, email, URLs, IP addresses. The user can specify in the inputs which indicators are internal or that will be treated as internal (not enriched). The user can also specify a specific regex pattern to search for. Another option is to specify the protocol types to be printed to context for data extraction. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and add an RSA certificate to decrypt SSL traffic. To display the results within the relevant incident fields, the playbook needs to run in a PCAP Analysis incident type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation. |
| PCAP Search | This playbook is used to parse and search within PCAP files. Supported file types are pcap, cap, pcapng. The playbook can handle one PCAP file per incident. The user inputs which objects the playbook should search for in the PCAP. The values to search are IP addresses, CIDR ranges, and TCP or UDP ports or protocols. In the event that more than one input type was specified, specify in the QueryOperator input (such as IP addresses and TCP ports) if the PCAP filter query will use an AND or an OR operator between the inputs. Another option is to use advanced filters just like in Wireshark to use refined filters or for objects not specified in other inputs. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and adding an RSA certificate to decrypt SSL traffic. To display the results within the relevant incident fields, the playbook needs to run in a PCAP Analysis incident type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation. |
| Penfield Assign | This playbook invokes Penfield.AI backend to assign incident to an online analyst. |
| Pentera Filter And Create Incident | Sub-playbook to select specific entries from the Pentera action report and create incidents for each of the selected entries |
| Pentera Run Scan | |
| Pentera Run Scan and Create Incidents | This playbook will run a pentera task given the Pentera task name. It will generate the full action report that contains all the actions that Pentera made during the scan, and will create incidents according to the filters in the Pentera Filter and Create incidents playbook. |
| Phishing - Core | Provides a basic response to phishing incidents. Playbook features: - Calculates reputation for all indicators - Extracts indicators from email attachments - Calculates severity for the incident based on indicator reputation - Updates reporting user about investigation status - Allows manual remediation of the incident |
| Phishing - Core v2 | This playbook provides a basic response to phishing incidents, including: - Calculating reputation for all indicators - Extracting indicators from email attachments - Calculating severity for the incident based on indicator reputation - Updating the reporting user about investigation status - Enabling manual incident remediation This updated playbook uses: 1) Incident fields instead of labels 2) The "Process Email - Core v2" playbook |
| Phishing - Generic v3 | This playbook investigates and remediates a potential phishing incident. It engages with the user that triggered the incident while investigating the incident itself. Note: Final remediation tasks are always decided by a human analyst. |
| Phishing Alerts - Check Severity | This playbook calculates and assigns the incident severity based on the highest returned severity level from the following calculations: - Email security alert action - DBotScores of indicators - Critical assets - Email authenticity - Current incident severity - Microsoft Headers |
| Phishing Alerts Investigation | This playbook investigates and remediates potential phishing incidents produced by either an email security gateway or a SIEM product. It retrieves original email files from the email security gateway or email service provider and generates a response based on the initial severity, hunting results, and the existence of similar phishing incidents in XSOAR. No action is taken without an initial approval given by the analyst using the playbook inputs. |
| Phishing Investigation - Generic | Deprecated. Use "Phishing Investigation - Generic v2" playbook instead. Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself. The final remediation tasks are always decided by a human analyst. |
| Phishing Investigation - Generic v2 | Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself. The final remediation tasks are always decided by a human analyst. |
| Phishing Playbook - Manual | Master playbook for phishing incidents. This playbook is a manual playbook. |
| PhishingDemo-Onboarding | This playbook is part of the on-boarding experience, and focuses on phishing scenarios. To use this playbook, you'll need to enable the `on-boarding` integration and configure incidents of type `Phishing`. For more information, refer to the on-boarding walkthroughs in the help section. |
| PhishLabs - Populate Indicators | This playbook can be used in a job to populate indicators from PhishLabs, according to a defined period of time. |
| PhishLabs - Whitelist false positives | This playbook can be used in a job to add to the allow list indicators from PhishLabs that were classified as false positives, according to a defined period of time. |
| PhishUp Mail Scanner | Extracts URLs from mail body and checks URLs with PhishUp. Takes action based on PhishUp results. |
| PICUS - Attack Validation Automation | Picus Attack Validation Automation |
| PII Check - Breach Notification | The playbook checks for all various types of PII, however, each state determines what is considered PII, and which PII requires notification. DISCLAIMER: Please consult with your legal team before implementing this playbook. **Sources: http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.82 https://www.nysenate.gov/legislation/laws/GBS/899-AA and more for each state. |
| Policy Optimizer - Add Applications to Policy Rules | This playbook edits rules with unused applications or rules that are port based, and adds an application to the rule. It is used in PAN-OS - Policy Optimizer playbooks and includes communication tasks to get a rule name and the application to edit from the user. |
| Policy Optimizer - Generic | This playbook is triggered by the Policy Optimizer incident type, and can execute any of the following sub-playbooks: - Policy Optimizer - Manage Unused Rules - Policy Optimizer - Manage Rules with Unused Applications - Policy Optimizer - Manage Port Based Rules |
| Policy Optimizer - Manage Port Based Rules | This playbook migrates port-based rules to application-based allow rules to reduce the attack surface and safely enable applications on your network. |
| Policy Optimizer - Manage Rules with Unused Applications | This playbook helps identify and remove unused applications from security policy rules. If you have application-based security policy rules that allow a large number of applications, you can remove unused applications (applications never seen on the rules) from those rules to allow only applications actually seen in the rule’s traffic. This strengthens your security posture by reducing the attack surface. |
| Policy Optimizer - Manage Unused Rules | This playbook helps identify and remove unused rules that do not pass traffic in your environment. |
| Port Scan - External Source | This playbook remediates port scans originating outside of the organization's network. |
| Port Scan - Generic | Investigates a port scan incident. The incident may originate from outside or within the network. The playbook: - Enriches the hostname and IP address of the attacking endpoint - Escalates the incident in case a critical asset is involved - Hunts malware associated with the alerts across the organization - Blocks detected malware associated with the incident - Blocks IP addresses associated with the malware, if a malicious file was involved - Pivots from the attacking IP to detect and block malicious domains hosted on the IP (for external scan) - Isolates the attacking endpoint (for internal scan) - Allows manual blocking of ports through an email communication task If you're using one or more of the following products, make sure to configure their corresponding playbook inputs, respectively: Splunk - "Splunk Indicator Hunting" QRadar - "QRadar Indicator Hunting v2" Palo Alto Networks Cortex Data Lake/Panorma/Autofocus/Analytics - "PANW - Hunting and threat detection by indicator type V2" |
| Port Scan - Internal Source | Remediates port scans originating within the network. |
| Post Intrusion Ransomware Investigation | Provides the first step in the investigation of ransomware attacks. The playbook requires the ransom note and an example of an encrypted file (<1MB) to try to identify the ransomware and find a recovery tool via the online database. You will be guided with further investigation steps throughout the playbook, some of the key features are: - Encrypted file owner investigation - Endpoint forensic investigation - Active Directory investigation - Timeline of the breach investigation - Indicator and account enrichment Playbook settings and mapping: For the full operation of the playbook, the following data should be mapped to the relevant incident fields. Username - Usernames (common incident field) Hostname - Hostnames (common incident field) |
| Prisma Access - Logout User | This playbook forces logout of a specific user and computer from Prisma Access. |
| Prisma Access - Connection Health Check | Use the Prisma Access integration to run SSH CLI commands and query the connection states for all tunnels. If any tunnels are down - the playbook escalates to a manual task for remediation and provides recommendations on next steps in the task description. The playbook can be run as a job, or triggered from an incoming event to confirm an initial suspicion (such as a tunnel log from Cortex Data Lake) to validate that the issue still exists. |
| Prisma Access Whitelist Egress IPs on SaaS Services | Retrieve Prisma Access Egress IP for specific geographic zones and populate in security groups within cloud services. |
| Prisma Cloud - Find AWS Resource by FQDN | Find AWS resources by FQDN using Prisma Cloud inventory. Supported services: EC2, Application Load Balancer, ECS, Route53, CloudFront, S3, API Gateway. |
| Prisma Cloud - Find AWS Resource by Public IP | Find AWS resources by Public IP using Prisma Cloud inventory. Supported services: EC2, Network Load Balancer, ECS, Route53. |
| Prisma Cloud - Find Azure Resource by FQDN | Find Azure resources by FQDN using Prisma Cloud inventory. Supported services: Azure VM, Azure Load Balancer, Azure Application Gateway, AKS, Azure Web Apps, Azure Storage. |
| Prisma Cloud - Find Azure Resource by Public IP | Find Azure resources by Public IP using Prisma Cloud inventory. Supported services: Azure VM, Azure Load Balancer, Azure Application Gateway, Azure Web Apps. |
| Prisma Cloud - Find GCP Resource by FQDN | Find GCP resources by FQDN using Prisma Cloud inventory. Supported services: Cloud DNS. |
| Prisma Cloud - Find GCP Resource by Public IP | Find GCP resources by Public IP using Prisma Cloud inventory. Supported services: GCE, Load Balancing, GKE. |
| Prisma Cloud - Find Public Cloud Resource by FQDN | Find Public Cloud resources by FQDN using Prisma Cloud inventory |
| Prisma Cloud - Find Public Cloud Resource by Public IP | Find Public Cloud resource by Public IP using Prisma Cloud inventory |
| Prisma Cloud Compute - Audit Alert | Default playbook for parsing Prisma Cloud Compute audit alerts |
| Prisma Cloud Compute - Cloud Discovery Alert | Default playbook for parsing Prisma Cloud Compute Cloud Discovery alerts |
| Prisma Cloud Compute - Compliance Alert | Default playbook for parsing Prisma Cloud Compute compliance alerts |
| Prisma Cloud Compute - Vulnerability Alert | Default playbook for parsing Prisma Cloud Compute vulnerability alerts |
| Prisma Cloud Compute Vulnerability and Compliance Reporting | Deprecated. No available replacement. |
| Prisma Cloud Correlate Alerts | Search alerts in Prisma Cloud for a specific asset ID and, if present in XSOAR, link them. |
| Prisma Cloud Remediation - AWS CloudTrail is not Enabled on the Account | AWS Cloudtrail is a service which provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. To remediate Prisma Cloud Alert "CloudTrail is not enabled on the account", this playbook creates an S3 bucket to host Cloudtrail logs and enable Cloudtrail (includes all region events and global service events). |
| Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration | This playbook remediates Prisma Cloud AWS EC2 alerts. It calls the following sub-playbooks to perform the remediation: - AWS Default Security Group Does Not Restrict All Traffic - AWS Security Groups Allow Internet Traffic - AWS Security Groups With Inbound Rule Overly Permissive To All Traffic - AWS Security Groups allow internet traffic from internet to FTP-Data port (20) - AWS Security Groups allow internet traffic from internet to FTP port (21) - AWS Security Groups allow internet traffic to SSH port (22) - AWS Security Group allows all traffic on SSH port (22) - AWS Security Groups allow internet traffic from internet to Telnet port (23) - AWS Security Groups allow internet traffic from internet to SMTP port (25) - AWS Security Groups allow internet traffic from internet to DNS port (53) - AWS Security Groups allow internet traffic from internet to Windows RPC port (135) - AWS Security Groups allow internet traffic from internet to NetBIOS port (137) - AWS Security Groups allow internet traffic from internet to NetBIOS port (138) - AWS Security Groups allow internet traffic from internet to CIFS port (445) - AWS Security Groups allow internet traffic from internet to SQLServer port (1433) - AWS Security Groups allow internet traffic from internet to SQLServer port (1434) - AWS Security Groups allow internet traffic from internet to MYSQL port (3306) - AWS Security Groups allow internet traffic from internet to RDP port (3389) - AWS Security Groups allow internet traffic from internet to MSQL port (4333) - AWS Security Groups allow internet traffic from internet to PostgreSQL port (5432) - AWS Security Groups allow internet traffic from internet to VNC Listener port (5500) - AWS Security Groups allow internet traffic from internet to VNC Server port (5900) |
| Prisma Cloud Remediation - AWS EC2 Security Group Misconfiguration | This playbook remediates the Prisma Cloud AWS EC2 alerts generated by the following policies: - AWS Default Security Group Does Not Restrict All Traffic - AWS Security Groups Allow Internet Traffic - AWS Security Groups With Inbound Rule Overly Permissive To All Traffic - AWS Security Group allows all traffic on SSH port (22) |
| Prisma Cloud Remediation - AWS IAM Password Policy Misconfiguration | This playbook remediates the following Prisma Cloud AWS IAM password policy alerts. Prisma Cloud policies remediated: - AWS IAM password policy allows password reuse - AWS IAM password policy does not expire in 90 days - AWS IAM password policy does not have a lowercase character - AWS IAM password policy does not have a minimum of 14 characters - AWS IAM password policy does not have a number - AWS IAM password policy does not have a symbol - AWS IAM password policy does not have a uppercase character - AWS IAM password policy does not have password expiration period - AWS IAM Password policy is insecure |
| Prisma Cloud Remediation - AWS IAM Policy Misconfiguration | This playbook remediates Prisma Cloud AWS IAM policy alerts. It uses sub-playbooks that perform the remediation steps. |
| Prisma Cloud Remediation - AWS Inactive Users For More Than 30 Days | To increase the security of your AWS account, it is recommended to find and remove IAM user credentials (passwords, access keys) that have not been used within a specified period of time. To remediate Prisma Cloud Alert Inactive users for more than 30 days, this playbook deactivates the user by disabling the access keys (marking them as inactive) as well as resetting the user console password. |
| Prisma Cloud Remediation - AWS Security Groups Allows Internet Traffic To TCP Port | This playbook extracts the TCP public Security Groups rule and provides manual/automatic options to have the rules revoked. |
| Prisma Cloud Remediation - Azure AKS Cluster Misconfiguration | This playbook remediates the following Prisma Cloud Azure AKS cluster alerts. Prisma Cloud policies remediated: - Azure AKS cluster monitoring not enabled - Azure AKS cluster HTTP application routing enabled |
| Prisma Cloud Remediation - Azure AKS Misconfiguration | This playbook remediates Prisma Cloud Azure AKS alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - Azure AKS cluster monitoring not enabled - Azure AKS cluster HTTP application routing enabled |
| Prisma Cloud Remediation - Azure Network Misconfiguration | This playbook remediates Prisma Cloud Azure Network alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on any protocol - Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on TCP protocol - Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on UDP protocol - Azure Network Security Group (NSG) allows SSH traffic from internet on port 22 - Azure Network Security Group (NSG) allows traffic from internet on port 3389 - Azure Network Security Group allows DNS (TCP Port 53) - Azure Network Security Group allows FTP (TCP Port 21) - Azure Network Security Group allows FTP-Data (TCP Port 20) - Azure Network Security Group allows MSQL (TCP Port 4333) - Azure Network Security Group allows MySQL (TCP Port 3306) - Azure Network Security Group allows Windows RPC (TCP Port 135) - Azure Network Security Group allows Windows SMB (TCP Port 445) - Azure Network Security Group allows PostgreSQL (TCP Port 5432) - Azure Network Security Group allows SMTP (TCP Port 25) - Azure Network Security Group allows SqlServer (TCP Port 1433) - Azure Network Security Group allows Telnet (TCP Port 23) - Azure Network Security Group allows VNC Listener (TCP Port 5500) - Azure Network Security Group allows all traffic on ICMP (Ping) - Azure Network Security Group allows CIFS (UDP Port 445) - Azure Network Security Group allows NetBIOS (UDP Port 137) - Azure Network Security Group allows NetBIOS (UDP Port 138) - Azure Network Security Group allows SQLServer (UDP Port 1434) - Azure Network Security Group allows DNS (UDP Port 53) |
| Prisma Cloud Remediation - Azure Network Security Group Misconfiguration | This playbook remediates the following Prisma Cloud Azure Network security group alerts. Prisma Cloud policies remediated: - Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on any protocol - Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on TCP protocol - Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on UDP protocol - Azure Network Security Group (NSG) allows SSH traffic from internet on port 22 - Azure Network Security Group (NSG) allows traffic from internet on port 3389 - Azure Network Security Group allows DNS (TCP Port 53) - Azure Network Security Group allows FTP (TCP Port 21) - Azure Network Security Group allows FTP-Data (TCP Port 20) - Azure Network Security Group allows MSQL (TCP Port 4333) - Azure Network Security Group allows MySQL (TCP Port 3306) - Azure Network Security Group allows Windows RPC (TCP Port 135) - Azure Network Security Group allows Windows SMB (TCP Port 445) - Azure Network Security Group allows PostgreSQL (TCP Port 5432) - Azure Network Security Group allows SMTP (TCP Port 25) - Azure Network Security Group allows SqlServer (TCP Port 1433) - Azure Network Security Group allows Telnet (TCP Port 23) - Azure Network Security Group allows VNC Listener (TCP Port 5500) - Azure Network Security Group allows all traffic on ICMP (Ping) - Azure Network Security Group allows CIFS (UDP Port 445) - Azure Network Security Group allows NetBIOS (UDP Port 137) - Azure Network Security Group allows NetBIOS (UDP Port 138) - Azure Network Security Group allows SQLServer (UDP Port 1434) - Azure Network Security Group allows DNS (UDP Port 53) |
| Prisma Cloud Remediation - Azure SQL Database Misconfiguration | This playbook remediates the following Prisma Cloud Azure SQL database alerts. Prisma Cloud policies remediated: - Azure SQL database auditing is disabled - Azure SQL Database with Auditing Retention less than 90 days - Azure Threat Detection on SQL databases is set to Off - Azure SQL Database with Threat Retention less than or equals to 90 days |
| Prisma Cloud Remediation - Azure SQL Misconfiguration | This playbook remediates Prisma Cloud Azure SQL alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - Azure SQL database auditing is disabled - Azure SQL Database with Auditing Retention less than 90 days - Azure Threat Detection on SQL databases is set to Off - Azure SQL Database with Threat Retention less than or equals to 90 days |
| Prisma Cloud Remediation - Azure Storage Blob Misconfiguration | This playbook remediates the following Prisma Cloud Azure Storage blob alerts. Prisma Cloud policies remediated: - Azure storage account has a blob container with public access - Azure storage account logging for blobs is disabled |
| Prisma Cloud Remediation - Azure Storage Misconfiguration | This playbook remediates Prisma Cloud Azure Storage alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - Azure storage account has a blob container with public access - Azure storage account logging for blobs is disabled - Azure Storage Accounts without Secure transfer enabled - Azure storage account logging for queues is disabled - Azure storage account logging for tables is disabled #95 |
| Prisma Cloud Remediation - GCP Kubernetes Engine Cluster Misconfiguration | This playbook remediates the following Prisma Cloud GCP Kubernetes Engine Cluster alerts. Prisma Cloud policies remediated: GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled GCP Kubernetes Engine Clusters have HTTP load balancing disabled GCP Kubernetes Engine Clusters have Legacy Authorization enabled GCP Kubernetes Engine Clusters have Master authorized networks disabled GCP Kubernetes Engine Clusters have Network policy disabled GCP Kubernetes Engine Clusters have Stackdriver Logging disabled GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled GCP Kubernetes Engine Clusters have binary authorization disabled GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled GCP Kubernetes cluster intra-node visibility disabled |
| Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration | This playbook remediates Prisma Cloud GCP Kubernetes Engine alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled GCP Kubernetes Engine Clusters have HTTP load balancing disabled GCP Kubernetes Engine Clusters have Legacy Authorization enabled GCP Kubernetes Engine Clusters have Master authorized networks disabled GCP Kubernetes Engine Clusters have Network policy disabled GCP Kubernetes Engine Clusters have Stackdriver Logging disabled GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled GCP Kubernetes Engine Clusters have binary authorization disabled GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled GCP Kubernetes cluster intra-node visibility disabled |
| Prisma Cloud Remediation - GCP VPC Network Firewall Misconfiguration | This playbook remediates the following Prisma Cloud GCP VPC Network Firewall alerts. Prisma Cloud policies remediated: - GCP Firewall rule allows internet traffic to FTP port (21) - GCP Firewall rule allows internet traffic to HTTP port (80) - GCP Firewall rule allows internet traffic to MongoDB port (27017) - GCP Firewall rule allows internet traffic to MySQL DB port (3306) - GCP Firewall rule allows internet traffic to Oracle DB port (1521) - GCP Firewall rule allows internet traffic to PostgreSQL port (5432) - GCP Firewall rule allows internet traffic to RDP port (3389) - GCP Firewall rule allows internet traffic to SSH port (22) - GCP Firewall rule allows internet traffic to Telnet port (23) - GCP Firewall rule allows internet traffic to DNS port (53) - GCP Firewall rule allows internet traffic to Microsoft-DS port (445) - GCP Firewall rule allows internet traffic to NetBIOS-SSN port (139) - GCP Firewall rule allows internet traffic to POP3 port (110) - GCP Firewall rule allows internet traffic to SMTP port (25) - GCP Default Firewall rule should not have any rules (except http and https) - GCP Firewall with Inbound rule overly permissive to All Traffic |
| Prisma Cloud Remediation - GCP VPC Network Misconfiguration | This playbook remediates Prisma Cloud GCP VPC Network alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - GCP project is using the default network - GCP Firewall rule allows internet traffic to FTP port (21) - GCP Firewall rule allows internet traffic to HTTP port (80) - GCP Firewall rule allows internet traffic to MongoDB port (27017) - GCP Firewall rule allows internet traffic to MySQL DB port (3306) - GCP Firewall rule allows internet traffic to Oracle DB port (1521) - GCP Firewall rule allows internet traffic to PostgreSQL port (5432) - GCP Firewall rule allows internet traffic to RDP port (3389) - GCP Firewall rule allows internet traffic to SSH port (22) - GCP Firewall rule allows internet traffic to Telnet port (23) - GCP Firewall rule allows internet traffic to DNS port (53) - GCP Firewall rule allows internet traffic to Microsoft-DS port (445) - GCP Firewall rule allows internet traffic to NetBIOS-SSN port (139) - GCP Firewall rule allows internet traffic to POP3 port (110) - GCP Firewall rule allows internet traffic to SMTP port (25) - GCP Default Firewall rule should not have any rules (except http and https) - GCP Firewall with Inbound rule overly permissive to All Traffic |
| Prisma Cloud Remediation - GCP VPC Network Project Misconfiguration | This playbook remediates the following Prisma Cloud GCP VPC Network Project alerts. Prisma Cloud policies remediated: - GCP project is using the default network |
| Process Email - Add custom fields | Deprecated. We recommend using Process Email - Generic playbook instead. Process email - Add email data to a phishing incident's custom fields |
| Process Email - Core | Add email details to the relevant context entities and handle the case where original emails are attached. |
| Process Email - Core v2 | This playbook adds email details to the relevant context entities and handles the case where original emails are attached. |
| Process Email - EWS | Process an EWS email |
| Process Email - Generic | Add email details to the relevant context entities and handle the case where original emails are attached. |
| Process Email - Generic v2 | This playbook adds email details to the relevant context entities and handles original email attachments. The v2 playbook enables parsing email artifacts more efficiently, including: - Using incident fields and not incident labels. - Providing separate paths to "Phishing Alerts". - Using the new "Get Original Email - Generic v2" playbook to retrieve original emails as EML files from the following integrations: EWS v2 Microsoft Graph Mail integration Gmail FireEye EX and FireEye CM Proofpoint Protection Server Agari Phishing Defense (EWS v2, MSGraph Mail, Gmail) * Mimecast |
| Process Microsoft's Anti-Spam Headers | This playbook stores the SCL, BCL, and PCL scores if they exist to the associated incident fields (Phishing SCL Score, Phishing PCL Score, and Phishing BCL Score). It also does the following: 1) Sets the email classification to "spam" if the SCL score is equal to or greater than 5. 2) Sets the incident severity according to the playbook inputs (default is: PCL/BCL - Medium, SCL - Low). The severity of the incident is set only when one (or more) of the following occurs: - PCL (Phishing Confidence Level) For a score between and including 4-8: The message content is likely to be phishing. - BCL (Bulk Complaint Level) For a score between and including 4-7: The message is from a bulk sender that generates a mixed number of complaints. For a score between and including 8-9: The message is from a bulk sender that generates a high number of complaints. - SCL (Spam Confidence Level) For a score between and including 5-6: Spam filtering marks the message as spam. For a score of 9: Spam filtering marks the message as high confidence spam. See anti-spam stamps. |
| Process QWatch Alert - Qintel | Extracts exposure records from a QWatch alert |
| Process Survey Response | Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is in beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve. This playbook processes the survery responses. It updates that the employee responded to the survey and what their health status is. If necessary, it opens IT or HR incidents, and updates the process survey tracker. |
| Proofpoint TAP - Event Enrichment | |
| PS Remote Get File Sample From Path | This playbook leverages the Windows built-in PowerShell and WinRM capabilities to connect to a Windows host to acquire a file as forensic evidence for further analysis. |
| PS-Remote Acquire Host Forensics | This playbook allows the user to gather multiple forensic data from a Windows endpoint including network traffic, MFT (Master File Table), and registry export by using the PS Remote automation which enables connecting to a Windows host without the need to install any 3rd-party tools using just native Windows management tools. |
| PS-Remote Get MFT | This playbook leverages the Windows built-in PowerShell and WinRM capabilities to connect to a Windows host to acquire and export the MFT (Master File Table) as forensic evidence for further analysis. |
| PS-Remote Get Network Traffic | This playbook leverages the Windows built-in PowerShell and WinRM capabilities to connect to a Windows host. It then connectst to the Netsh tool to create an ETL file which is the equivalent of a Wireshark PCAP file by using the PS-Remote integration. After receiving the resultant ETL, XSOAR will be able to convert the ETL to a PCAP file to be parsed and enriched later. Review the Microsoft documentation for how to use ETL filters (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129382(v=ws.11)#using-filters-to-limit-etl-trace-file-details). |
| PS-Remote Get Registry | This playbook leverages the Windows built-in PowerShell and WinRM capabilities to connect to a Windows host to acquire and export the registry as forensic evidence for further analysis. The capture can be for the entire registry or for a specific hive or path. |
| QRadar - Get offense correlations | Deprecated. Use the `QRadar - Get offense correlations v2` instead.\"\nRun on a QRadar offense to get more information\n\n Get all correlations relevant to the offense\n Get all logs relevant to the correlations (not done by default, set "GetCorrelationLogs\" to \"True\")\n\nInputs-\n GetCorrelationLogs (default - False)\n MaxLogsCount (default - 20) |
| QRadar - Get offense correlations v2 | Deprecated. Use the "QRadar - Get Offense Logs" playbook instead. Run on a QRadar offense to get more information: Get all correlations relevant to the offense Get all logs relevant to the correlations (not done by default - set "GetCorrelationLogs" to "True") Inputs: GetCorrelationLogs (default: False) MaxLogsCount (default: 20) |
| QRadar - Get Offense Logs | Works for QRadar integration version 3, v1 and v2 are deprecated. Note: You can use the integration to fetch the events with the offense however it will fetch the events according to the specified limit defined in the instance settings. By using this playbook you can define an additional search to query a larger number of logs. Default playbook inputs use the QRadar incident fields such as idoffense, starttime. These fields can be replaced but need to point to relevant offense ID and starttime fields. |
| QRadar Generic | The QRadar Generic playbook is executed for the QRadar Generic incident type. It performs all the common parts of the investigation, including notifying the SOC, enriching data for indicators and users, calculating severity, assigning incidents, and notifying the SIEM admin about false positives. |
| QRadar Indicator Hunting V2 | The Playbook queries QRadar SIEM for indicators such as file hashes, IP addresses, domains, or urls. |
| QRadarCorrelationLog | Deprecated. Use the "QRadar - Get Offense Logs"\ \ playbook instead. This playbook retrieves the correlation logs of multiple QIDs. |
| QRadarFullSearch | This playbook runs a QRadar query and return its results to the context. |
| Quarantine Device in Cisco ISE - PANW IoT 3rd Party Integration | Playbook to handle incident triggered from PANW Iot (Zingbox) UI to quarantine a device in Cisco ISE. |
| Query Cisco Stealthwatch Flows | This playbook runs a query on Cisco Stealthwatch flows and return its results to the context. |
| Ransomware Advanced Analysis | This playbook detects the ransomware type and searches for available decryptors. The playbook uses the ID-Ransomware service, which allows you to detect the ransomware using multiple methods. |
| Ransomware Enrich and Contain | This playbook is responsible for ransomware alert data enrichment and response. The playbook executes the following: 1.Checks if the initiator is a remote attacker and allows isolating the remote host, if possible. 2.Retrieves the WildFire sandbox report and extract the indicators within it. * The playbook tries to retrieve the report, but if there is no report available, the playbook tries to fetch the ransomware file for detonation. 3.Hunts for the ransomware alert indicators from the alert table, searches for endpoints that have been seen with them, and allows containing the identified endpoints. |
| Ransomware Exposure - RiskSense | The ransomware exposure playbook reveals an organization's exposure to the specific vulnerabilities that are being exploited to launch ransomware attacks. |
| Ransomware Playbook - Manual | Master playbook for ransomware incidents. This playbook is a manual playbook. |
| Ransomware Response | This playbook handles ransomware alerts based on the Cortex XDR Traps module signature 'Suspicious File Modification' Attacker’s Goals: An attacker is attempting to encrypt the victim files for either extortion or destruction purposes. Investigative Actions: Investigate the executed process image and verify if it is malicious using: XDR trusted signers VT trusted signers VT detection rate NSRL DB Response Actions: The playbook’s first response action is a remediation plan which includes two sub-playbooks, Containment Plan and Eradication Plan, which is based on the initial data provided within the alert. In that phase, the playbooks will execute: Auto endpoint isolation Auto block indicators Auto file quarantine Auto user disable Auto process termination Next, the playbook executes an enrichment and response phase which includes two sub-playbooks, Ransomware Enrich and Contain & Account Enrichment - Generic v2.1. The Ransomware Enrich and Contain playbook does the following: 1.Checks if the initiator is a remote attacker and allows isolating the remote host, if possible. 2.Retrieves the WildFire sandbox report and extracts the indicators within it. * The playbook tries to retrieve the report, but if there is no report available, the playbook tries to fetch the ransomware file for detonation. 3.Hunts for the ransomware alert indicators from the alert table, searches for endpoints that have been seen with them, and allows containing the identified endpoints. Next, an advanced analysis playbook, which is currently done mostly manually, will be executed. This sub-playbook, Ransomware Advanced Analysis allows the analyst to upload the ransomware note and for the ransomware identification. Using the ID-Ransomware service, the analyst will be able to get the ransomware type and the decryptor if available. When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes the Containment Plan sub-playbook, is executed. This phase will execute the following containment actions: Manual block indicators Manual file quarantine Auto endpoint isolation Finally, the recovery phase is executed. If the analysts decides to continue with the investigation rather than recover and close the alert, a manual task with CISA official ransomware investigation checklist is provided for further investigation. External resources: MITRE Technique T1486 CISA Ransomware Guide |
| Rapid Breach Response - Set Incident Info | This playbook is responsible for setting up the Rapid Breach Response Incident Info tab in the layout. |
| Rapid IOC Hunting Playbook | Deprecated. Use the Hunt File Hash playbook instead. Playbook to quickly react to discovery of new IOCs. Receive a list of IOCs as attached text / csv files, extract IOCs using regular expressions and hunt rapidly across the infrastructure using various integrations. Also supports attaching multiple files. |
| Recorded Future CVE Intelligence | CVE enrichment using Recorded Future intelligence |
| Recorded Future CVE Reputation | CVE reputation with Recorded Future SOAR enrichment |
| Recorded Future Detailed Alert example | |
| Recorded Future Domain Intelligence | Domain enrichment using Recorded Future intelligence |
| Recorded Future Domain Reputation | Domain reputation using Recorded Future SOAR enrichment |
| Recorded Future External Usecase | Implements an external usecase for Recorded Future Identity Data |
| Recorded Future File Intelligence | File enrichment using Recorded Future intelligence |
| Recorded Future File Reputation | File reputation using Recorded Future SOAR enrichment |
| Recorded Future IOC Reputation | Entity Reputation using sub-playbooks |
| Recorded Future IP Intelligence | IP Address Enrichment using Recorded Future Intelligence |
| Recorded Future IP Reputation | IP address reputation using Recorded Future SOAR enrichment |
| Recorded Future Threat Assessment | Threat Assessment using the Recorded Future SOAR Triage API and the context Phishing. |
| Recorded Future URL Intelligence | URL Enrichment using Recorded Future intelligence |
| Recorded Future URL Reputation | URL reputation using Recorded Future SOAR enrichment |
| Recorded Future Workforce Usecase | Implements an workforce usecase for Recorded Future Identity Data |
| Recovery Plan | This playbook handles all the recovery actions available with Cortex XSIAM, including the following tasks: Unisolate endpoint Restore quarantined file Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. |
| Registry Parse Data Analysis | This playbook leverages the RegistryParse automation to perform registry analysis and extract forensic artifacts. The automation includes common registry objects to extract which are useful for analyzing registry, or a user provides registry path to parse. |
| Remediate Message - Agari Phishing Defense | Remediates a given message id. |
| Report Categorization - Cofense Triage v3 | Report Categorization playbook investigates reports that are unprocessed or uncategorized on Cofense Triage as incident alerts in XSOAR and categorizes them based on the severity of the incident. |
| Residents Notification - Breach Notification | This playbook is triggered by a breach notification playbook and is responsible for the resident notification process. |
| Retrieve Asset Details - Lansweeper | Get contextual information of asset based on IP/MAC from Lansweeper. |
| Retrieve Email Data - Agari Phishing Defense | Retrieve Email Data from one of the Integrations of Gmail, Mail Listener v2, EWS O365, Microsoft Graph Mail. |
| Retrieve File from Endpoint - Generic | This playbook retrieves a file sample from an endpoint using the following playbooks: - Get File Sample From Path - Generic - Get File Sample By Hash - Generic v2 |
| Retrieve File from Endpoint - Generic V2 | 'This playbook retrieves a file sample from an endpoint using the following playbooks:' - Get File Sample From Path - Generic v2. - Get File Sample By Hash - Generic v3. |
| Retrieve File from Endpoint - Generic V3 | 'This playbook retrieves a file sample from an endpoint using the following playbooks:' - Get File Sample From Path - Generic v2. - Get File Sample By Hash - Generic v3. |
| RiskIQAsset Enrichment - RiskIQ Digital Footprint | Enriches the "RiskIQAsset" type of indicators with basic information and CVEs detected for the asset, performs a vulnerability scan for "Host" and "IP Address" type of assets, and enriches received information in the context as well as provides the user to add to allow list a list of "IP Address" type of assets. This playbook also enriches the detected CVEs. To select the indicators you want to enrich, go to playbook inputs, choose "from indicators" and set your query. For example type:RiskIQAsset etc. The default playbook query is "type:RiskIQAsset". In case indicators with specific "riskiqassettype" are to be enriched, the query must be edited accordingly. This playbook needs to be used with caution as it might use up the integrations' API license when running for large amounts of indicators. Supported integrations: - RiskIQ Digital Footprint - Tenable.io - Google Cloud Compute - AWS - EC2 - Okta v2 |
| RSS Create Indicators From Report | The playbook: 1. Extracts indicators from Threat intel reports. 2. Creates relationships between the extracted indicators and the report. 3. Runs enrich indicators command on the extracted indicators. Cortex XSOAR recommends that you configure a job to execute this playbook. 1. Configure a job that will run the RSS Create Indicators From Report playbook. 1. Select the Triggered by delta in feed option. 2. Select the feed on which to run the job. 2. Configure input to the RSS Create Indicators From Report playbook: - From the context data input: Tag name - the indicator will be tagged with this value when the playbook finishes processing and all the indicators are extracted and relationships created. - From the indicators: Create a query to include only new report indicators that were not processed yet. Recommended query: "type:Report -tags:{Tag name configured from the context data input} -tags:in_process". The playbook tags all indicators with the "in_process" tag when it starts running, and removes the tag when the playbook ends. If you want the playbook to run on a specific instance (a specific feed), add the following filter to the query: sourceInstances:"{the selected instance}". Note that if you selected the Triggered by delta in feed option when configuring the Job, the “Run only on new and modified indicators” playbook option is automatically selected. |
| Rubrik Anomaly Incident Response - Rubrik Polaris | This playbook will investigate an anomaly incident ingested by the integration "RubrikPolaris", enrich its data, and perform a remediation according to the incident's object type. |
| Rubrik Data Object Discovery - Rubrik Polaris | Data discovery of the object available in the incident. |
| Rubrik Fileset Ransomware Discovery - Rubrik Polaris | This playbook performs IOC Scan on fileset object. It also creates tickets on ServiceNow using "ServiceNow v2" integration. Supported integrations: - RubrikPolaris - ServiceNow v2 |
| Rubrik IOC Scan - Rubrik Polaris | This playbook starts an IOC Scan with the provided IOC values. It can be looped until recoverable snapshots are obtained or the limit to loop is reached. |
| Rubrik Polaris - Anomaly Analysis | Monitor the progress of a Rubrik Radar anomaly event and use Rubrik Sonar to check for data classification hits. |
| Rubrik Poll Async Result - Rubrik Polaris | Poll async result for any asynchronous request made to rubrik. |
| Rubrik Ransomware Discovery and File Recovery - Rubrik Polaris | This playbook performs an IOC Scan based on the provided inputs, search the recoverable snapshot and performs recovery on the searched recoverable snapshot. This playbook also creates tickets on ServiceNow using "ServiceNow v2" integration. Supported integrations: - RubrikPolaris - ServiceNow v2 |
| Rubrik Ransomware Discovery and VM Recovery - Rubrik Polaris | Use this playbook to recover a virtual machine using the "RubrikPolaris" integration by either exporting or live-mounting a backup snapshot. This playbook also creates tickets on ServiceNow using "ServiceNow v2" integration. Supported integrations: - RubrikPolaris - ServiceNow v2 |
| Run Panorama Best Practice Assessment | This playbook runs the Palo Alto Best Practice Assessment checks for a PAN-OS instance. |
| Rundeck-job-execute-Generic | This playbook executes a job and exits when it successfully finishes. |
| Saas Security - Incident Processor | This playbook notifies incidents owner and provides remediation options to Saas Security admin for resolving incidents. |
| SaaS Security - Remediate an Asset | Take a remediation action over an asset: Use this playbook as a sub-playbook to take a remediation action on an asset. Available remediation actions are 1) Remove public sharing, 2) Quarantine, and 3) Restore. This playbook implements polling by continuously running the `saas-security-remediation-status-get` command to get the remediation status for a given asset ID, until the operation completes. The remote action should have the following structure: 1. Initiate the operation - provide the Asset ID and the remediation action. 2. Poll to check if the operation completed. 3. Get the results of the operation. |
| Saas Security - Take Action on the Incident | This sub-playbook will send email notification to the Saas Security Admin for taking remediation action on the incident. |
| SafeBreach - Compare and Validate Insight Indicators | This playbook compares SafeBreach Insight indicators before and after the processing. It receives an insight and it's indicators before validation, fetches updated indicators after rerunning the insight, and then compares the results to validate mitigation. Indicators are classified as Remediated or Not Remediated based on their validated status and the appropriate field (SafeBreach Remediation Status) is updated. |
| SafeBreach - Create Incidents per Insight and Associate Indicators | This is a sub-playbook that creates incidents per SafeBreach insight, enriched with all the related indicators and additional SafeBreach insight contextual information. Used in main SafeBreach playbooks, such as "SafeBreach - Process Behavioral Insights Feed" and "SafeBreach - Process Non-Behavioral Insights Feed". |
| SafeBreach - Handle Insight Incident | This playbook is triggered automatically for each SafeBreach Insight incident: (1) Adding insight information (including suggested remediation actions); (2) Assigning it to an analyst to remediate and either “ignore” or “validate.” Validated incidents are rerun with the related SafeBreach Insight and the results are compared to the previous indicator results. The incident is closed once all the indicators are resolved or the analyst “ignores” the incident. Unresolved indicators wait for handling by the analyst. |
| SafeBreach - Process Behavioral Insights Feed | This playbook processes all SafeBreach behavioral indicators. It creates an incident for each SafeBreach Insight, enriched with all the related indicators and additional SafeBreach contextual information. A special feed based triggered job is required to initiate this playbook for every new SafeBreach generated indicator. |
| SafeBreach - Process Non-Behavioral Insights Feed | This playbook automatically remediates all non-behavioral indicators generated from SafeBreach Insights. To validate the remediation, it reruns the related insights and classifies the indicators as Remediated or Not Remediated. A special feed based triggered job is required to initiate this playbook for every new SafeBreach generated indicator. |
| SafeBreach - Rerun Insights | This is a sub-playbook reruns a list of SafeBreach insights based on Insight Id and waits until they complete. Used in main SafeBreach playbooks, such as "SafeBreach - Handle Insight Incident" and "SafeBreach - Process Non-Behavioral Insights Feed". |
| SafeBreach - Rerun Single Insight | This is a sub-playbook that reruns a single insight using a specified Insight Id as input. It is used to run insights one by one iteratively as part of the main rerun playbook - "SafeBreach Rerun Insights". |
| SafeNet Trusted Access - Add to Unusual Activity Group | This playbook adds the user to a group that was created to identify unusual activity. SafeNet Trusted Access policies can be configured to take this into account and provide stronger protection when handling access events from users who are members of the group. The user is added to this group for a configurable period of time. |
| SafeNet Trusted Access - Terminate User SSO Sessions | This playbook terminates user SSO sessions so that upon the next login attempt following the unlocking of the account, authentication is required. |
| SailPoint IdentityIQ Disable User Account Access | Checks if the risk score of an identity exceeds a set threshold of 500 and disables the accounts. |
| SANS - Incident Handler's Handbook Template | This playbook contains the phases for handling an incident as they are described in the SANS Institute ‘Incident Handler's Handbook’ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 ***Disclaimer: This playbook does not ensure compliance to SANS regulations. |
| SANS - Incident Handlers Checklist | This playbook follows the "Incident Handler's Checklist" described in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 ***Disclaimer: This playbook does not ensure compliance to SANS regulations. |
| SANS - Lessons Learned | This playbook assists in post-processing an incident and facilitates the lessons learned stage, as presented by SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 ***Disclaimer: This playbook does not ensure compliance to SANS regulations. |
| Scan and Isolate - XM Cyber | An example of playbook using data from XM Cyber to help decide about scanning and isolating a threat |
| Scan Assets - Nexpose | Starts a Nexpose scan according to asset IP addresses or host names, and waits for the scan to finish by polling the scan status in pre-defined intervals. |
| Scan Site - Nexpose | Starts a Nexpose scan by site id and waits for the scan to finish by polling its status in pre-defined intervals. |
| Schedule Task and Poll | This playbook will schedule a specified command and monitor for completion by looking for output in context. Make the playbook context shared globally if you have a command that returns to Context automatically and you have a specific key to monitor. The key monitored must be a single field value and not an array. |
| Search And Delete Emails - EWS | This playbook searches EWS to identify and delete emails with similar attributes of a malicious email. |
| Search And Delete Emails - Generic | This playbook searches and delete emails with similar attributes of a malicious email. |
| Search And Delete Emails - Generic v2 | This playbook searches and deletes emails with similar attributes of a malicious email using one of the following integrations: EWS Office 365 Gmail Agari Phishing Defense |
| Search And Delete Emails - Gmail | This playbook searches Gmail to identify and delete emails with similar attributes to the malicious email. |
| Search Endpoints By Hash - Carbon Black Protection | Hunt for endpoint activity involving hash IOCs, using Carbon Black Protection. |
| Search Endpoints By Hash - Carbon Black Response | Deprecated. Use the Search Search Endpoints By Hash - Carbon Black Response V2 playbook instead. Hunt for malicious indicators using Carbon Black. |
| Search Endpoints By Hash - Carbon Black Response V2 | Hunt for malicious indicators using Carbon Black |
| Search Endpoints By Hash - CrowdStrike | Deprecated. Use CrowdStrike Falcon instead. |
| Search Endpoints By Hash - Cybereason | Hunt for endpoint activity involving hash, using Cybereason. |
| Search Endpoints By Hash - Generic | Deprecated. Use the Search Endpoints By Hash - Generic V2 playbook instead. Hunt using available tools |
| Search Endpoints By Hash - Generic V2 | Hunt using available tools |
| Search Endpoints By Hash - TIE | Hunt for sightings of MD5, SHA1 and/or SHA256 hashes on endpoints, using McAfee TIE (requires ePO as well). Input: Hash (default, takes all deferent hashes from context) Output: All agents that files with "Hash" has been executed on (TIE) * Enrich Agents info from ePO |
| Search For Hash In Sandbox - Generic | This playbook searches for a specific hash in the supported sandboxes. If the hash is known, the playbook provides a detailed analysis of the sandbox report. Currently supported sandboxes are Falcon X and Wildfire. |
| Send Indicators - Cofense Triage v3 | Send Indicators playbook is used to create or update threat indicators in Cofense Triage that have been identified as malicious or suspicious by the analysis. |
| Send Investigation Summary Reports | This playbook iterates over closed incidents, generates a summary report for each closed incident, and emails the reports to specified users. |
| Send Investigation Summary Reports Job | You should run this playbook as a scheduled job, whicn should run at an interval of once every 15 minutes. This playbook functions by calling the sub-playbook: "Send Investigation Summary Reports", and closes the incident. By default, the playbook will search all incidents closed within the last hour. If you want to run the playbook more frequently, you should adjust the search query of the child playbook: "Send Investigation Summary". Reports. |
| Sentinel One - Endpoint data collection | # Collect endpoint information based on SentinelOne commands. Input: * Hostname (Default: ${Endpoint.Hostname}) |
| ServiceNow Change Management | If you are using a PAN-OS/Panorama firewall and ServiceNow as a ticketing system this playbook is a perfect match for your change management for firewall process. This playbook is triggered by a fetch from ServiceNow and will help you manage and automate your change management process. |
| ServiceNow CMDB Search | Subplaybook for finding CI records in ServiceNow CMDB. |
| ServiceNow Ticket State Polling | Use ServiceNow Incident State Polling as a sub-playbook when required to pause the execution of a master playbook until the ServiceNow ticket state is either resolved or closed. This playbook implements polling by continuously running the servicenow-get-ticket command until the state is either resolved or closed. |
| Set RaDark Grid For Compromised Accounts | Set grid for RaDark - Compromised Accounts incidents. |
| Set RaDark Grid For Credit Cards | Set grid for RaDark - Credit Cards incidents. |
| Set RaDark Grid For Hacking Discussions | Set grid for RaDark - Hacking Discussions incidents. |
| Set RaDark Grid For Leaked Credentials | Set grid for RaDark - Leaked Credentials incidents. |
| Set RaDark Grid For Network Vulnerabilities | Set grid for RaDark - Network Vulnerabilities incidents. |
| Set Team Members | This playbook will accept a CSV of usernames and / or a CSV of role names (of which to enumerate for usernames) to add to the incidents team members. The playbook will determine the existing owner and ensure that they are replaced as the owner once complete. |
| Set up a Shift handover meeting | This playbook is used to create an online meeting for shift handover. Currently, this playbook supports Zoom. |
| Shift handover | This playbook is used to set up shift handover meetings with all the accompanying processes such as creating an online meeting, creating a notification in a integrated chat app (for example Slack), creating a SOC manager briefing, and creating a display of the active incidents, team members who are on-call, and team members who are out of the office. By modifying the playbook inputs you can decide whether to activate the Assign Active Incidents to Next Shift and whether a user who is out of the office will be taken into consideration. |
| Slack - General Failed Logins v2.1 | Investigates a failed login event. The playbook interacts with the user via the Slack integration, checks whether the logins were a result of the user's attempts or an attack, raises the severity, and expires the user's password according to the user's replies. |
| Social Engineering Domain Enrichment | Enrich a domain and compare against your registered domain for potential social engineering against your organization. |
| Social Engineering Domain Investigation | Enrich and Investigate domains which may present a social engineering threat to your organization. Review before blocking potentially dangerous indicators. |
| SOCRadar Incident | Performs indicator extraction and enrichment from the incident content, calculates the severity level, assigns the incident to a particular analyst, notifies SOCRadar platform for the incident response (to mark it as false positive or resolved) and generates investigation summary report just before closing the investigation in the end. This playbook is executed for the SOCRadar Generic incident type. |
| SolarStorm and SUNBURST Hunting and Response Playbook | This playbook does the following: - Collect indicators to aid in your threat hunting process. - Retrieve IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin). - Retrieve C2 domains and URLs associated with Sunburst. - Discover IOCs of associated activity related to the infection. - Generate an indicator list to block indicators with SUNBURST tags. - Hunt for the SUNBURST backdoor - Query firewall logs to detect network activity. - Search endpoint logs for Sunburst hashes to detect presence on hosts. If compromised hosts are found: - Notify security team to review and trigger remediation response actions. - Run sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team. Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html |
| Splunk Generic | This is a generic playbook to be executed for the Splunk Notable Generic incident type. The playbook performs all the common parts of the investigation, including notifying the SOC, enriching the data for indicators and users, calculating the severity, assigning the incident, notifying the SIEM admin for false positives and more. |
| Splunk Indicator Hunting | This playbook queries Splunk for indicators such as file hashes, IP addresses, domains, or urls. It outputs detected users, ip addresses, and hostnames related to the indicators. |
| Spring Core and Cloud Function SpEL RCEs | On March 29, 2022, information about a 0-day vulnerability in the popular Java library Spring Core appeared on Twitter. Spring Framework is an extremely popular framework used by Java developers to build modern applications. If you rely on the Java stack, it is very likely that your development teams use Spring. In some cases, a single specially crafted request is enough to exploit the vulnerability. Later, it was discovered that these are two separate vulnerabilities, one in Spring Core and the other in Spring Cloud Function: CVE-2022-22965 - RCE in "Spring Core" is a severe vulnerability, aka Spring4Shell CVE-2022-22963 - RCE in "Spring Cloud Function SpEL" CVE-2022-22947 - RCE in "Spring Cloud Gateway" Spring Core vulnerability requirements: JDK 9 or higher Apache Tomcat as the Servlet container Packaged as WAR spring-webmvc or spring-webflux dependency Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions Spring Cloud Function unaffected versions: 3.1.7 3.2.3 This playbook will provide you with a first response kit which includes: Hunting Panorama Prisma Cloud Compute XDR XQL queries - set the playbook input RunXQLHuntingQueries to 'True' if you would like the XQL to be executed via the playbook. XDR Alerts - Search for new incidents including one or more of Spring RCEs dedicated Cortex XDR signatures Remediation Mitigations Note: You can execute this playbook using the Incidents view by creating a new incident or by using a dedicated job to schedule the playbook execution. Additional resources: Spring Framework RCE CVE-2022-22965: Spring Core Remote Code Execution Vulnerability Exploited In the Wild |
| SX - AD - Default AD Exposure Alert | This playbook will run with every Active Directory exposure incident created. The playbook then looks at the incident details and launches the matching playbook by SoarXperts AD Assurance pack. |
| SX - AD - Default Password Policy Misconfig Discovered | This playbook is triggered by the discovery of a misconfigured default password policy in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated. |
| SX - AD - DES Manual Mitigation Steps | This playbook is triggered by the discovery of insecure DES encryption usage by accounts to authenticate to services in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. |
| SX - AD - GPP - Reversible Enc' & Obfuscated passwords | This playbook is triggered by the discovery of a misconfigured group policy reversible encryption and obfuscated passwords in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated. |
| SX - AD - GPP Manual Mitigation Steps | This playbook is triggered by the discovery of a misconfigured group policy reversible encryption and obfuscated passwords in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. |
| SX - AD - Kerberoasting | This playbook is triggered by the discovery of an exposure allowing adversary initiate a Kerberoasting attack. The exposure is a misconfiguration found in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated. |
| SX - AD - LLMNR Manual Mitigation Steps | This playbook is triggered by the discovery of LLMNR protocol enabled in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. |
| SX - AD - Lockout Policy | This playbook is triggered by the discovery of a misconfigured lockout policy in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated. |
| SX - AD - Lockout Policy Manual Mitigation Steps | This playbook is triggered by the discovery of a misconfigured lockout policy in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. |
| SX - AD - NetBios Manual Mitigation Steps | This playbook is triggered by the discovery of NetBios protocol misconfiguration in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. |
| SX - AD - NTLM Relay Manual Mitigation | This playbook is triggered by the discovery of an exposure allowing adversary initiate an NTLM attack. The exposure is a misconfiguration found in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated. |
| SX - AD - NTLM Relay NP01 | This playbook is triggered by the discovery of an exposure allowing adversary initiate an NTLM attack. The exposure is a misconfiguration found in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated. |
| SX - AD - Password Age & Complexity Manual Mitigation Steps | This playbook is triggered by the discovery of a misconfiguration of password age and complexity in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. |
| SX - AD - Password Age & Length & Complexity Manual Mitigation Steps | This playbook is triggered by the discovery of a misconfiguration of password age, length and complexity in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. |
| SX - AD - Password Age & Length Manual Mitigation Steps | This playbook is triggered by the discovery of a misconfiguration of password age and length in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. |
| SX - AD - Password Age Manual Mitigation Steps | This playbook is triggered by the discovery of a misconfiguration of password age in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. |
| SX - AD - Password Complexity Manual Mitigation Steps | This playbook is triggered by the discovery of a misconfiguration of password complexity in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. |
| SX - AD - Password Length & Complexity Manual Mitigation Steps | This playbook is triggered by the discovery of a misconfiguration of password length and complexity in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. |
| SX - AD - Password Length Manual Mitigation Steps | This playbook is triggered by the discovery of a misconfiguration of password length in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. |
| SX - AD - PC - Ping Castle Report | This playbook was written to replace the default "SX - PC PingCastle Report" as the default playbook for the PingCastle integration. It executes the previous playbook and in addition parses the JSON report received from PingCastle and creates incidents based on identified exposures with available playbooks from SoarXperts AD Assurance Pack. |
| SX - AD - Powershell V2 Manual Mitigation Steps | This playbook is triggered by the discovery of PowerShell version 2 misconfiguration in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. |
| SX - AD - Powershell Version 2 | This playbook is triggered by the discovery of a misconfiguration around PowerShell version 2 in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated. |
| SX - AD - Service Account in Privileged Group Manual Mitigation Steps | This playbook is triggered by the discovery of a misconfiguration of Service Accounts in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. |
| SX - AD - Service Accounts Password Policy | This playbook is triggered by the discovery of a misconfiguration of Service Accounts in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated. |
| SX - AD - SMB Signing | This playbook is triggered by the discovery of SMB signing misconfiguration in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure and generates a help html file for further explanation of the risk identified and remediated. |
| SX - AD - SMB Signing Manual Mitigation Steps | This playbook is triggered by the discovery of SMB signing misconfiguration in Active Directory by an auditing tool. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. |
| SX - PC - PingCastle Report | This playbook runs when a new report is sent from PingCastle. It then parses it to json and renders a table. It also puts a download link to the xml report in the war room. |
| Symantec block Email | This playbook will block email address at your email gateway. |
| T1036 - Masquerading | This playbook handles masquerading alerts based on the MITRE T1036 technique. An attacker might leverage Microsoft Windows well-known image names to run malicious processes without being caught. Attacker's Goals: An attacker is attempting to masquerade as standard windows images by using a trusted name to execute malicious code. Investigative Actions: Investigate the executed process image and verify if it is malicious using: XDR trusted signers VT trusted signers VT detection rate NSRL DB Response Actions The playbook's first response action is a containment plan which is based on the initial data provided within the alert. In that phase, the playbook will execute: Auto block indicators Auto file quarantine Manual endpoint isolation When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes containment and eradication, is executed. This phase will execute the following containment actions: Manual block indicators Manual file quarantine Auto endpoint isolation And the following eradication actions: Manual process termination Manual file deletion * Manual reset of the user’s password External resources: MITRE Technique T1036 Possible Microsoft process masquerading |
| T1059 - Command and Scripting Interpreter | This playbook handles command and scripting interpreter alerts based on the MITRE T1059 technique. An attacker might abuse command and script interpreters to execute commands, scripts, or binaries. Most systems come with some kind of built-in command line interface and scripting capabilities. For example, macOS and Linux distributions include some form of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. Attacker's Goals: An attacker can abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in initial access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. An attacker may also execute commands through interactive terminals/shells, as well as utilize various remote services to achieve remote execution. Analysis Due to the nature of this technique and the usage of built-in command line interfaces, the first step of the playbook is to analyze the command line. The command line analysis does the following: - Checks and decodes base64 - Extracts and enriches indicators from the command line - Checks specific arguments for malicious usage Investigative Actions: The playbook checks for additional activity using the 'Endpoint Investigation Plan' playbook and utilizes the power of insight alerts. Response Actions After analyzing the data, the playbook's first response action is to contain the threat based on the initial data provided within the alert. In this phase, the playbook will: Isolate the endpoint based on playbook inputs. When the playbook proceeds, it checks for additional activity using the 'Endpoint Investigation Plan' playbook. It then continues with the next stage, which includes, containment and eradication. This phase executes the following containment actions: Automatically isolates the endpoint It then continues with the following eradication actions: * process termination |
| Tag massive and internal IOCs to avoid EDL listing | This playbook tags internal assets and massive IOCs (TLD wildcards and CIDRs) to be avoided by the EDL. The playbook does the following according to indicator type: CIDRs - If the CIDR prefix is larger than the set max prefix it tags it as a `Massive_CIDR` and also with `skip_edl`. TLD Wildcards - If a domainglob is a TLD wildcard (for example, *.net) it will be tagged as `TLD_Wildcard` and also with `skip_edl`. Internal IPs - If an IP is internal and also part of the CIDR configured by the user in the "Internal Assets" list it will be checked as `internal` and tagged with `skip_edl`. Internal Domains - If a domain is a subdomain of the domains configured in the "Internal Assets" list it is checked as `internal` and tagged with `skip_edl`. |
| Tanium - Ask Question | This playbook used generic polling to gets question result. |
| Tanium - Get Saved Question Result | This playbook used generic polling to gets saved question result. |
| Tanium Demo Playbook | This playbook shows how to use automation scripts to interact with Tanium. |
| Tenable.io Scan | Run a Tenable.io scan |
| Threat Hunting - Chronicle | Use this playbook to investigate and remediate suspicious IOC domain matches with recent activity found in the enterprise. This playbook also creates indicators for the entities fetched, as well as investigating and enriching them. Supported Integrations: - Chronicle - Whois |
| Threat Hunting - Generic | This playbook enables threat hunting for IOCs in your enterprise. It currently supports the following integrations: - Splunk - Qradar - Pan-os - Cortex data lake - Autofocus |
| TIE - IOC Hunt | Hunt for sightings of MD5, SHA1 and/or SHA256 hashes on endpoints, using McAfee TIE (requires ePO as well). Input: Hash (default, takes all deferent hashes from context) Output: All agents that files with "Hash" has been executed on (TIE) * Enrich Agents info from ePO |
| TIM - Add All Indicator Types To SIEM | This playbook runs sub playbooks that send indicators to your SIEM. To select the indicators you want to add, go to playbook inputs, choose “from indicators” and set your query. For example tags:approved_black, approved_white etc. The purpose of the playbook is to send to SIEM only indicators that have been processed and tagged accordingly after an automatic or manual review process. The default playbook query is" (type:ip or type:file or type:Domain or type:URL) -tags:pending_review and (tags:approved_black or tags:approved_white or tags:approved_watchlist)" In case more indicator types need to be sent to the SIEM, the query must be edited accordingly. |
| TIM - Add Bad Hash Indicators To SIEM | This playbook recives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to the SIEM. |
| TIM - Add Domain Indicators To SIEM | This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to the SIEM. |
| TIM - Add IP Indicators To SIEM | TIM playbook - This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to your SIEM. |
| TIM - Add Url Indicators To SIEM | TIM playbook - This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to your SIEM. |
| TIM - ArcSight Add Bad Hash Indicators | This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to an ArcSight Active List. The Active List ID should be defined in the playbook inputs, as well as the field name in the Active list to which to add the indicators. |
| TIM - ArcSight Add Domain Indicators | This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to an ArcSight Active List. The Active List ID should also be defined in the playbook inputs, as well as the field name in the Active list to add to. |
| TIM - ArcSight Add IP Indicators | This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to SIEM. |
| TIM - ArcSight Add Url Indicators | This playbook queries indicators based on a pre-defined query or results from a parent playbook and adds the resulting indicators to an ArcSight Active List. The Active List ID should also be defined in the playbook inputs as well as the field name in the Active list to add to. |
| TIM - Indicator Auto Processing | This playbook uses several sub playbooks to process and tag indicators, which is used to identify indicators that shouldn't be added to block list. For example IP indicators that belong to business partners or important hashes we wish to not process. Additional sub playbooks can be added for improving the business logic and tagging according to the user's needs. This playbook doesn't have its own indicator query as it processes indicators provided by the parent playbook query. To enable the playbook, provide the relevant list names in the sub playbook indicators, such as the ApprovedHashList, OrganizationsExternalIPListName, BusinessPartnersIPListName, etc. Also be sure to append the results of additional sub playbooks to Set indicators to Process Indicators for the additional playbooks results to be in the outputs. |
| TIM - Indicators Exclusion By Related Incidents | This playbooks allows you to exclude indicators according to the number of incidents the indicator is related to. The indicator query is "investigationsCount:>=X" where X is the number of related incidents to the indicator that you set. Excluded indicators are located in the Cortex XSOAR exclusion list and are removed from all of their related incidents and future ones. The purpose of excluding these indicators is to reduce the amount internal and common indicators appearing in many incidents and showing only relevant indicators. Creating exclusions can also accelerate performance. |
| TIM - Intel Tracking | Track threat actors and campaigns by uploading threat intelligence in the form of briefs and IOCs. Add notes and find IOCs in related incidents. |
| TIM - Process AWS indicators | This playbook handles the tagging of AWS indicators. Specify the tag to apply to these indicators in the playbook inputs. An example tag will be approved_white. If no inputs are specified, the indicators will be tagged for manual review. The user can specify whether a manual review incident is required. |
| TIM - Process Azure indicators | This playbook handles the tagging of Azure indicators. Specify the tag to apply to these indicators in the playbook inputs. An example tag will be approved_white. If no inputs are specified, the indicators will be tagged for manual review. The user can specify whether a manual review incident is required. |
| TIM - Process CIDR Indicators By Size | This playbook processes CIDR indicators of both IPV4 and IPV6. By specifying in the inputs the maximum number of hosts allowed per CIDR, the playbook tags any CIDR that exceeds the number as pending_review. If the maximum CIDR size is not specified in the inputs, the playbook does not run. |
| TIM - Process Domain Age With Whois | This playbook compares the domain creation time against a provided time value such as one month ago. The period can be configured within the playbook inputs MinimumAgeOfDomainMonths or MinimumAgeOfDomainHours. The playbook calculates the timestamp for the relevant period and compares it to the domain creation time value provided by Whois. The domains are outputted accordingly if they were created before or after the compared time, respectively. |
| TIM - Process Domain Registrant With Whois | This playbook compares the domain registrant against the Cortex XSOAR list of approved registrants provided in the inputs. A registrant is the company or entity that owns the domain. |
| TIM - Process Domains With Whois | This playbook uses several sub playbooks to process and tag indicators based on the results of the Whois tool. |
| TIM - Process File Indicators With File Hash Type | This playbook processes file indicator by tagging them with the relevant file hash type tag, such as Sha256, Sha1, and Md5. |
| TIM - Process Indicators - Fully Automated | This playbook tags indicators ingested from high reliability feeds. The playbook is triggered due to a Cortex XSOAR job. The indicators are tagged as approved_white, approved_black, approved_watchlist. The tagged indicators will be ready for consumption for 3rd party systems such as SIEM, EDR etc. |
| TIM - Process Indicators - Manual Review | This playbook tags indicators ingested by feeds that require manual approval. The playbook is triggered due to a job. The indicators are tagged as requiring a manual review. The playbook optionally concludes with creating a new incident that includes all of the indicators that the analyst must review. To enable the playbook, the indicator query needs to be configured. An example query is a list of the feeds whose ingested indicators should be manually reviewed. For example, sourceBrands:"Feed A" or sourceBrands:"Feed B". |
| TIM - Process Indicators Against Approved Hash List | This playbook checks if file hash indicators exist in a Cortex XSOAR list. If the indicators exist in the list, they are tagged as approved_hash. |
| TIM - Process Indicators Against Business Partners Domains List | This playbook processes indicators to check if they exist in a Cortex XSOAR list containing the business partner domains, and tags the indicators accordingly. |
| TIM - Process Indicators Against Business Partners IP List | This playbook processes indicators to check if they exist in a Cortex XSOAR list containing business partner IP addresses, and tags the indicators accordingly. |
| TIM - Process Indicators Against Business Partners URL List | This playbook processes indicators to check if they exist in a Cortex XSOAR list containing business partner urls, and tags the indicators accordingly. To enable the playbook, provide a Cortex XSOAR list name containing business partner urls. |
| TIM - Process Indicators Against Organizations External IP List | This playbook processes indicators to check if they exist in a Cortex XSOAR list containing the organizational External IP addresses or CIDR, and tags the indicators accordingly. |
| TIM - Process Office365 indicators | This playbook handles the tagging of Office365 indicators. Specify the tag to apply to these indicators in the playbook inputs. An example tag will be approved_white. If no inputs are specified, the indicators will be tagged for manual review. The user can specify whether a manual review incident is required. |
| TIM - QRadar Add Bad Hash Indicators | This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs. |
| TIM - QRadar Add Domain Indicators | This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs. |
| TIM - QRadar Add IP Indicators | This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs. |
| TIM - QRadar Add Url Indicators | This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs. |
| TIM - Review Indicators Manually | This playbook helps analysts manage the manual process of reviewing indicators. The playbook indicator query is set to search for indicators that have the 'pending review' tag. The playbook's layout displays all of the related indicators in the summary page. While reviewing the indicators, the analyst can go to the summary page and tag the indicators accordingly with tags 'such as, 'approved_black', 'approved_white', etc. Once the analyst completes their review, the playbook can optionally send an email with a list of changes done by the analyst which haven't been approved. Once complete, the playbook removes the 'pending review' tag from the indicators. |
| TIM - Review Indicators Manually For Whitelisting | This playbook helps analysts manage the manual process of adding indicators from cloud providers, apps, services etc. to an allow list. The playbook indicator query is set to search for indicators that have the 'whitelist_review' tag. The playbooks layout displays all of the related indicators in the summary page. While reviewing the indicators, the analyst can go to the summary page and tag the indicators accordingly with tags such as, 'approved_black', 'approved_white', etc. Once the analyst completes the review, the playbook can optionally send an email with a list of changes done by the analyst which haven't been approved. Once complete, the playbook removes the 'whitelist review' tag from the indicators. |
| TIM - Run Enrichment For All Indicator Types | This playbook performs enrichment on indicators based on playbook query, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators. Example queries can be "tags:example_tag" for indicators with a specific tag. For a specific feed name" the query will be "sourceBrands:example_feed". For a specifc reputation the query will be "reputation:None" etc. |
| TIM - Run Enrichment For Domain Indicators | This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators. |
| TIM - Run Enrichment For Hash Indicators | This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators. |
| TIM - Run Enrichment For IP Indicators | This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators. |
| TIM - Run Enrichment For Url Indicators | This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators. |
| TIM - Update Indicators Organizational External IP Tag | This playbook checks if an indicator with a tag of organizational_external_ip has been updated and keeps/removes the tag according to the check results. |
| TitaniamProtect | Perform protect/unprotect (encode/decode) operations on one or more incidents. |
| TitaniamRollback | Finds protected incidents matching specified search criteria and runs TitaniamProtect decode operation on incidents found. |
| TitaniamSync | Finds unprotected incidents matching specified search criteria and runs TitaniamProtect encode operation on incidents found. |
| Traps Blacklist File | Deprecated. Use CortexXDR instead. |
| Traps Isolate Endpoint | Deprecated. Use CortexXDR instead. |
| Traps Quarantine Event | Deprecated. Use CortexXDR instead. |
| Traps Retrieve And Download Files | Deprecated. Use CortexXDR instead. |
| Traps Scan Endpoint | Deprecated. Use CortexXDR instead. |
| TrendMicro Malware Alert Playbook | Handles a TrendMicro Malware Alert (After Alet has been classified) This incident was created from the classifier playbook |
| Tufin - Enrich IP Address(es) | Enrich a single IP using SecureTrack. Returns information such as the associated zones, network objects and policies for the address, and if the address is network device. |
| Tufin - Enrich Source & Destination IP Information | Enrich source and destination IP information using SecureTrack. Returns information such as the associated zones, network objects and policies for the addresses, if the addresses are network devices, and a topology map from source to destination. |
| Tufin - Get Application Information from SecureApp | Search SecureApp by application name and retrieve basic application information and all application connections. |
| Tufin - Get Network Device Info by IP Address | Use a device's IP address to gather information about the device, including basic device information, USP zone(s), and policies related to the device. |
| Tufin - Investigate Network Alert | Example Playbook utilizing the Tufin integration to enrich a network alert and perform containment, if needed. Requires the following incident details: Source IP, Destination IP, Destination Ports |
| Un-quarantine Device in Cisco ISE - PANW IoT 3rd Party Integration | Handles incidents triggered from PANW Iot (Zingbox) UI to un-quarantine a device in Cisco ISE. |
| Unisolate Endpoint - Cybereason | This playbook unisolates endpoints according to the hostname that is provided by the playbook input. |
| Unisolate Endpoint - Generic | This playbook unisolates endpoints according to the endpoint ID or host name provided in the playbook. It currently supports the following integrations: - Carbon Black Response - Cortex XDR - Crowdstrike Falcon - FireEye HX - Cybereason - Microsoft Defender For Endpoint |
| Update Or Remove Assets - RiskIQ Digital Footprint | Using various user inputs, this playbook checks if the user wants to update or remove an asset, and performs the respective actions. Supported integration: - RiskIQ Digital Footprint |
| Upload Vulnerability Report to Automox | This sub-playbook takes the entryId of a vulnerability report CSV file and uploads it to Automox for remediation. |
| Uptycs - Bad IP Incident | Get information about processes which open connections to known Bad IP's |
| Uptycs - Outbound Connection to Threat IOC Incident | Get information about connections from IOC incidents. |
| URL Enrichment - Generic | Deprecated. Use "URL Enrichment - Generic v2" playbook instead. Enrich URL using one or more integrations. URL enrichment includes: Verify URL SSL Threat information URL reputaiton Take URL screenshot |
| URL Enrichment - Generic v2 | Enrich URLs using one or more integrations. URL enrichment includes: SSL verification for URLs Threat information * Providing of URL screenshots |
| URL Enrichment - RST Threat Feed | Enrich URLs using one or more integrations. URL enrichment includes: SSL verification for URLs Threat information * Providing of URL screenshots |
| US - Breach Notification | This playbook is triggered by a breach notification incident and then proceeds to the breach notification playbook for the relevant state. DISCLAIMER: Please consult with your legal team before implementing this playbook. |
| Vulnerability Handling - Nexpose | Manage vulnerability remediation using Nexpose data, and optionally enrich data with 3rd-party tools. Before you run this playbook, run the "Vulnerability Management - Nexpose (Job)" playbook. |
| Vulnerability Handling - Qualys | Deprecated. Manage vulnerability remediation using Qualys data, and optionally enrich data with 3rd-party tools. Before you run this playbook, run the "Vulnerability Management - Qualys (Job)" playbook. |
| Vulnerability Handling - Qualys - Add custom fields to default layout | Deprecated. Add information about the vulnerability and asset from the "Vulnerability Handling - Qualys" playbook data to the default "Vulnerability" layout. |
| Vulnerability Management - Nexpose (Job) | Manage assets vulnerabilities using Nexpose. This playbook runs as a job, and by default creates incidents of type "Vulnerability" based on assets and vulnerabilities. The incidents are created by querying Nexpose for the input assets vulnerability list. You can define the minimum severity (minSeverity) that incidents are created for. Duplicate incidents are not created for the same asset ID and the Nexpose ID. This playbook is a part of a series of playbooks for Nexpose vulnerability management and remediation. For this series of playbooks to run successfully, create a Job and do the following: 1. Assign this playbook to the Job 2. Enter the relevant assets' hostnames in the playbook inputs (comma separated list). 3. Associate the "Vulnerability" type incident to the "Vulnerability Handling - Nexpose" playbook. |
| Vulnerability Management - Qualys (Job) | Use the latest Qualys report to manage vulnerabilities. This playbook runs as a job, and by default creates incidents of type "Vulnerability" based on assets and vulnerabilities. The incidents are created from the latest version of the report determined by the report timestamp. You can define the minimum severity (minSeverity) that incidents are created for. Duplicate incidents are not created for the same asset ID and QID. This playbook is a part of a series of playbooks for Qualys vulnerability management and remediation. For this series of playbooks to run successfully, create a Job and do the following: 1. Assign this playbook to the Job 2. Enter the Qualys XML report name into the "Details" field 3. Associate the "Vulnerability" type incident to the "Vulnerability Handling - Qualys" playbook. |
| Vulnerability Scan - RiskIQ Digital Footprint - Tenable.io | Performs a vulnerability scan for an asset of type "Host" and "IP Address" using Tenable.io integration. Supported integration: - Tenable.io |
| Wait Until Datetime | Pauses execution until the date and time that was specified in the plabyook input is reached. |
| WhisperGate and HermeticWiper & CVE-2021-32648 | - On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple -organizations in Ukraine. - On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine. CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5. The playbook includes the following tasks: - Collect related known indicators from Unit 42, CISA and Malware News blog. - Search for possible vulnerable servers using Xpanse. - Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products. - Block indicators automatically or manually. Mitigations: October CMS security recommendations Deploy YARA detection Rules. More information: UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement Microsoft Blog CVE-2021-32648 NVD Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. |
| WildFire - Detonate file | Detonate one or more files using the Wildfire integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types - APK, JAR, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, OOXML, PE32, PE, PDF, DMG, PKG, RAR, 7Z, JS, ELF, HTA, LNK, VBS, PS1, PERL, PYTHON, SHELL. |
| Wildfire Detonate and Analyze File | This playbook uploads, detonates, and analyzes files for the Wildfire sandbox. |
| WildFire Malware | This playbook handles WildFire Malware alerts. It performs enrichment on the different alert entities and establishes a verdict. For a possible true positive alert, the playbook performs further investigation for related IOCs and executes a containment plan. |
| xMatters - Example Conditional Actions | Example playbook showing how to use the Trigger and Wait sub-playbook to fire an event to xMatters and wait for a response from a user. This playbook then inspects the user's chosen response and branches accordingly. |
| xMatters - Wait for Response | Trigger an xMatters workflow to notify a user for a response. |
| Xpanse Incident Handling - Generic | A generic playbook for handling Xpanse issues. The logic behind this playbook is to work with an internal exclusions list which will help the analyst to get to a decision or, if configured, close incidents automatically. The phases of this playbook are: 1) Check if assets (IP, Domain or Certificate) associated with the issue are excluded in the exclusions list and optionally, close the incident automatically. 2) Optionally, enrich indicators and calculate the severity of the issue, using sub-playbooks. 3) Optionally, allow the analyst to add associated assets (IP, Domain or Certificate) to the exclusions list. 4) Tag associated assets. 5) Update the status of the issue. |
| ZTAP Alert | This playbok is triggered by fetching escalated ZTAP Alerts. The playbook fetches newly escalated alerts. Then, the playbook performs enrichment on the incident's indicators. Lastly, it adds comments/logs as Evidence. |
Scripts#
| Name | Description |
|---|---|
| A1000FinalClassification | Calculates A1000 final classification based on A1000 classification and A1000 full reports. |
| AbuseIPDBPopulateIndicators | Extracts IP addresses on block lists from AbuseIPDB, and Populates Indicators accordingly. |
| ActiveUsersD2 | Get active users from a D2 agent and parsed them into context |
| AddDBotScoreToContext | Add DBot score to context for indicators with custom vendor, score, reliability, and type. |
| AddEvidence | Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments) |
| AddKeyToList | Adds/Replaces a key in key/value store backed by an XSOAR list. |
| ADGetUser | Deprecated. Use the ad-get-user command in the Active Directory v2 integration instead.account['Groups'] = demisto.get( Use Active Directory to retrieve detailed information about a user account. The user can be specified by name, email or as an Active Directory Distinguished Name (DN). If no filter is provided, the result will show all users. |
| AlgosecCreateTicket | Creates a new FireFlow change request |
| AlgosecGetApplications | Find applications containing network objects related to IP address using BusinessFlow |
| AlgosecGetNetworkObject | Find network objects related to IP address |
| AlgosecGetTicket | Retrieves a FireFlow change request by its ID |
| AlgosecQuery | Performs a batch traffic simulation query using Firewall Analyzer |
| AnalyzeMemImage | Use Volatility to run common memory image analysis commands |
| AnalyzeOSX | Get file and url reputation for osxcollector result. will use VirusTotal for Url checks, and IBM XForce for MD5 checks. maxchecks : for system : system name to run agent on. section : the type check that OSXCollector should run. |
| AppendIfNotEmpty | Append item(s) to the end of the list if they are not empty. |
| AppendindicatorFieldWrapper | A wrapper script to the 'AppendindicatorField' script that enables adding tags to certain indicators. Note: You can use this script in an incident Layout button to allow tags to be added to indicators through the incident. |
| AquatoneDiscover | aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery. |
| ArcannaFeedbackPostProcessing | Arcanna.Ai post-processing script for sending feedback back to Arcanna about the closed incident. Additional modification might be required depending on each Cortex setup. This script is intended to be used as a sample or in conjunction with the Arcanna-Generic-Investigation playbook. |
| ArcherCreateSecurityIncident | This script is used to simplify the process of creating a new record in Archer. You can add fields that you want in the record as script arguments and or in the code and have a newly created record easily. This automation is currently used for Archer application 75 (Security Incidents) but can be altered to any other application by entering another application Id as input and or modifying the default ApplicationId value in the arguments. Another option would be to duplicate this script and adjust it to the new application Id. Please note that if you will change it to work with another application some of the argument defined fields might need to be changed as they belong to application 75. |
| ArcherUpdateSecurityIncident | This script is used to simplify the process of updating a new record in Archer. You can add fields that you want in the record as script arguments and or in the code and have a newly created record easily. This automation fields are currently used for Archer application 75 (Security Incidents) but can be altered to any other application by modifying the fields in the code. Please note that if you will change it to work with another application some of the argument defined fields might need to be changed as they belong to application 75. Another option would be to duplicate this script and adjust it to the new application Id |
| AreValuesEqual | Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned. |
| ArrayToCSV | Converts a simple Array into a textual comma separated string |
| AssignAnalystToIncident | Assign analyst to incident. By default, the analyst is picked randomly from the available users, according to the provided roles (if no roles provided, will fetch all users). Otherwise, the analyst will be picked according to the 'assignBy' arguments. machine-learning: DBot will calculated and decide who is the best analyst for the job. top-user: The user that is most commonly owns this type of incident less-busy-user: The less busy analyst will be picked to be the incident owner. online: The analyst is picked randomly from all online analysts, according to the provided roles (if no roles provided, will fetch all users). current: The user that executed the command |
| AssignAnalystToIncidentOOO | Assigns analysts who are not out of the office to the shift handover incident. Use the ManageOOOusers automation to add or remove analysts from the out-of-office list. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| AssignToNextShift | Randomly assigns the incidents to users on call (requires shift management) and users on call. https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/users-and-roles/shift-management.html#idf554fd0f-f93b-40cd-9111-1393bf25ac6e Incident Ids should be passed in as a comma separated list. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| AssignToNextShiftOOO | Randomly assigns the active incidents to on call analysts (requires shift management). This automation works with the other out-of-office automations to ensure only available analysts are assigned to the active incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| ATDDetonate | Detonate File or URL through McAfee ATD |
| Autoruns | Collect Autoruns items from an endpoint and hashes for each item. Uses a d2 agent to run SysInternals Autoruns. |
| AwsCreateImage | Deprecated. This script is deprecated. Use the AWS-EC2 integration instead. |
| AwsCreateVolumeSnapshot | Deprecated. This script is deprecated. Use the AWS-EC2 integration instead. |
| AwsGetInstanceInfo | Deprecated. Get AWS EC2 instance details |
| AwsRunInstance | Deprecated. This script is deprecated. Use the AWS-EC2 integration instead. |
| AwsStartInstance | Deprecated. This script is deprecated. Use the AWS-EC2 integration instead. |
| AwsStopInstance | Deprecated. This script is deprecated. Use the AWS-EC2 integration instead. |
| Base64Encode | Will encode an input using Base64 format. |
| Base64EncodeV2 | Encodes an input to Base64 format. |
| Base64ListToFile | Converts Base64 file in a list to a binary file and upload to warroom |
| BatchData | This Automation takes in a string of comma separated items and returns a dictionary of with the defined chunk size. |
| BetweenDates | Whether value is within a date range. |
| BetweenHours | Checks whether the given value is within the specified time (hour) range. |
| BinarySearchPy | Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black |
| BlockIP | Deprecated. Blocks IP in configured firewall |
| BMCHelixRemedyforceCreateIncident | This script is used to simplify the process of creating the incident in BMC Helix Remedyforce. The Script will consider the ID over the name of the argument when both are provided. Example: client_id is considered when both client_id and client_user_name are provided. |
| BMCHelixRemedyforceCreateServiceRequest | This script is used to simplify the process of creating a service request in BMC Helix Remedyforce. The script will consider the ID over the name of the argument when both are provided. Example: client_id is considered when both client_id and client_user_name are provided. |
| BrandImpersonationDetection | Analyzes the forensic data to detect brand impersonation attacks. This script uses the HMRC brand as an example, please modify the attributes associated with your company’s brand. |
| BuildEWSQuery | Returns an EWS query according to the automation's arguments. |
| BuildSlackBlocksFromIndex | Extracts the index.zip and filters new packs since the last run. Builds the slack message for new packs. |
| CalculateEntropy | Calculates the entropy for the given data. |
| CalculateGeoDistance | Compute the distance between two sets of coordinates, in miles. |
| CalculateTimeDifference | Calculate the time difference, in minutes |
| CalculateTimeSpan | Calculates the time span between two dates using Powershell's `New-TimeSpan` command. A timespan with a start date of "2022-04-02T15:42:48" and end date of "2022-04-12T16:55:07" would return the following: Days : 10 Hours : 1 Minutes : 12 Seconds : 19 Milliseconds : 0 Ticks : 8683390000000 TotalDays : 10.0502199074074 TotalHours : 241.205277777778 TotalMinutes : 14472.3166666667 TotalSeconds : 868339 TotalMilliseconds : 868339000 |
| CBAlerts | Get the list of Alerts from Carbon Black Enterprise Response. Supports the same arguments as the cb-alerts command. |
| CBEvents | Returns all events associated with a process query |
| CBLiveFetchFiles | Fetch all of the files from the endpoints where they were found using Cb Live. |
| CBLiveGetFile_V2 | This automation translates an endpoints hostname/IP to the Carbon Black sensor ID. It then opens a session to the endpoint to download the given file paths and closes the session. |
| CBLiveProcessList | Deprecated. No available replacement. |
| CBPApproveHash | Approve/add to allow list a hash in CBEP/Bit9. |
| CBPBanHash | Ban/blacklist a hash in CBEP/Bit9. |
| CBPCatalogFindHash | Search the CBP/Bit9 file catalog for an md5 hash. |
| CBPFindComputer | Find a computer in CBEP/Bit9. |
| CBPFindRule | Find the rule state for a hash value in CBEP/Bit9. |
| CBSensors | List Carbon Black sensors |
| CBSessions | List Carbon Black sessions |
| CBWatchlists | Display all watchlists and their details, queries, etc. |
| CEFParser | Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields. |
| CertificateExtract | Extract fields from a certificate file and return the standard context. |
| CertificateReputation | Enrich and calculate the reputation of a certificate indicator. |
| CertificatesTroubleshoot | Exports all certificate-related information from the Python Docker container and decodes it using RFC. It also retrieves the certificate located in the specified endpoint. |
| ChangeRemediationSLAOnSevChange | Changes the remediation SLA once a change in incident severity occurs. This is done automatically and the changes can be configured to your needs. |
| CheckContextValue | This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values. |
| CheckFieldValue | This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. |
| CheckIfSubdomain | Checks whether a given domain is a subdomain of one of the listed domains. |
| CheckPanosVersionAffected | Checks if the given PAN-OS version number is affected by the given list of vulnerabilties from the pan-advisories-get-advisories command. |
| CheckPointDownloadBackup | Downloads the Check Point policy backup to the Cortex XSOAR War Room. |
| CheckpointFWBackupStatus | Connect to a CheckPoint firewall appliance using SSH and retrieve the status for backup tasks. The user account being used to access the device must be set to use the SSH shell and not the built-in CheckPoint CLI. For more information, consult the CheckPoint documentation. |
| CheckpointFWCreateBackup | Connect to a Check Point firewall appliance using SSH and trigger a task to create a configuration backup of the device. The user account being used to access the device must be set to use the SSH shell and not the built-in Check Point CLI. For more information, consult the CheckPoint documentation. |
| CheckSender | For phishing incidents, check the sender of the email via Pipl search |
| CheckSenderDomainDistance | Get the string distance for the sender from our domain |
| checkValue | Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. If an array is returned. the first value will be the decision making value. |
| ChronicleAssetEventsForHostnameWidgetScript | Displays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator, when its hostname is passed as an asset identifier. |
| ChronicleAssetEventsForIPWidgetScript | Displays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator, when its IP address is passed as an asset identifier. |
| ChronicleAssetEventsForMACWidgetScript | Displays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator, when its MAC address is passed as an asset identifier. |
| ChronicleAssetEventsForProductIDWidgetScript | Displays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator, when its product ID is passed as an asset identifier. |
| ChronicleAssetIdentifierScript | Collect all asset identifiers - Hostname, IP address and MAC address in the context. |
| ChronicleDBotScoreWidgetScript | Shows the DBot Score and reputation of the Domain. |
| ChronicleDomainIntelligenceSourcesWidgetScript | Shows the details of sources in the Chronicle Domain Intelligence Sources section of the incident. |
| ChronicleIsolatedHostnameWidgetScript | Notifies if the hostname associated with the ChronicleAsset is isolated or not. |
| ChronicleIsolatedIPWidgetScript | Notifies if the IP address associated with the ChronicleAsset is isolated or not. |
| ChronicleListDeviceEventsByEventTypeWidgetScript | Displays a pie chart of the number of events, categorized by its event type, fetched for all the identifiers of the ChronicleAsset. |
| ChroniclePotentiallyBlockedIPWidgetScript | Notifies if the IP address associated with the ChronicleAsset is potentially blocked or not. |
| CIDRBiggerThanPrefix | Checks whether a given CIDR prefix is bigger than the defined maximum prefix. |
| ClassifierNotifyAdmin | Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information. |
| CloseInvestigationAsDuplicate | Close the current investigation as duplicate to other investigation. |
| CloseTaskSetContext | Close a task with the closeComplete command, but then also add the "comments" to the incident context. |
| Code42DownloadFile | Gets all departing employees and alerts for each. |
| Code42FileSearch | Gets all departing employees and alerts for each. |
| Code42GetDepartingEmployees | Gets all departing employees. |
| Code42GetHighRiskEmployees | Gets all high risk employees. |
| Code42UsernameSearch | Searches exposure events for the given username. |
| CofenseTriageReportDownload | Download all reports associated with the email address. |
| CofenseTriageThreatEnrichment | Enhancement automation for type indicator, to enrich the value from Cofense Triage. |
| CollectPacksData | This script collects the data of packs with updates. |
| commentsToContext | Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. For accessing the last executed task's comments, provide ${lastCompletedTaskEntries.[0]} as the value for the entryId input parameter. |
| CommonD2 | Common code that will be merged into each D2 agent script when it runs |
| CommonServerUserPowerShell | Common user defined code that will be merged into each server script when it runs |
| CommonServerUserPython | Common user defined code that will be merged into each server script when it runs |
| CommonUserServer | Common user defined code that will be merged into each server script when it runs |
| CompareIncidentsLabels | Compares the labels of two incidents. Returns the labels that are unique to each incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| CompareIndicators | Find the differences between two indicators lists. |
| ConferIncidentDetails | Deprecated. Display the incident details retrieved from Confer in a readable format |
| ConferSetSeverity | Deprecated. Set incident severity according to indicators found in an confer alert |
| ConfigureAzureApplicationAccessPolicy | This script grants a user the permissions needed to create a Teams meeting. It connects to MS Teams, creating an application access policy to a chosen application and then grants a user permissions. |
| ConflueraDetectionsCount | Logs detections count |
| ConflueraDetectionsData | Logs detections data ( detection vs risk-contribution ) |
| ConflueraDetectionsDataWarroom | Logs detections data ( detection vs risk-contribution ) |
| ConflueraDetectionsSummary | Logs detections data ( categories of detections ) |
| ConflueraDetectionsSummaryWarroom | Logs detections data ( categories of detections ) |
| ConflueraProgressionsCount | Logs progressions count |
| ConflueraProgressionsData | Logs progressions data ( progression vs risk-score ) |
| ConflueraProgressionsDataWarroom | Logs progressions data ( progression vs risk-score ) |
| ContainsCreditCardInfo | Check if a given value is true. Will return 'no' otherwise |
| ContextContains | This script searches for a value in a context path. |
| ContextFilter | Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it. |
| ContextGetEmails | Gets all email addresses in context, excluding ones given. |
| ContextGetHashes | Gets hashes (MD5,SHA1,SHA256) from context. |
| ContextGetIps | Gets all IP addresses in context, excluding ones given. |
| ContextGetMACAddresses | Gets all MAC addresses in context, excluding ones given. |
| ContextGetPathForString | Searches for string in context and returns context path, returns null if not found. |
| ContextSearchForString | Searches for string in a path in context. If path is null, string will be searched in full context. |
| ConvertDatetoUTC | Converts a date from a different timezone to UTC timezone. |
| ConvertDomainToURLs | Converts Domain(s) to URL(s). |
| ConvertKeysToTableFieldFormat | Convert object keys to match table keys. Use when mapping object/collection to table (grid) field. (Array of objects/collections is also supported). Example: Input: { "Engine": "val1", "Max Results": 13892378, "Key_With^Special (characters)": true } Output: { "engine": "val1", "maxresults": 13892378, "keywithspecialcharacters": true } |
| ConvertTableToHTML | Converts a given array to an HTML table |
| ConvertTimezoneFromUTC | Takes UTC and converts it to the specified timezone. Format must match the UTC date's format and output will be the same format. Can use in conjunction with ConvertDateToString |
| ConvertXmlFileToJson | Converts XML file entry to JSON format |
| ConvertXmlToJson | Converts XML string to JSON format |
| CopyContextToField | Copy a context key to an incident field of multiple incidents, based on an incident query. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| CopyFileD2 | Copy a file from an entry to the destination path on the specified system. This uses the dissolvable agent's HTTPS communication channel rather than scp or other out-of-band methods. Example usage: !CopyFileD2 destpath=/home/sansforensics/collectedbinaries/inv8_suspiciousPE1.exe.evil entryid=21@8 system=Analyst1 |
| CopyLinkedAnalystNotes | Copies the anaylst notes from the integrations and incidents grid. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| CopyNotesToIncident | Copy all entries marked as notes from current incident to another incident. |
| CortexXDRAdditionalAlertInformationWidget | This script retrieves additional original alert information from the context. |
| CortexXDRCloudProviderWidget | This script returns an HTML result of the cloud providers in the incident. The result will be displayed in the following font colors: AWS - red, GCP - green, Azure - blue. |
| CortexXDRIdentityInformationWidget | This widget displays Cortex XDR identity information. |
| CortexXDRRemediationActionsWidget | This widget displays Cortex XDR remediation action information. |
| CountArraySize | Count an array size |
| CreateArray | Will create an array object in context from given string input |
| CreateCertificate | Creates a public key (.cer file), a private key (.pfx) file, and a Base64 encoded private key to use to authenticate the EWS Extension Online Powershell v2 integration. |
| CreateChannelWrapper | Creates a channel in Slack v2 or in Microsoft Teams. If both Slack v2 and Microsoft Teams are available, it creates the channel in both Slack v2 and Microsoft Teams. |
| CreateEDLInstance | Use this automation to create an EDL instance on XSOAR. |
| CreateEmailHtmlBody | This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists). Placeholders are marked in DT format (i.e. ${incident.id} for incident ID). Available placeholders for example: - ${incident.labels.Email/from} - ${incident.name} - ${object.value} See incident Context Data menu for available placeholders Note: Sending emails require an active Mail Sender integration instance. |
| CreateFileFromPathObject | This automation is being executed by the "GetFilePathPreProcessing" pre-processing script that collects the paths and names of attachments of an incoming incident, then passes it to this automation that reads the files and creates them in an existing incident |
| CreateHash | Creating a hash of a given input, support sha1, sha256, md5 and blake. Wrapper for https://docs.python.org/3/library/hashlib.html. |
| CreateHashIndicatorWrapper | This is a wrapper to allow or block hash lists from Cortex XDR, MSDE or CrowdStrike. |
| CreateIndicatorsFromSTIX | Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.0. |
| CreatePlbkDoc | Purpose: This automation will produce docx file detailing the tasks in the given playbook. It can produce a table or paragraph format of the report. Author: Mahmood Azmat Input1: Name of the playbook (Mandatory) Input2: Format type needed. Table or Paragraph. Paragraph is default. Input3: Name of the docx file that will be produced. Give the full name including the ".docx" extension. (Mandatory) Requirements: This automation requires "Demisto REST API" integration enabled and connected to the XSOAR itself. Automation uses it to read the objects of the playbook. |
| CrowdStrikeApiModule | Common CrowdStrike code that will be appended to each CrowdStrike integration when it is deployed to enable oauth2 authentication automatically. |
| CrowdStrikeStreamingPreProcessing | Pre processing script for CrowdStrike Streaming, will not duplicate incidents(detection events) that have same Host. Will add entry to duplicate(older) incident notifying a duplicate incident was ignored. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| CrowdStrikeUrlParse | Deprecated. Use CrowdStrike Falcon instead. |
| CryptoCurrenciesFormat | Verifies that a crypto address is valid and only returns the address if it is valid. |
| CSVFeedApiModule | Common code that will be appended into each CSV feed integration when it's deployed |
| CuckooDetonateFile | Adds a file to the list of pending tasks. Returns the ID of the newly created task. |
| CuckooDetonateURL | Detonate a URL in Cuckoo sandbox. |
| CuckooDisplayReport | Display the contents of a Cuckoo report file from a war room entry. |
| CuckooGetReport | Get the report for a completed analysis. |
| CuckooGetScreenshot | Detonate the file in Cuckoo sandbox. |
| CuckooTaskStatus | Check the current status of a task in Cuckoo sandbox. |
| CustomContentBundleWizardry | This automation accepts an XSOAR custom content bundle, and either returns a list of file names, or the files you want to the war room. |
| Cut | Cut a string by delimiter and return specific fields. Example ================= input: "A-B-C-D-E" delimiter: "-" fields: "1,5" return: "A-E" |
| cveReputation | Provides severity of CVE based on CVSS score where available |
| CybereasonPreProcessingExample | Preprocessing script to run when fetching Cybereason malops. Will check if malop was already fetched, and will then update the existing incident, otherwise will create a new incident. |
| CybersixgillActionableAlertStatusUpdate | Updates the Actionable alert status. |
| CYFileRep | Deprecated. This script is deprecated. Use the Cylance integration instead. |
| Cyren-Find-Similar-Incidents | Finds similar incidents by Cyren Case ID This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| Cyren-Show-Threat-Indicators | Displays threat indicators in readable format This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| CyrenCountryLookup | Translates a country code provided by Cyren products to a full country name (English). Uses ISO 3166-1 alpha-2 for the lookup. |
| CyrenThreatInDepthRandomHunt | This script will take a random Cyren Threat InDepth feed indicator and its relationships and create a threat hunting incident for you. The main query parameters for the resulting, internal indicator query are: 1. Seen for the first time by the feed source within the last 7 days. 2. No investigation on it yet. 3. Must have relationships to other indicators. |
| CyrenThreatInDepthRelatedWidget | Shows feed relationship data in a table with the ability to navigate |
| CyrenThreatInDepthRelatedWidgetQuick | Shows limited feed relationship data in a table with the ability to navigate |
| CyrenThreatInDepthRenderRelated | Shows feed relationship data in a table with the ability to navigate |
| D2ActiveUsers | Show local accounts |
| D2Autoruns | Used by the server-side script "Autoruns". Uses d2 agent on endpoint to run SysInternals Autoruns. |
| D2Drop | Drop a file to a target system by providing its path on the server. Use CopyFileD2 instead in most cases. This is a utility agent script to be used inside server scripts. See CopyFileD2 for an example. |
| D2Exec | Execute the command and pack the output back to server |
| D2ExecuteCommand | Run a D2 built-in command on a D2 agent |
| D2GetFile | Get a file from a system using D2 agent. |
| D2GetSystemLog | Copy a log file. Works on Windows and Unix (differently - take a peek at the script itself to see how). |
| D2Hardware | Show system information |
| D2O365ComplianceSearch | Assign a 'Mailbox Import Export' management role to a user. This script runs through the agent on a Windows machine, pulls and executes a PowerShell script - which talks to the Exchange server. |
| D2O365SearchAndDelete | Assign a 'Mailbox Import Export' management role to a user. This script runs through the agent on a Windows machine, pulls and executes a PowerShell script - which talks to the Exchange server. |
| D2PEDump | Execute PE Dump on a file that is under /tmp somewhere. Used internally by StaticAnalyze |
| D2Processes | Show running processes |
| D2RegQuery | Use the D2 agent to retrieve the value of the given registry key. |
| D2Rekall | Use the D2 agent to execute Rekall on a system (usually a forensics workstation) and analyze a memory dump file located on that system. |
| D2Services | Show system services |
| D2Users | Show local accounts |
| D2Winpmem | Use the D2 agent to carry the winpmem binary to a system and return the memory dump file to the war room. This usually takes a while, depending on amount of RAM in the target system. |
| DamSensorDown | Pre processing script for Emails from Mcafee DAM, about sensor disconnected. Will ignore second notification, but will process first notification into incidents. |
| DataDomainReputation | Deprecated. Evaluate reputation of a URL and Domain and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned. |
| DateTimeToADTime | Converts unix time to AD Integer8 time. This is used in many AD date fields like pwdLastSet |
| DateToTimeStamp | Converts a date to timestamp. |
| DBotAverageScore | Calculates average score for each indicator from context |
| DBotBuildPhishingClassifier | Create a phishing classifier using machine learning technique, based on email content. |
| DBotClosedIncidentsPercentage | Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts |
| DBotPredictOutOfTheBoxV2 | Predict phishing incidents using the out-of-the-box pre-trained model. |
| DBotPredictPhishingEvaluation | Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information. |
| DBotPredictPhishingWords | Predict text label using a pre-trained machine learning phishing model, and get the most important words used in the classification decision. |
| DBotPredictTextLabel | Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information. |
| DBotPredictURLPhishing | Predict phishing URLs using a pre-trained model. |
| DBotPreparePhishingData | Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information. |
| DBotPreProcessTextData | Pre-process text data for the machine learning text classifier. |
| DBotTrainTextClassifier | Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information. |
| DBotTrainTextClassifierV2 | Train a machine learning text classifier. |
| DBotUpdateLogoURLPhishing | Add, remove, or modify logos from the URL Phishing model. |
| DecodeMimeHeader | Decode MIME base64 headers. |
| DeduplicateValuesbyKey | Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest. |
| DefaultIncidentClassifier | Deprecated. Classify an incident from mail. |
| DeleteContext | Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| DeleteReportedEmail | Use this script to delete a reported phishing email from the mailbox it was reported to |
| DemistoCreateList | Create a new list |
| DemistoGetIncidentTasksByState | Get all tasks for specific incident by the given state. |
| DemistoLeaveAllInvestigations | Leaves all investigations that the user is part of (clears out the incidents in the left pane). Incidents that the user owns will remain in the left pane. Requires Demisto REST API integration to be configured for the server. |
| DemistoLinkIncidents | Link two or more incidents |
| DemistoLogsBundle | Gets Demisto Log Bundle to war room |
| DemistoSendInvite | Send invitation to join Demisto |
| DemistoUploadFile | Deprecated. Use DemistoUploadFileV2 instead. |
| DemistoUploadFileToIncident | Deprecated. Use the DemistoUploadFileV2 script instead. Copies a file from this incident to the specified incident. The file is uploaded as an attachment to the specified incident’s Summary page, and recorded as an entry in the War Room. |
| Dig | DNS lookup utility to provide 'A' and 'PTR' record |
| DisplayCVEChartScript | Display bar chart based on cves count and trending cves count with the different colors. |
| DisplayEmailHtml | Displays the original email in HTML format. |
| DisplayEmailHtmlThread | Dynamic-section script for 'Email Threads' layout. This script renders all email messages with the thread number specified in the "Email Selected Thread" field and outputs them as a single HTML output. |
| DisplayHTML | Display HTML in the War Room. |
| DisplayIndicatorReputationContent | Display the indicator context object in markdown format in a dynamic section layout |
| DisplayTaggedWarroomEntries | Display warroom entries in a dynamic section which are tagged with 'report' |
| DlpAskFeedback | Sends a message via Slack or MS Teams to the user whose file upload violated DLP policies and triggered the incident. |
| DockerHardeningCheck | Checks if the Docker container running this script has been hardened according to the recommended settings at: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-hardening-guide.html |
| DomainReputation | A context script for Domain entities |
| DT | This automation allows the usage of DT scripts within playbooks transformers |
| DumpJSON | Dumps a json from context key input, and returns a json object string result |
| EditServerConfig | Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one. |
| EmailAskUser | Ask a user a question via email and process the reply directly into the investigation. |
| EmailAskUserResponse | Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply. |
| EmailDomainSquattingReputation | Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm |
| emailFieldTriggered | Sends email to incident owner when selected field is triggered. |
| EmailReputation | A context script for Email entities |
| EncodeToAscii | Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII) |
| EntryWidgetCoAHandled | Entry widget that shows the number of techniques that were already handled by the CoA playbooks. |
| EntryWidgetCoATechniquesList | Entry widget that shows the number of techniques that were not yet handled by the CoA playbooks. |
| EntryWidgetPortBasedRules | Entry widget that returns the number of port based rules found by PAN-OS policy optimizer. |
| EntryWidgetUnusedApplications | Entry widget that returns the number of rules with unused applications found by PAN-OS policy optimizer. |
| EntryWidgetUnusedRules | Entry widget that returns the number of unused rules found by PAN-OS policy. optimizer. |
| EnumerateRoles | The script will enumerate any provided role names and output the list of users for each role. |
| EPOFindSystem | Deprecated. Use the "McAfe ePO v2 integration command epo-find-system" instead. Return system info |
| EsmExample | Deprecated. Example of using McAfee ESM (Nitro) with advanced filters |
| Etl2Pcap | Receives an ETL file and converts it to a PCAP file. |
| ExampleJSScript | This is only an example script, to showcase how to use and write JavaScript scripts |
| ExchangeAssignRole | Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead. |
| ExchangeDeleteMail | Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead. |
| ExchangeSearchMailbox | Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead. |
| ExifRead | Read image files metadata and provide Exif tags |
| Exists | Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors. |
| ExpanseAggregateAttributionCI | Aggregate entries from ServiceNow CMDB into AttributionCI |
| ExpanseAggregateAttributionDevice | Aggregate entries from multiple sources into AttributionDevice |
| ExpanseAggregateAttributionIP | Aggregate entries from multiple sources into AttributionIP |
| ExpanseAggregateAttributionUser | Aggregate entries from multiple sources into AttributionUser |
| ExpanseEnrichAttribution | This script can be used to enrich context generated by ExpanseAggregateAttribution* scripts with additional details |
| ExpanseEvidenceDynamicSection | Dynamic Section script used in Expanse Issue layout to display the Latest Evidence structure. |
| ExpanseGenerateIssueMapWidgetScript | This widget script generates a map of the Open Expanse Issue Incidents with provider On Prem. The map is generated as a static PNG file embedded in Markdown. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| ExpansePrintSuggestions | Generates and prints a report in markdown format containing useful suggestions for the Analyst to attribute an Expanse Issue to an owner. |
| ExpanseRefreshIssueAssets | Script to refresh tags and attribution reasons of assets inside Expanse Issue. The script should be used inside the Expanse Issue incident context. |
| ExportToCSV | Export given array to csv file |
| ExportToXLSX | Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file. |
| ExposeIncidentOwner | Expose the incident owner into IncidentOwner context key |
| ExtFilter | Advanced Filter. It enables you to make filters with complex conditions. |
| ExtractDomainAndFQDNFromUrlAndEmail | Extracts domains and FQDNs from URLs and emails. |
| ExtractDomainFromIOCDomainMatchRes | Extracts domain and its details from the Chronicle IOC Domain match response. |
| ExtractDomainFromUrlAndEmail | Extract Domain(s) from URL(s) and/or Email(s) |
| ExtractEmailTransformer | Extracts email addresses from the given value. |
| ExtractEmailV2 | Verifies that an email address is valid and only returns the address if it is valid. |
| ExtractFQDNFromUrlAndEmail | Extracts FQDNs from URLs and emails. |
| ExtractHTMLTables | Find tables inside HTML and extract the contents into objects using the following logic: - If table has a single column, just create an array of strings from the values - If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value - If table has a header row, create a table of objects where attribute names are the headers - If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3... |
| ExtractInbetween | Extract a string from an existing string. |
| ExtractIndicatorsFromTextFile | Extract indicators from a text-based file. Indicators that can be extracted: IP Domain URL File Hash * Email Address This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| FailedInstances | Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances. |
| FeedRelatedIndicatorsWidget | Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant. |
| FetchFileD2 | Get a File from using a D2 agent |
| FetchIndicatorsFromFile | Fetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types. |
| FileCreateAndUpload | Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room. |
| FileCreateAndUploadV2 | Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room. |
| FileReputation | A context script for hash entities |
| FileToBase64List | Encode a file as base64 and store it in a Demisto list. |
| FilterByList | Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist. |
| FindEmailCampaign | Find a campaign of emails based on their textual similarity. |
| findIncidentsWithIndicator | Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| FindSimilarIncidents | Finds similar incidents by common incident keys, labels, custom fields or context keys. It's highly recommended to use incident keys if possible (e.g., "type" for the same incident type). For best performance, it's recommended to avoid using context keys if possible (for example, if the value also appears in a label key, use label). This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| FireEyeApiModule | Common FireEye code that will be appended to each FireEye integration when it is deployed. |
| FireEyeDetonateFile | Detonate File or URL through FireEye |
| ForescoutEyeInspectButtonGetPCAP | Get PCAP of a Forescout EyeInspect incident |
| ForescoutEyeInspectButtonGetVulnerabilityInfo | Get information of a CVE from Forescout EyeInspect CVEs DB. |
| ForescoutEyeInspectButtonHostChangeLog | Get change log of Forescout EyeInspect hosts. |
| FormatACTIURL | Helps to fetch ACTI Intelligence Report/Alert URL and converts it to uuid. |
| FormatContentData | This script formats the value given input from a JSON list into table. |
| FormatURL | Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. |
| ForwardAuditLogsToSplunkHEC | This Automation script uses the XSOAR API to get the audit logs and pushes them to Splunk HEC. Dependencies: SlunkPy and Demisto REST API integrations |
| FPDeleteRule | Deletes a rule in Forcepoint Triton. |
| FPSetRule | Adds (or updates existing) rule in Forcepoint Triton. Preserves order of rules and modifies policy in-place if a rule exists with the exact type and value. |
| GenerateInvestigationSummaryReport | A script to generate investigation summary report in an automated way Can be used in post-processing flow as well. |
| GeneratePANWIoTDeviceTableQueryForServiceNow | Generates a single query or query list with which to query in ServiceNow. |
| GeneratePassword | This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min* values all default to 0. This means that if the command is executed in this way: !GeneratePassword max_lcase=10 It is possible that a password of length zero could be generated. It is therefore recommended to always include a min* parameter that matches. The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics. |
| GenerateRandomString | Generates random string |
| GenerateRandomUUID | Generates a random UUID (UUID 4). |
| GenerateSummaryReports | Generate report summaries for the passed incidents. |
| GenericPollingScheduledTask | Runs the polling command repeatedly, completes a blocking manual task when polling is done. |
| GetAwayUsers | Returns a list of all the users marked as away in Cortex XSOAR. |
| GetBrandDeleteReportedEmail | Gets all the enabled instances of integrations that can be used by the DeleteReportedEmail script, in the output format of a single select field. |
| GetCampaignIncidentsInfo | Creates a channel in Slack v2 or in Microsoft Teams. If both Slack v2 and Microsoft Teams are available, it creates the channel in both Slack v2 and Microsoft Teams. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| GetCampaignLowerSimilarityIncidentsIdsAsOptions | Gets the IDs of incidents with lower similarity. Used to fill the optional values of the multi-select "Phishing Campaign Select Campaign Lower Similarity Incidents" incident field. |
| GetCampaignLowSimilarityIncidentsInfo | Gets the campaign incidents with low similarity information as a markdown table. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| GetCiscoISEActiveInstance | Determines which configured Cisco ISE instance is in active/primary state and returns the name of the instance. |
| GetDockerImageLatestTag | Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error. |
| GetDomainDNSDetails | Returns DNS details for a domain |
| GetEnabledInstances | Gets all currently enabled integration instances. |
| GetErrorsFromEntry | Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries. |
| GetFailedTasks | Gets failed tasks details for incidents based on a query. Limited to 1000 incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| GetFields | Retrieves fields from an object using dot notation |
| GetFilePathPreProcessing | This is a pre-processing script that is used to create the attachments of incoming incidents in an existing incident, then drop the incoming incident. It should be configured as a pre-processing rule, and the logic for finding the right incident should be added to the code manually. The automation collects the paths and names of the attachments of the incoming incident and passes it to the "CreateFileFromPathObject" automation that is being executed on the existing incident |
| GetIncidentsByQuery | Gets a list of incident objects and the associated incident outputs that match the specified query and filters. The results are returned in a structured data file. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-5/cortex-xsoar-admin/playbooks/automations.html |
| GetIndicatorDBotScore | Add into the incident's context the system internal DBot score for the input indicator. |
| GetIndicatorDBotScoreFromCache | Get the overall score for the indicator as calculated by DBot. |
| GetIndicatorsByQuery | Gets a list of indicator objects and the associated indicator outputs that match the specified query and filters. The results are returned in a structured data file. |
| GetInstanceName | Given an integration name, returns the instance name. |
| GetInstances | Returns integration instances configured in Cortex XSOAR. You can filter by instance status and/or brand name (vendor). |
| GetListRow | Parses a list by header and value. |
| getMlFeatures | Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information. |
| GetMLModelEvaluation | Finds a threshold for ML model, and performs an evaluation based on it |
| GetNumberOfUsersOnCall | Retrieves the number of users who are currently on call. |
| GetOnCallHoursPerUser | Retrieves the number of on call hours per user. |
| GetRange | Gets specified indexes of a list. |
| GetRolesPerShift | Retrieves the roles that are available per shift. |
| GetShiftsPerUser | Retrieves the number of on-call hours per user. |
| GetStringsDistance | Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm. |
| GetTasksWithSections | Groups all tasks for a specific incident according to the task headers (titles). |
| GetTime | Retrieves the current date and time. |
| GetUsersOnCall | Retrieves users who are currently on call. |
| GetUsersOOO | Retrieves users who are currently out of the office. The script use the OutOfOfficeListCleanup script to remove users from the out-of-office list whose 'off until day' is in the past. |
| GIBIncidentUpdate | This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| GIBIncidentUpdateIncludingClosed | This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| GLPIIncidentStatus | populates the value of the GLPI Ticket State field and display it in a layout widget. |
| GoogleappsRevokeUserRole | Deprecated. Deletes a role assignment. |
| GoogleAuthURL | Deprecated. This script is deprecated. The demistobot endpoint is no longer supported. |
| GrrGetFiles | Downloads files from specified machine without requiring approval |
| GrrGetFlows | Lists flows launched on a given client |
| GrrGetHunt | Renders hunt's summary |
| GrrGetHunts | Renders list of available hunts |
| GrrSetFlows | Starts a flow on a given client with given parameters |
| GrrSetHunts | Handles hunt creation request |
| GSuiteApiModule | Common G Suite code that will be appended to each Google/GSuite integration when it is deployed. |
| HashIncidentsFields | Hash fields from the incident list. Search for incidents by arguments with an option to hash some of its fields. |
| HelloWorldPremiumScript | Hello World Premium Script |
| HelloWorldScript | Hello World Script |
| Hey | Use rakyll/hey to test a web application with a load of requests. |
| hideFieldsOnNewIncident | When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode. |
| HighlightWords | Highlight words inside a given text. |
| http | Sends http request. Returns the response as json. |
| HTTPFeedApiModule | Common HTTP feed code that will be appended into each HTTP feed integration when it's deployed |
| HTTPListRedirects | List the redirects for a given URL |
| HttpV2 | Sends a HTTP request with advanced capabilities |
| IAMApiModule | Common code that will be appended into each IAM integration when it's deployed. |
| IdentifyAttachedEmail | Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team. |
| If-Then-Else | A transformer for simple if-then-else logic. |
| ImpSfListEndpoints | The endpoints list request enables a client application to receive a list of all managed and unmanaged endpoints, with their basic details. This list can then be externally filtered or searched by the application to identify individual endpoints that might require action. For any such endpoint, the application can obtain fuller details (see Endpoint Details Request below) and if relevant change its enrollment status. |
| ImpSfRevokeUnaccessedDevices | Getting all devices data from server, if a device haven't been accessed to in over two months (and is still managed), the script will send the corresponding user a warning mail. If it's haven't been accessed to in over three months, the script will revoke the device credentials and notify the user by mail |
| ImpSfScheduleTask | Creating a schedule task that's call ImpSfRevokeUnaccessedDevices: Getting all devices data from server, if a device haven't been accessed to in over two months (and is still managed), the script will send the corresponding user a warning mail. If it's haven't been accessed to in over three months, the script will revoke the device credentials and notify the user by mail |
| ImpSfSetEndpointStatus | The endpoint status request enables a client application to enroll an endpoint or revoke its enrollment. This is usually relevant for endpoints with pending status but can be done for endpoints with any current status. The endpoint needs to be specified by its ID, which can have been received from an endpoints list request, from a new endpoint notification, or from any other implemented manual or automated input. |
| IncapGetAppInfo | Use this operation to retrieve a list of all the client applications |
| IncapGetDomainApproverEmail | Use this operation to get the list of email addresses that can be used when adding an SSL site |
| IncapListSites | List sites for an account |
| IncapScheduleTask | This script periodically runs the "IncapWhitelistCompliance" script, which queries the Incapsula monitored websites for white-list compliance (see script for further details). The script then saves the new periodic ID into incident context under the "ScheduleTaskID" key for later use. |
| IncapWhitelistCompliance | Get all sites from Incapsula. For each site, the script, through a ssh server (one that should NOT be in the allow list), make sure the site is compliant ( allow list is being enforced ). If not, a warning mail will be sent to the domain owner. |
| IncidentAddSystem | Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system) |
| IncidentFields | Returns a dict of all incident fields that exist in the system. |
| IncidentsCheck-NumberofIncidentsNoOwner | Health Check dynamic section, showing the number of unassigned incidents. |
| IncidentsCheck-NumberofIncidentsWithErrors | Health Check dynamic section, showing the number of failed incidents. |
| IncidentsCheck-NumberofTotalEntriesErrors | Health Check dynamic section, showing the total number of errors in failed incidents. |
| IncidentsCheck-PlaybooksFailingCommands | Health Check dynamic section, showing the top ten commands of the failed incidents in a pie chart. |
| IncidentsCheck-PlaybooksHealthNames | Health Check dynamic section, showing the top ten playbook names of the failed incidents in a bar chart. |
| IncidentsCheck-Widget-CommandsNames | Data output script for populating the dashboard pie graph widget with the top failing incident commands. |
| IncidentsCheck-Widget-CreationDate | Data output script for populating the dashboard line graph widget with the creation date of failing incidents. |
| IncidentsCheck-Widget-IncidentsErrorsInfo | Data output script for populating the dashboard table graph widget with the information about failing incidents. |
| IncidentsCheck-Widget-NumberFailingIncidents | Data output script for populating dashboard number graph widget with the number of failing incident. |
| IncidentsCheck-Widget-NumberofErrors | Data output script for populating the dashboard number graph widget with the number of entries ID errors. |
| IncidentsCheck-Widget-PlaybookNames | Data output script for populating the dashboard bar graph widget with the top failing playbooks name. |
| IncidentsCheck-Widget-UnassignedFailingIncidents | Data output script for populating the dashboard number graph widget with the number of unassigned failing incidents. |
| IncidentState | This script is used as dynamic section to desplay in the layout one of the incident state. |
| IncreaseIncidentSeverity | Optionally increases the incident severity to the new value if it is greater than the existing severity. |
| IndicatorMaliciousRatioCalculation | Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| InRange | checks if left side is in range of right side (from,to anotation) e.g. - InRange left=4right=1,8 will return true. |
| InstancesCheck-FailedCategories | Health Check dynamic section, showing the top ten categories of the failed integrations in a pie chart. |
| InstancesCheck-NumberofEnabledInstances | Health Check dynamic section, showing the total number of checked integrations. |
| InstancesCheck-NumberofFailedInstances | Health Check dynamic section, showing the total number of failed integrations. |
| IntegrationsCheck-Widget-IntegrationsCategory | Data output script for populating the dashboard pie graph widget with the failing integrations. |
| IntegrationsCheck-Widget-IntegrationsErrorsInfo | Data output script for populating the dashboard table graph widget with the information about failing integrations. |
| IntegrationsCheck-Widget-NumberChecked | Data output script for populating the dashboard number graph widget with the number of checked integrations. |
| IntegrationsCheck-Widget-NumberFailingInstances | Data output script for populating the dashboard number graph widget with the number of failing integrations. |
| IntezerRunScanner | Running the Intezer Endpoint Analysis Scanner |
| InvertEveryTwoItems | This transformer will invert every two items in an array. Example: ["A", "B", "C", "D"] Result: ["B", "A", "D", "C"] If the total of items in the array is an odd number the last item will be removed Example: ["A", "B", "C", "D", "E"] Result: ["B", "A", "D", "C"] If the item is not an array the output will be same passed object. |
| InvestigationDetailedSummaryParse | Parses attacks from context, and shows them according to the MITRE technique they use. |
| InvestigationDetailedSummaryToTable | Shows InvestigationDetailedSummaryParse results as a markdown table |
| InvestigationSummaryParse | Retrieves information from previously run reputation commands and aggregates their results. |
| InvestigationSummaryToTable | Creates a human readable table from ParseMalware context results. |
| iot-security-alert-post-processing | IoT alert post processing script to resolve the alert in IoT security portal using API |
| iot-security-check-servicenow | Close the XSOAR incident if the IoT ServiceNow ticket was closed. This command should be run in a Job. |
| iot-security-get-raci | IoT RACI model script |
| iot-security-vuln-post-processing | IoT vulnerability post processing script to resolve the vulnerability incident in IoT security portal using API |
| IPCalcCheckSubnetCollision | An automation script to return subnet collision result |
| IPCalcReturnAddressBinary | An automation script to return address in binary format |
| IPCalcReturnAddressIANAAllocation | An automation script to return address IANA information |
| IPCalcReturnSubnetAddresses | An automation script to return subnet addresses |
| IPCalcReturnSubnetBroadcastAddress | An Automation Script to return subnet broadcast address |
| IPCalcReturnSubnetNetwork | An Automation Script to return subnet network ID |
| IPReputation | A context script for IP entities |
| IPToHost | Try to get the hostname correlated with the input IP. |
| IqHubLog | Logs detection and progression count with respective links to confluera's IQ-Hub portal in tabular format |
| IronscalesEmailFieldTrigger | Automatically changes email field when choosing classification |
| isArrayItemInList | This automation is for comparing array(list) data of context to existing lists on XSOAR server. You can avoid using loop of sub-playbook. inputArray: the context array/list data listName: the XSOAR system list |
| IsDemistoRestAPIInstanceAvailable | Checks if the provided Demisto REST API instance is available for the XSOAR Simple Dev to Prod workflow. |
| IsEmailAddressInternal | Checks if the email address is part of the internal domains |
| isError | Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error. |
| IsGreaterThan | Checks if one number(float) as bigger than the other(float) Returns yes: if first > second Returns no: if first <= second Returns exception if one of the inputs is not a number |
| IsIncidentPartOfCampaign | Get the incident campaign's ID for the campaign that is linked to at least one of the given incidents. |
| IsInCidrRanges | Determines whether an IPv4 address is contained in at least one of the comma-delimited CIDR ranges. Multiple IPv4 addresses can be passed comma-delimited and each will be tested. |
| IsIntegrationAvailable | Returns 'yes' if integration brand is available. Otherwise returns 'no' |
| IsInternalHostName | Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix. |
| IsIPInRanges | Returns yes if the IP is in one of the ranges provided, returns no otherwise. |
| IsListExist | Check if list exist in demisto lists. |
| IsMaliciousIndicatorFound | Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found. |
| IsolationAssetWrapper | This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex XSOAR 6.0.0). |
| IsRFC1918Address | A filter that determines whether an IPv4 address is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). For more information, see https://en.wikipedia.org/wiki/Private_network |
| IsTrue | Check if a given value is true. Will return 'no' otherwise |
| IsValueInArray | Indicates whether a given value is a member of given array |
| JiraCreateIssue-example | This script is used to simplify the process of creating a new Issue in Jira. You can add fields that you want in the record as script arguments and or in the code and have a newly created Issue easily. |
| JIRAPrintIssue | Pretty print JIRA issue into the incident war room |
| jmespath | Performs a JMESPath search on an input JSON format, when using a transformer. |
| JoinIfSingleElementOnly | Return the single element in case the array has only 1 element in it, otherwise return the whole array |
| jq | Run JQ Query. Check these links: - https://stedolan.github.io/jq/manual/#Invokingjq - https://jqplay.org/ |
| JSONFeedApiModule | Common code that will be appended into each JSON Feed integration when it's deployed |
| JSONFileToCSV | Script to convert a JSON File waroom output to a CSV file. |
| JSONtoCSV | Convert a JSON warroom output via EntryID to a CSV file. |
| JsonToTable | Accepts a json object and returns a markdown. |
| JsonUnescape | Recursively un-escapes JSON data if escaped JSON is found |
| KillProcessWrapper | A cross-vendor wrapper script that triggers a ‘process kill’ command - i.e executes the proper kill process command according to the vendor: CrowdstrikeFalcon or Cortex XDR. The script will only fail when the kill process action fails for both vendors. |
| LanguageDetect | Language detection based on Google's language-detection. |
| LCMAcknowledgeHost | Deprecated. This script is deprecated. LightCyber Magna is no longer available. |
| LCMDetectedEntities | Deprecated. This script is deprecated. LightCyber Magna is no longer available. |
| LCMDetectedIndicators | Deprecated. This script is deprecated. LightCyber Magna is no longer available. |
| LCMHosts | Deprecated. This script is deprecated. LightCyber Magna is no longer available. |
| LCMIndicatorsForEntity | Deprecated. This script is deprecated. LightCyber Magna is no longer available. |
| LCMPathFinderScanHost | Deprecated. This script is deprecated. LightCyber Magna is no longer available. |
| LCMResolveHost | Deprecated. This script is deprecated. LightCyber Magna is no longer available. |
| LCMSetHostComment | Deprecated. This script is deprecated. LightCyber Magna is no longer available. |
| LessThanPercentage | Checks if one percentage is less than another Returns less: if firstPercentage < secondPercentage Returns more: if firstPercentage >= secondPercentage Returns exception if one of the inputs is not a float |
| LinkIncidentsWithRetry | Use this script to avoid DB version errors when simultaneously running multiple linked incidents. |
| ListDeviceEvents | List all of the events discovered within your enterprise on a particular device within 2 hours earlier than the current time. |
| listExecutedCommands | Lists executed commands in War Room |
| ListInstalledContentPacks | This script will show all installed content packs and whether they have an update. |
| ListUsedDockerImages | List all Docker images that are in use by the installed integrations and automations. |
| LoadJSON | Loads a json from string input, and returns a json object result |
| MaliciousRatioReputation | Set indicator reputation to "suspicious" when malicious ratio is above threshold. Malicious ratio is the ration between number of "bad" incidents to total number of incidents the indicator appears in. |
| ManageOOOusers | Adds or removes an analyst from the out-of-office list in XSOAR. When used with the AssignAnalystToIncidentOOO automation, prevents incidents from being assigned to an analyst who is out of office. |
| MapPattern | This transformer will take in a value and transform it based on multiple condition expressions (wildcard, regex, etc) defined in a JSON dictionary structure. The key:value pair of the JSON dictionary should be: "condition expression": "desired outcome" For example: { ".match 1.": "Dest Val1", ".match 2.": "Dest Val2", ".match 3(.)": "\1", "match 4": { "algorithm": "wildcard", "output": "Dest Val4" } } The transformer will return the value matched to a pattern following to the priority. When unmatched or the input value is structured (dict or list), it will simply return the input value. |
| MapRaDarkIncidentDetails | Map details to an RaDark incident. |
| MapValues | Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1 |
| MapValuesTransformer | This script converts the input value into another value using two lists. The input value is searched in the first list (input_values). If it exists, the value from the second list (mapped_values) at the same index is retutrned. If there is no match, the original value is returned. If the original input is a dictionary, then the script will look for a "stringified" version of the key/:/value pair in the input_values and then map the result in the output_values into the original "value". Example 1: input_values = "1,2,3,4" mapper_values = "4,3,2,1" value = 3 Output would be "2" Example 2: input_values ="firstkey: datahere,secondkey: datathere" mapper_values = "datathere,datahere" value(dict)= { "firstkey": "datahere" } Output would be: { "firstkey": "datathere" } The reason for matching the key AND value pair in a dictionary is to allow the mappig of values that have a specific key name. In most cases, dictionaries will continan key-value pairs in which the values are the same. You might want to change the value of KeyA, but not the value of KeyB. This method gives control over which key is changed. When the input is a dict, str , int, or list, the output is ALWAYS returned as a string. |
| MarkAsEvidenceBySearch | Search entries in the war room for the pattern text, and mark them as evidence. |
| MarkAsNoteBySearch | Search entries in the war room for the pattern text, and mark as note to the entries found. |
| MarkAsNoteByTag | Mark entries as notes if they are tagged with given tag |
| MarkdownToHTML | Converts Markdown to HTML. |
| MarkRelatedIncidents | Marks given incidents as related to current incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| MatchIPinCIDRIndicators | Match provided IP address in all the Indicators of type CIDR with the provided tags (longest match). |
| MatchRegex | Deprecated. Use the MatchRegexV2 script instead. |
| MatchRegexV2 | Extracts regex data from the provided text. The script support groups and looping. |
| MathUtil | Script will run the provided mathematical action on 2 provided values and produce a result. The result can be stored on the context using the contextKey argument |
| MattermostAskUser | Ask a user a question on Mattermost and expect a response. The response can also close a task (might be conditional) in a playbook. |
| MaxList | Gets the maximum value from list e.g. ["25", "10", "25"] => "25" |
| MergeDictArray | Each entry in an array is merged into the existing array if the keyed-value matches. |
| MicrosoftApiModule | Common Microsoft code that will be appended into each Microsoft integration when it's deployed |
| MicrosoftAzureStorageApiModule | Common Microsoft Azure Storage code that will be appended into each Microsoft Azure Storage integration. |
| MicrosoftTeamsAsk | Send a team member or channel a question with predefined response options on Microsoft Teams. The response can be used to close a task (might be conditional) in a playbook. |
| MimecastFindEmail | Find an email across all mailboxes, and return the list of mailboxes where the email was found, as well as Yes if the mail was found anywhere or No otherwise. |
| MimecastQuery | query mimecast emails |
| MinList | Gets the minimum value from list e.g. ["25", "10", "25"] => "10" |
| MITREIndicatorsByOpenIncidents | Deprecated. Use FeedMitreAttackv2 instead. |
| MITREIndicatorsByOpenIncidentsV2 | This is a widget script returning MITRE indicators information for top indicators shown in incidents. |
| ModifyDateTime | Takes a date or time input and adds or subtracts a determined amount of time. Returns a string in date or time in ISO Format. |
| NCSCReportDetails | This script generates the report details used in the final report. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| NCSCReportDetails_A | This script generates the report details for the individual CAF Section. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| NCSCReportDetails_B | This script generates the report details for the individual CAF Section. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| NCSCReportDetails_C | This script generates the report details for the individual CAF Section. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| NCSCReportDetails_D | This script generates the report details for the individual CAF Section. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| NCSCReportOverview | This script generates the report details for the individual CAF Section. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| NetwitnessQuery | Deprecated. No available replacement. Performs a query against the meta database |
| NetwitnessSAAddEventsToIncident | This command will add new events to an existing NetWitness SA incident |
| NetwitnessSACreateIncident | Create an incident inside NetWitness SA from a set of NetWitness events. |
| NetwitnessSAGetAvailableAssignees | Returns the available NetWitness SA users to be assigned to incidents |
| NexposeCreateIncidentsFromAssets | Deprecated. No available replacement. Create incidents based on the Nexpose asset ID and vulnerability ID. Duplicate incidents are not created for the same asset ID and vulnerability ID. |
| NexposeEmailParser | Parses nexpose report into a clear table that contain risk score and vulnerability count for each server, And creates a new incident for each server. |
| NexposeEmailParserForVuln | Parses nexpose report into a clear table that contain risk score and vulnerability count for each server, And creates a new incident for each server. |
| NexposeVulnExtractor | Parse a specific server nexpose response in to a table of vulnerabilities. |
| NGINXApiModule | Common NGINX code that will be appended into each NGINX based integration when it's deployed |
| NotInContextVerification | Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution. |
| O365SearchEmails | Search mails in office-365 |
| OnboardingCleanup | Cleanup the incidents and indicators created by OnboardingIntegration This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| OnionURLReputation | This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSOAR CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators. |
| OSQueryBasicQuery | Returns the results from a basic OSQuery query on a remote Linux machine. For more information read documentation at https://osquery.readthedocs.io/ |
| OSQueryLoggedInUsers | Returns logged in users details from a remote system using OSQuery |
| OSQueryOpenSockets | Returns open sockets details from a remote system using OSQuery |
| OSQueryProcesses | Returns processes details from a remote system using OSQuery |
| OSQueryUsers | Returns Users Table from a remote system using OSQuery |
| Osxcollector | Execute osxcollector on machine, can run ONLY on OSX |
| OutOfOfficeListCleanup | Removes any users from the out-of-office list whose 'off until day' is in the past. |
| PagerDutyAlertOnIncident | Send incident details to pagerduty (useful to include in playbooks) |
| PagerDutyAssignOnCallUser | By default assigns the first on-call user to an investigation (all incidents in the investigation will be owned by the on call user) |
| PanoramaCVECoverage | Check coverage given a list of CVEs. |
| PanoramaSecurityPolicyMatchWrapper | A wrapper script for the panorama-security-policy-match command that receives multiple values for the source, destination, and destination port arguments and performs the policy match for each combination of the inputs. |
| PANOStoCortexDataLakeMonitoring | Verify that all firewalls successfully pushed logs to the Cortex Data Lake for the last 12 hours. It's an easy way to do monitoring of the FW connection to CDL. You can use either a manual list of FW serials or a Panorama integration to get the list of equipment to monitor. |
| ParseCSV | This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context. |
| ParseEmailFiles | Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. |
| ParseEmailFilesV2 | (Beta) Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info |
| ParseExcel | The automation takes Excel file (entryID) as an input and parses its content to the war room and context |
| ParseHTMLIndicators | This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions. |
| ParseHTMLTables | Find tables inside HTML and extract the contents into objects using the following logic: - If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value - If table has a header row, create a table of objects where attribute names are the headers - If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3... |
| ParseJSON | Parse a given JSON string "value" to a representative object. Example: '{"a": "value"}' => {"a": "value"}. |
| ParseWordDoc | Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents. |
| ParseYAML | Parses a YAML string into context |
| PcapFileExtractor | This automation extracts all possible files from a PCAP file. |
| PCAPMiner | Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment. |
| PcapMinerV2 | PcapMIner V2 allows to parse PCAP files by displaying the all of the relevant data within including ip addresses, ports, flows, specific protocol breakdown, searching by regex, decrypting encrypted traffic and more. This automation takes about a minute to process 20,000 packets (which is approximately 10MB). If you want to mine large files you can either: a) Use the `pcap_filter` parameter to filter your PCAP file and thus make is smaller. b) Copy the automation and change the `default timeout` parameter to match your needs. |
| PDFUnlocker | Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF. |
| PenfieldAssign | PenfieldAssign will use the Penfield.AI integration's penfield-get-assignee command to determine who an incident should be assigned to, then print the selected analyst to the War Room and overwrite the owner property. |
| PerformActionOnCampaignIncidents | Perform user actions such as link, close, etc., on selected incidents from a campaign. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| PHash | Script to create a perceptual hash of an image (or file) stored in the incident. Wrapps https://pypi.org/project/ImageHash/ |
| PortListenCheck | Checks whether a port was open on given host. |
| PrepareArcannaRawJson | Loads a json from string input, and returns a json escaped result. |
| PreprocessEmail | Preprocessing script for email communication layout. This script checks if the incoming email contains an Incident ID to link the mail to an existing incident, and tags the email as "email-thread". This script runs with elevated permissions. Cortex XSOAR recommends using the built-in RBAC functionality to limit access to only those users requiring access to this script. For more information about the preprocessing rules, refer to: https://demisto.developers.paloaltonetworks.com/docs/incidents/incident-pre-processing |
| Prints text to war room (Markdown supported) | |
| PrintContext | Pretty-print the contents of the playbook context |
| PrintErrorEntry | Prints an error entry with a given message |
| PrintRaw | Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression. |
| PrismaCloudAttribution | Recursively extracts specified fields from provided list of assets for Prisma Cloud attribution use case. |
| PTEnrich | Deprecated. No available replacement. Enrich the given IP or domain with metadata, malware, osint. |
| PublishEntriesToContext | Publish entries to incident's context |
| PWEventPcapDownload | Download PCAPs related to the requested events. Supports rate throttling. |
| PWObservationPcapDownload | Download PCAPs related to the specified observations. Supports rate throttling. |
| QRadarCreateAQLQuery | Build QRadar AQL Query. |
| QRadarFetchedEventsSum | This display the amount of fetched events vs the total amount of events in the offense. |
| QRadarMagnitude | This enables to color the field according to the magnitude. The scale is 1-3 green 4-7 yellow 8-10 red |
| QRadarMirroringEventsStatus | This displays the mirrored events status in the offense. |
| QRadarPrintAssets | This script prints the assets fetched from the offense in a table format. |
| QRadarPrintEvents | This script prints the events fetched from the offense in a table format. |
| QualysCreateIncidentFromReport | Create incidents from a Qualys report (XML), based on the Qualys asset ID and vulnerability ID (QID). Duplicate incidents are not created for the same asset ID and QID. |
| RandomElementFromList | randomly select elements from a list in Python |
| RandomPhotoNasa | This automation script will pull a random image from https://images.nasa.gov based on the search parameter provided. If the script is used within a widget, it will output an image in markdown format. If it is used anywhere else it will output an image in markdown format and also context data. |
| RapidBreachResponse-CompletedTasksCount-Widget | Rapid Breach Response dynamic section, will show the updated number of completed tasks. |
| RapidBreachResponse-EradicationTasksCount-Widget | Rapid Breach Response dynamic section, will show the updated number of eradication tasks. |
| RapidBreachResponse-HuntingTasksCount-Widget | Rapid Breach Response dynamic section, will show the updated number of hunting tasks. |
| RapidBreachResponse-MitigationTasksCount-Widget | Rapid Breach Response dynamic section, will show the updated number of mitigation tasks. |
| RapidBreachResponse-RemainingTasksCount-Widget | Rapid Breach Response dynamic section, will show the updated number of remaining tasks. |
| RapidBreachResponse-RemediationTasksCount-Widget | Rapid Breach Response dynamic section, will show the updated number of remediation tasks. |
| RapidBreachResponse-TotalIndicatorCount-Widget | Rapid Breach Response dynamic section, will show the updated number of indicators found. |
| RapidBreachResponse-TotalTasksCount-Widget | Rapid Breach Response dynamic section, will show the updated number of tasks to complete. |
| RapidBreachResponseParseBlog | Deprecated. Use "ParseHTMLIndicators" instead. Parse Volexity request blog. |
| ReadFile | Load the contents of a file into context. |
| ReadNetstatFile | Load and return the processes file (generated from the cs-falcon-rtr-list-network-stats command) content. |
| ReadNetstatFileWrapper | This Automation is a wrapper - If the CrowdStrike key is present in context, ReadNetstatFile will be executed and displayed. Else, 'No data on Netstat found' will be displayed. |
| ReadPDFFileV2 | Load a PDF file's content and metadata into context. |
| ReadProcessesFile | Load and return the processes file (generated from the cs-falcon-rtr-list-processes command) content. |
| ReadProcessesFileXDR | Return a process list from the XDRIR integration. |
| ReadProcessFileWrapper | This Automation is a wrapper - If PaloAltoNetworksXDR is in context - ReadProcessesFileXDR will be executed and displayed. if CrowdStrike is in context - ReadProcessesFile will be executed and displayed. else 'No data on Process List found' will be displayed. |
| RecordedFutureDomainRiskList | Deprecated. Use Recorded Future v2 instead. |
| RecordedFutureHashRiskList | Deprecated. Use Recorded Future v2 instead. |
| RecordedFutureIPRiskList | Deprecated. Use Recorded Future v2 instead. |
| RecordedFutureURLRiskList | Deprecated. Use Recorded Future v2 instead. |
| RecordedFutureVulnerabilityRiskList | Deprecated. Use Recorded Future v2 instead. |
| redactindicator | Redactindicator can help you to defang/redact any kind of indicator (IPv4, url, domain and email), IP addresses will be in the dotted representation like 8.8.8[.].8, all domains will be example[.]com. Optional you can define a "searchkey" which does not to be case sensitive, which will be replaced as <REDACTED> |
| RegCollectValues | Collect values for the given registry path from all Windows systems in this investigation. |
| RegexExpand | Extract the strings matched to the patterns by doing backslash substitution on the template string. This transformer allow to input multiple regex patterns and multiple match targets, and those can be given in the input value and the argument parameters. |
| RegistryParse | This command uses the Registry Parse automation to extract critical forensics data from a registry file. The essential values are specified by the argument. |
| RegPathReputationBasicLists | Check the given registry path against a small block list (score 3), allow list (score 1), and suspicious list (score 2). If the key matches neither, returns an answer of 0. |
| RegProbeBasic | Perform a short probe of the specified system's registry - retrieve and display the values of a list of interesting keys |
| RemoteExec | Execute a command on a remote machine (without installing a D2 agent) |
| RemoveEmpty | Remove empty items, entries or nodes from the array. |
| RemoveFileWrapper | This script allows removing specified files using Cortex XDR, CrowdStrike and Microsoft Defender (Advanced Threat Protection). |
| RemoveKeyFromList | Removes a key in key/value store backed by an XSOAR list. |
| ResolveShortenedURL | Resolve the original URL from the given shortened URL and place it in both as output and in the context of a playbook. (https://unshorten.me/api) |
| RestartFailedTasks | Use this Script to re-run failed tasks. Run in the same incident after running `GetFailedTasks` for restarting all of the failed tasks or some of them. |
| ReverseList | Reverse a list e.g. ["Mars", "Jupiter", "Saturn"] => ["Saturn", "Jupiter", "Mars"] This is an example for entire-list transformer - it operates the argument as a list (note the "entirelist" tag) |
| RiskIQDigitalFootprintAssetDetailsWidgetScript | Shows the detailed information of an asset identified as a "RiskIQAsset" type of indicator in the layout of the indicator. |
| RiskIQPassiveTotalComponentsScript | Enhancement script to enrich PassiveTotal components for Domain and IP type of indicators. |
| RiskIQPassiveTotalComponentsWidgetScript | Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators. |
| RiskIQPassiveTotalHostPairChildrenScript | Enhancement script to enrich PassiveTotal host pair of children for Domain and IP type of indicators. |
| RiskIQPassiveTotalHostPairParentsScript | Enhancement script to enrich PassiveTotal host pair of parents for Domain and IP type of indicators. |
| RiskIQPassiveTotalHostPairsChildrenWidgetScript | Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators. |
| RiskIQPassiveTotalHostPairsParentsWidgetScript | Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators. |
| RiskIQPassiveTotalPDNSScript | Enhancement script to enrich PDNS information for Domain and IP type of indicators. |
| RiskIQPassiveTotalPDNSWidgetScript | Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators. |
| RiskIQPassiveTotalSSLForIssuerEmailWidgetScript | Set widgets to custom layout in Email and RiskIQAsset type of indicators. |
| RiskIQPassiveTotalSSLForSubjectEmailWidgetScript | Set widgets to custom layout in Email and RiskIQAsset type of indicators. |
| RiskIQPassiveTotalSSLScript | Enhancement script to enrich SSL information for Email, File SHA-1 and RiskIQSerialNumber type of indicators. |
| RiskIQPassiveTotalSSLWidgetScript | Set widgets to custom layout in Email, RiskIQSerialNumber and File SHA-1 type of indicators. |
| RiskIQPassiveTotalTrackersScript | Enhancement script to enrich web trackers information for Domain and IP type of indicators. |
| RiskIQPassiveTotalTrackersWidgetScript | Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators. |
| RiskIQPassiveTotalWhoisScript | Enhancement script to enrich whois information for Domain and Email type of indicators. |
| RiskIQPassiveTotalWhoisWidgetScript | Set widgets to custom layout in Domain, Email and RiskIQ Asset type of indicators. |
| RiskSenseGetRansomewareCVEScript | This script is a helper script of Ransomware Exposure - RiskSense playbook and retrieve information of cves and trending cves from host finding details. |
| RSAArcherManualFetch | This automation creates new incidents from RSA Archer. |
| RSSWidget | Script Widget - RSS Feed. |
| RubrikCDMClusterConnectionState | Shows the Rubrik Radar amount of Files Added. |
| RubrikRadarFilesAdded | Shows the Rubrik Radar amount of Files Added. |
| RubrikRadarFilesDeleted | Shows the Rubrik Radar amount of Files Deleted. |
| RubrikRadarFilesModified | Shows the Rubrik Radar amount of Files Modified. |
| RubrikSonarOpenAccessFiles | Shows the Rubrik Polaris Sonar Open Access Files Count. |
| RubrikSonarSensitiveHits | Shows the Rubrik Polaris Sonar data classification results. |
| RubrikSonarTotalHits | Shows the Rubrik Polaris Sonar Total Hits. |
| RunDockerCommand | This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context. |
| RunPollingCommand | Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| SalesforceAskUser | Ask a user a question via Salesforce Chatter and process the reply directly into the investigation. |
| SandboxDetonateFile | Deprecated. This script is deprecated. Use the available generic file detonation playbooks instead. |
| SbDownload | Use the Download API to have a client application download files generated by the Check Point Threat Prevention service: analysis reports, Threat Emulation sandbox outputs, and more. The request must have the ID of the file to download |
| SbQuery | Use the Query API to have a client application look for either the analysis report of a specific file on the Check Point Threat Prevention service databases or the status of a file, uploaded for analysis |
| SbQuota | Use the Quote API to have a client application get the current license and quota status of the API Key that you use |
| SbUpload | Use the Upload API to have a client application request that Check Point Threat Prevention modules scan and analyze a file. When you upload a file to the service, the file is encrypted. It is un-encrypted during analysis, and then deleted |
| ScheduleCommand | Schedule a command to run inside the war room at a future time (once or reoccurring) |
| ScheduleGenericPolling | Called by the GenericPolling playbook, schedules the polling task. |
| SCPPullFiles | Take a list of devices and pull a specific file (given by path) from each using SCP |
| SearchIncidentsV2 | Searches Demisto incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| SearchIndicatorRelationships | This automation outputs the indicator relationships to context according to the provided query, using the entities, entityTypes, and relationships arguments. All arguments will use the AND operator. For example, using the following arguments entities=8.8.8.8 entities_types=Domain will provide only relationships that the 8.8.8.8 indicator has with indicators of type domain. |
| SearchIndicators | Deprecated. Use the SixgillSearchIndicators script instead. |
| SendAllPANWIoTAssetsToSIEM | Retrieves all specified assets from the PANW IoT cloud and sends them to the SIEM server. |
| SendAllPANWIoTDevicesToCiscoISE | Gets all available devices from the IoT cloud and updates or creates them on Cisco ISE using the custom attributes. |
| SendAllPANWIoTDevicesToServiceNow | Gets all available devices from the IoT cloud and sends them to the ServiceNow. server |
| SendEmailOnSLABreach | Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started. In order to run successfully, the script should be configured to trigger on SLA breach, through field edit mode. |
| SendEmailReply | Send email reply This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| SendMessageToOnlineUsers | Send message to Demisto online users over Email, Slack, Mattermost or all. |
| SendPANWIoTDevicesToCiscoISE | This script takes (as a required argument) custom attributes from PANW IoT cloud and creates or updates endpoints in ISE with the input custom attributes. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| SEPCheckOutdatedEndpoints | Check if any endpoints are using an AV definition that is not the latest version. |
| ServiceNowApiModule | Common ServiceNow code that will be appended to each ServiceNow integration when it is deployed to automatically enable OAuth2 authentication. |
| ServiceNowCreateIncident | This script is used to wrap the generic create-record command in ServiceNow. You can add fields that you want to create the record with as script arguments or in the code and work with the records easily. |
| ServiceNowIncidentStatus | populates the value of the ServiceNow Ticket State field and display it in a layout widget. |
| ServiceNowQueryIncident | This script is used to wrap the generic query-table command in ServiceNow. You can add fields that you want to use as inputs and outputs from the record as script arguments or in the code and work with the records easily. |
| ServiceNowUpdateIncident | This script is used to wrap the generic update-record command in ServiceNow. You can add fields that you want to update the record with as script arguments or in the code and work with the records easily. |
| Set | Set a value in context under the key you entered. |
| SetByIncidentId | Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. Sets a value into the context with the given context key. Doesn't append by default. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| SetDateField | Sets a custom incident field with current date |
| SetGridField | Creates a Grid table from items or key-value pairs. |
| SetIRProceduresMarkdown | Creates markdown tables based on information from the GetTasksWithSection command. |
| SetMultipleValues | Set multiple keys/values to the context. |
| SetSeverityByScore | Deprecated. Calculate a weighted score based on number of malicious indicators involved in the incident. Each indicator type can have a different weight. Finally if score exceeds certain thresholds, increase incident severity. Thresholds can also be overriden by providing them in arguments. |
| SetTagsBySearch | Search entries in the war room for the pattern text, and set tags to the entries found. |
| SetTime | Fill the current time in a custom incident field |
| ShowCampaignLastIncidentOccurred | Displays the occurrence date of the last campaign incident. |
| ShowCampaignRecipients | Displays the phishing campaign recipients' email addresses and the number of incidents each email address appears in. |
| ShowCampaignSenders | Displays the phishing campaign senders' email addresses and the number of incidents each email address appears in. |
| ShowCampaignSimilarityRange | Displays the similarity range between the incidents that make up the phishing campaign. |
| ShowLocationOnMap | Show indicator geo location on map |
| ShowOnMap | Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance). |
| ShowScheduledEntries | Show all scheduled entries for specific incident. |
| SiemApiModule | Helpers and iteration logic using pydantic for Siem apps. |
| SixgillSearchIndicators | Search for Indicators |
| SlackAsk | Sends a message (question) to either user (in a direct message) or to a channel. The message includes predefined reply options. The response can also close a task (might be conditional) in a playbook. |
| SlackAskV2 | Sends a message (question) to either user (in a direct message) or to a channel. The message includes predefined reply options. The response can also close a task (might be conditional) in a playbook. |
| Sleep | Sleep for X seconds |
| SplitCampaignContext | Splits incidents in the context data to below and above a similarity threshold. If a low similarity incident was already added to the campaign, then it will also be considered in the higher similarity incidents list. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| SplunkCIMFields | Convert Splunk CIM Fields Dynamic Into Fields Value |
| SplunkEmailParser | Deprecated. Classify an incident created from an email originating from Splunk.\nThe mail type should be in plain text, and inline - table should be selected.\nParsing is done in the following manner -\ntype is the header sourcetype, severity is the mail importance level, \nthe incident name is the mail subject and the systems are taken from host. |
| SSDeepReputation | Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system. |
| SSDeepSimilarity | This script finds similar files that can be related to each other by fuzzy hash (SSDeep). |
| STA-FetchListContent | This script will get the Unusual Activity Group from "sta_unusual_activity_group" List. |
| STA-PostProcessing | Post processing script to remove the user from the Unusual Activity Group on Close Form. |
| StaticAnalyze | For phishing incidents, iterate on all attachments and run PE dump on each |
| StixCreator | Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.0 format. |
| StopScheduledTask | This stops the scheduled task whose ID is given in the taskID argument. |
| StopTimeToAssignOnOwnerChange | Stops the "Time To Assign" timer if the owner of the incident was changed. |
| StringContainsArray | Checks whether a substring or an array of substrings is within a string array(each item will be checked). Supports single strings as well. For example, for substrings ['a','b','c'] in a string 'a' the script will return true. |
| StringifyArray | Return the string encoded with JSON from the whole array |
| StringLength | Returns the length of the string passed as argument |
| StringReplace | Replaces regex match/es in string. Returns the string after replace was preformed. |
| Strings | Extract strings from a file with optional filter - similar to binutils strings command |
| StringToArray | Converts string to array. For example: `http://example.com/?score:1,4,time:55\` will be transformed to `["http://example.com/?score:1,4,time:55"]`. |
| StripAccentMarksFromString | Strip accent marks (diacritics) from a given string. For example: "Niño שָׁלוֹם Montréal اَلسَّلَامُ عَلَيْكُمْ" Will return: "Nino שלום Montreal السلام عليكم" |
| SummarizeEmailThreads | Dynamic-section script for 'Email Threads' layout. This script searches for email threads stored in the Incident context and outputs a table summarizing them. |
| TaniumFilterComputersByIndexQueryFileDetails | Get the requested sensors from all machines where the Index Query File Details match the given filter. E.g. !TaniumFilterQuestionByIndexQueryFileDetails sensors="Computer Name" filter_type=contains filter_value=Demisto limit=5 will be translated the following plain text Tanium question: "Get Computer Name from all machines with any Index Query File Details[, , , , , , *, 5] containing "Demisto"" |
| TAXII2ApiModule | Common TAXII 2 code that will be appended into each TAXII 2 integration when it's deployed |
| TextFromHTML | Extract regular text from the given HTML |
| ticksToTime | Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft. |
| TimeStampCompare | Compares a single timestamp to a list of timestamps. |
| TimeStampToDate | Converts UNIX Epoch time stamp to a simplified extended ISO format string. Use it to convert time stamp to Demisto date field e.g. 1525006939 will return '2018-04-29T13:02:19.000Z' |
| TimeToNextShift | Retrieves the time left until the next shift begins. |
| TitaniamFindIncidents | Search for protected or unprotected incidents. |
| TitaniamProtectIncident | Protect/Unprotect (Code/Decode) incident sensitive information per specified mapping schema. |
| TopMaliciousRatioIndicators | Find the top malicious ratio indicators. Malicious ratio is defined by the ratio between the number of "bad" incidents divided by the number of total number of incidents that the indicators appears in. |
| ToTable | Convert an array to a nice table display. Usually, from the context. |
| TransformIndicatorToCSFalconIOC | Transform a XSOAR indicator into a Crowd Strike Falcon IOC. The output (found at the TransformIndicatorToCSFalconIOC.JsonOutput context path) is a JSON, which represents the indicators in CS Falcon format. This JSON can be used as the input for the cs-falcon-batch-upload-custom-ioc command. |
| TransformIndicatorToMSDefenderIOC | Transform a XSOAR indicator into a Microsoft Defender for Endpoint IOC. The output (at TransformIndicatorToMSDefenderIOC.JsonOutput) is a json representation of the indicators in MSDE format. This json can be the input for the microsoft-atp-indicator-batch-update command. |
| TrendmicroAlertStatus | Get last alerts |
| TrendmicroAntiMalwareEventRetrieve | Get anti malware events |
| TrendMicroClassifier | Classifying TrendMicro incidents |
| TrendMicroGetHostID | Returns a table of hosts and thers TrendMicro IDs |
| TrendMicroGetPolicyID | Returns a table of policies and their TrendMicro IDs |
| TrendmicroHostAntimalwareScan | scan computers by host ID list |
| TrendmicroHostRetrieveAll | Get all hosts info |
| TrendmicroSecurityProfileAssignToHost | Get all security profiles |
| TrendmicroSecurityProfileRetrieveAll | Get all security profiles |
| TrendmicroSystemEventRetrieve | Get system events |
| UnEscapeIPs | Remove escaping chars from IP 127[.]0[.]0[.]1 -> 127.0.0.1 |
| UnEscapeURLs | Extract URLs redirected by security tools like Proofpoint. Changes https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_something.html -> https://example.com/something.html Also, un-escape URLs that are escaped for safety with formats like hxxps://www[.]demisto[.]com |
| UnPackFile | Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. supported types are: 7z (.7z), ACE (.ace), ALZIP (.alz), AR (.a), ARC (.arc), ARJ (.arj), BZIP2 (.bz2), CAB (.cab), compress (.Z), CPIO (.cpio), DEB (.deb), DMS (.dms), GZIP (.gz), LRZIP (.lrz), LZH (.lha, .lzh), LZIP (.lz), LZMA (.lzma), LZOP (.lzo), RPM (.rpm), RAR (.rar), RZIP (.rz), TAR (.tar), XZ (.xz), ZIP (.zip, .jar) and ZOO (.zoo) |
| UnzipFile | Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context. |
| URLDecode | Converts https:%2F%2Fexample.com into https://example.com |
| URLNumberOfAds | Fetches the numbers of ads in the given url |
| URLReputation | A context script for URL entities |
| UrlscanGetHttpTransactions | Deprecated. No available replacement. |
| URLSSLVerification | Verify URL SSL certificate |
| UserEnrichAD | Enhancement automation for user type indicator, to enrich the user name from Active Directory data |
| UtilAnyResults | Utility script to use in playbooks - returns "yes" if the input is non-empty. |
| ValidateContent | Runs validation and linting using the Demisto SDK on content items, such as integrations, automations and content packs. This automation script is used as part of the content validation that runs as part of the contribution flow. |
| VerifyEnoughIncidents | Check whether a given query returns enough incidents. |
| VerifyHumanReadableContains | Verify given entry contains a string |
| VerifyIntegrationHealth | Checks for existing errors in a given integration. |
| VerifyIPv4Indicator | Verify that the address is a valid IPv4 address. |
| VerifyIPv6Indicator | Verify that the address is a valid IPv6 address. |
| VerifyJSON | Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet. |
| VerifyObjectFieldsList | Verifies that a given object includes all the given fields. |
| VersionEqualTo | Tests whether left side version number is equal to right side version number. Version numbers need to have at least a major and minor version component to be considered valid. E.g. 1.0 |
| VersionGreaterThan | Tests whether left side version number is greater than right side version number. Version numbers need to have at least a major and minor version component to be considered valid. E.g. 1.0 |
| VersionLessThan | Tests whether left side version number is less than right side version number. Version numbers need to have at least a major and minor version component to be considered valid. E.g. 1.0 |
| VolApihooks | Volatility script for command apihooks |
| Volatility | Execute volatility with command and return tabular output. Incase where proper json output is not supported, scripts returns error. User should use raw command. |
| VolConnscan | Volatility script for command connscan |
| VolDlllist | Volatility script for command ldrmodules |
| VolGetProcWithMalNetConn | Volatility script for getting the list of processes that have connections to ip address with bad reputation. |
| VolImageinfo | Volatility script for command imageinfo |
| VolJson | Execute volatility with command and file as parameters and return output as json. |
| VolLDRModules | Volatility script for command ldrmodules |
| VolMalfind | Volatility script for command ldrmodules |
| VolMalfindDumpAgent | Volatility script for command ldrmodules |
| VolNetworkConnections | Volatility script for finding all the network connections. This script runs through different commands based on the profile provided. |
| VolPSList | Volatility script for command pslist |
| VolRaw | Execute volatility with command and file as parameters and returns raw output from stdout. |
| VolRunCmds | Execute volatility with command and return tabular output. Incase where proper json output is not supported, scripts returns error. User should use raw command. |
| WaitAndCompleteTask | Wait and complete tasks by given status. Used for test playbooks. |
| WaitForKey | A simple loop to inspect the context for a specific key. If the key is not found after "iterations" loops, the script exits with a message. |
| WebScraper | An Automation Script to Web Scrap a URL or HTML Page |
| WhereFieldEquals | Return all items from the list where their given 'field' attribute is equal to 'equalTo' argument E.g. !WhereFieldEquals with the following arguments: - value=[{ "name": "192.1,0.82", "type": "IP" }, { "name": "myFile.txt", "type": "File" }, { "name": "172.0.0.2", "type": "IP" }] - field='type' - equalTo='IP' - getField='name' Will return all items names where field 'type' equals 'IP' - ['192.1,0.82', '172.0.0.2'] |
| XBInfo | Deprecated. This script is deprecated. Use the Exabeam integration instead. |
| XBLockouts | Deprecated. This script is deprecated. Use the Exabeam integration instead. |
| XBNotable | Deprecated. This script is deprecated. Use the Exabeam integration instead. |
| XBTimeline | Deprecated. This script is deprecated. Use the Exabeam integration instead. |
| XBTriggeredRules | Deprecated. This script is deprecated. Use the Exabeam integration instead. |
| XBUser | Deprecated. This script is deprecated. Use the Exabeam integration instead. |
| YaraScan | Performs a Yara scan on the specified files. |
| ZipFile | Zip a file and upload to war room |
| ZipStrings | Joins values from two lists by index according to a given format. |
| ZTAPBuildTimeline | Deprecated. Comment ingestion simplified and audit log ingestion removed. No available replacement. Adds unmarked log/comment notes as evidence in the timeline. |
| ZTAPExtractFields | Extracts ZTAP fields into a format parsable to grab as indicators |
| ZTAPParseFields | Parses ZTAP event fields to display as key/value pairs in a dynamic table. |
| ZTAPParseLinks | Parses ZTAP external links to display in a dynamic table. |
API Reference#
| Name | Description |
|---|---|
| Demisto Class | The object exposes a series of API methods which are used to retrieve and send data to the Cortex XSOAR Server. |
| Common Server Python | Common functions that will be appended to the code of each integration/script before being executed. |
Content Release Notes#
| Name | Date |
|---|---|
| Content Release 22.2.0 | Published on 09 February 2022 |
| Content Release 22.1.0 | Published on 24 January 2022 |
| Content Release 21.12.1 | Published on 21 December 2021 |
| Content Release 21.12.0 | Published on 07 December 2021 |
| Content Release 21.11.1 | Published on 23 November 2021 |
| Content Release 21.11.0 | Published on 09 November 2021 |
| Content Release 21.10.1 | Published on 26 October 2021 |
| Content Release 21.10.0 | Published on 12 October 2021 |
| Content Release 21.9.1 | Published on 29 September 2021 |
| Content Release 21.9.0 | Published on 14 September 2021 |
| Content Release 21.8.2 | Published on 31 August 2021 |
| Content Release 21.8.1 | Published on 17 August 2021 |
| Content Release 21.8.0 | Published on 03 August 2021 |
| Content Release 21.7.1 | Published on 20 July 2021 |
| Content Release 21.7.0 | Published on 06 July 2021 |
| Content Release 21.6.1 | Published on 22 June 2021 |
| Content Release 21.6.0 | Published on 08 June 2021 |
| Content Release 21.5.1 | Published on 25 May 2021 |
| Content Release 21.5.0 | Published on 11 May 2021 |
| Content Release 21.4.1 | Published on 27 April 2021 |
| Content Release 21.4.0 | Published on 13 April 2021 |
| Content Release 21.3.2 | Published on 30 March 2021 |
| Content Release 21.3.1 | Published on 16 March 2021 |
| Content Release 21.3.0 | Published on 02 March 2021 |
| Content Release 21.2.1 | Published on 16 February 2021 |
| Content Release 21.2.0 | Published on 02 February 2021 |
| Content Release 21.1.1 | Published on 19 January 2021 |
| Content Release 21.1.0 | Published on 05 January 2021 |
Additional archived release notes are available here.