Reference Docs

Find reference documentation for Integrations, Automations, Playbooks and more.

Integrations

Name	Description
1Password	Fetch events about actions performed by 1Password users within a specific account, access and modifications to items in shared vaults, and user sign-in attempts.
1Touch.io's Inventa Connector	Use the Inventa integration to generate DSAR reports within Inventa instance and retrieve DSAR data for the XSOAR.
Abnormal Security	Abnormal Security detects the whole spectrum of email attacks, from vendor email compromise and spear-phishing to unwanted email spam and graymail. To stop these advanced attacks, Abnormal leverages the industry’s most advanced behavioral data science to baseline known good behavior and detects anomalies.
Abnormal Security Event Collector	Abnormal Security Event Collector integration for XSIAM.
Absolute	Absolute is an adaptive endpoint security solution that delivers device security, data security, and asset management of endpoints.
abuse.ch SSL Blacklist Feed	The SSL IP Blacklist contains all hosts (IP addresses) that SSLBL has seen in the past 30 days and identified as being associated with a malicious SSL certificate.
AbuseIPDB	Central repository to report and identify IP addresses that have been associated with malicious activity online. Check the Detailed Information section for more information on how to configure the integration.
Acalvio ShadowPlex	Acalvio ShadowPlex is a comprehensive Autonomous Deception Platform that offers Advanced Threat Detection, Investigation and Response capabilities.
Accenture CTI (Deprecated)	Deprecated. Use Accenture CTI v2 instead.
Accessdata (Deprecated)	Deprecated. Use Exterro FTK instead.
ACTI Feed (Deprecated)	Deprecated. Use Accenture CTI Feed instead.
ACTI Indicator Feed	Fetches indicators from a ACTI feed. You can filter returned indicators by indicator type, indicator severity, threat type, confidence, and malware family (each of these are an integration parameter).
ACTI Indicator Query	ACTI provides intelligence regarding security threats and vulnerabilities.
ACTI Vulnerability Query	ACTI provides intelligence regarding security threats and vulnerabilities.
Active Directory Authentication	Authenticate using Active Directory.
Active Directory Query v2	The Active Directory Query integration enables you to access and manage Active Directory objects (users, contacts, and computers).
ActiveMQ	Integration with ActiveMQ queue.
Admin By Request	AdminByRequest is a Privileged Access Management (PAM) solution that enables secure, temporary elevation to local admin rights.
Aella Star Light	Aella Star Light Integration
Agari Phishing Defense	Agari Phishing Defense stops phishing, BEC, and other identity deception attacks that trick employees into harming your business.
Aha	Use the Aha! integration to list and manage Cortex XSOAR features from Aha.
Akamai WAF	Use the Akamai WAF integration to manage common sets of lists used by various Akamai security products and features. This is the modified version where a new command "akamai-update-network-list-elements" was added by the SA.
Akamai WAF SIEM	Use the Akamai WAF SIEM integration to retrieve security events from Akamai Web Application Firewall (WAF) service.
Alexa Rank Indicator (Deprecated)	Deprecated. Vendor has declared end of life for this product. No available replacement.
Alexa Rank Indicator v2 (Deprecated)	Deprecated. Vendor has declared end of life for this product. No available replacement.
AlgoSec	Algosec AppViz, Firewall Analyzer (AFA) and FireFlow(AFF).
Alibaba Action Trail Event Collector	Alibaba logs event collector integration for XSIAM.
AlienVault OTX TAXII Feed	This integration fetches indicators from AlienVault OTX using a TAXII client.
AlienVault OTX v2	Query Indicators of Compromise in AlienVault OTX.
AlienVault Reputation Feed	Use the AlienVault Reputation feed integration to fetch indicators from the feed.
AlienVault USM Anywhere	Searches for and monitors alarms and events from AlienVault USM Anywhere.
AlphaSOC Network Behavior Analytics	Retrieve alerts from the AlphaSOC Analytics Engine
AlphaSOC Wisdom	DNS and IP threat intelligence via the AlphaSOC platform
AlphaVantage	This is an API to get stock prices etc.
Amazon DynamoDB	Amazon DynamoDB Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. DynamoDB lets you offload the administrative burdens of operating and scaling a distributed database, so that you don't have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling. With DynamoDB, you can create database tables that can store and retrieve any amount of data, and serve any level of request traffic. You can scale up or scale down your tables' throughput capacity without downtime or performance degradation, and use the AWS Management Console to monitor resource utilization and performance metrics. DynamoDB automatically spreads the data and traffic for your tables over a sufficient number of servers to handle your throughput and storage requirements, while maintaining consistent and fast performance. All of your data is stored on solid state disks (SSDs) and automatically replicated across multiple Availability Zones in an AWS region, providing built-in high availability and data durability.
Amazon Security Lake	Amazon Security Lake is a fully managed security data lake service.
AMP	Uses CISCO AMP Endpoint
Analyst1	This integration utilizes Analyst1's system to enrich Demisto indicators with data provided by the Analyst1 REST API, such as actor and malware information, activity and reported dates, evidence and hit counts, and more.
Anomali Match	Use Anomali Match to search indicators and enrich domains.
Anomali Security Analytics Alerts	The Anomali Security Analytics pack allows users to manage security alerts by interacting directly with the Anomali Security Analytics platform. It supports creating search jobs, monitoring their status, retrieving results, and updating alert statuses or comments, streamlining integration with Palo Alto XSOAR.
Anomali ThreatStream (Deprecated)	Deprecated. Use Anomali ThreatStream v3 instead. Use Anomali ThreatStream to query and submit threats
Anomali ThreatStream Feed	Use the Anomali ThreatStream Feed Integration to fetch indicators from the Anomali ThreatStream.
Anomali ThreatStream v2 (Deprecated)	Deprecated. Use Anomali ThreatStream v3 integration instead.
Anomali ThreatStream v3	Use Anomali ThreatStream to query and submit threats.
Ansible ACME	Control Automatic Certificate Management Environment on Linux hosts
Ansible Alibaba Cloud	Manage Alibaba Cloud Elastic Compute Instances
Ansible Automation Platform	Scale IT automation, manage complex deployments, and speed productivity.
Ansible Azure	Manage Azure resources.
Ansible Cisco IOS	Cisco IOS Platform management over SSH.
Ansible Cisco NXOS	Cisco NX-OS Platform management over SSH
Ansible DNS	Manage DNS records using NSUpdate
Ansible HCloud	Manage your Hetzner Cloud environment
Ansible Kubernetes	Manage Kubernetes
Ansible Microsoft Windows	Agentless Windows host management over WinRM.
Ansible OpenSSL	Control OpenSSL on a remote Linux hosts
Ansible VMware	Manage VMware vSphere Server, Guests, and ESXi Hosts
Anthropic Claude	Designed to assist security professionals with security investigations, threat hunting, and anomaly detection, leveraging Anthropic Claude's natural language conversational capabilities.
ANY.RUN	ANY.RUN is a cloud-based sandbox with interactive access.
AnythingLLM	Retrieval Augmented Generation (RAG) with LLM and Vector DB that can be local for full data privacy or cloud-based for greater functionality. APIs are documented at: <Anything LLM URL> /api/docs Product documentation: https://docs.useanything.com/
APIMetricsValidation	This integration runs through all scenarios as defined in the API Metrics expected results guide.
APIVoid	APIVoid wraps up a number of services such as ipvoid & urlvoid
appNovi	Search across meshed network, security, and business data in appNovi to make efficient informed security decisions for risk management and incident response. Gain immediate intelligence on assets, visualize risk and threats across your network, and undertake interactive investigations across the network to reduce MTTR for incident response.
Arcanna.AI	Arcanna integration for using the power of AI in SOC.
ArcSight ESM v2	ArcSight ESM SIEM by Micro Focus (Formerly HPE Software).
ArcSight Logger	ArcSight events logger
ArcSight XML (Deprecated)	Deprecated. Use the ArcSight ESM v2 integration instead.
ArcusTeam	The ArcusTeam API allows the user to inspect connected devices' attack surface. By feeding device identifiers and the software it runs: DeviceTotal will return a map of the device’s attack surface. DeviceTotal was built from the ground up in order to provide complete visibility into connected devices and mitigate 3rd party risk. DeviceTotal can continuously identify & predict such that the connected device security posture is being assessed, prioritized and mitigated effectively.
Arduino	Connects to and controls an Arduino pin system using the network.
ARIA Packet Intelligence	The ARIA Cybesecurity Solutions Software-Defined Security (SDS) platform integrates with Cortex XSOAR to add robustness when responding to incidents. The combination of ARIA hardware, in the form of a Secure Intelligent Adapter (SIA), and software, specifically Packet Intelligence and SDS orchestrator (SDSo), provides the elements required to react instantly when an incident is detected. When integrated with the ARIA solution, you can create playbooks that instruct one or more SIAs to add, modify, or delete rules automatically. These rule changes, which take effect immediately, can block conversations, redirect packets to a recorder or VLAN, or perform a variety of other actions.
Arkime	Arkime (formerly Moloch) is a large scale, open source, indexed packet capture and search tool.
Armis	Use the Armis integration to search alerts and devices, tag and untag devices, and set alert statuses.
Armis Event Collector	Collects alerts, devices and activities from Armis resources.
Armorblox	Armorblox is an API-based platform that stops targeted email attacks, protects sensitive data, and automates incident response.
AsanaConnect	This Integration uses Asana PATs to connect to projects tied to the Asana account.
Ataya Harmony	Use the Ataya Harmony integration to assign client which has not yet under assigned status by client imsi.
Atlassian Confluence Cloud	Atlassian Confluence Cloud allows users to interact with confluence entities like content, space, users, and groups. Users can also manage the space permissions.
Atlassian Confluence Server	Atlassian Confluence Server API.
Atlassian IAM	Integrate with Atlassian's services to execute CRUD operations for employee lifecycle processes.
Atlassian Jira Service Management	Use this integration to manage Jira objects and attach files to Jira objects from Cortex XSOAR.
Atlassian Jira v2 (Deprecated)	Deprecated. Use the Atlassian Jira v3 integration instead
Atlassian Jira v3	Use the Jira integration to manage issues, create Cortex XSOAR incidents from Jira projects, and mirror issues to existing issue incidents in Cortex XSOAR. The integration now supports both OnPrem, and Cloud instances.
AttackIQ Platform	An attack simulation platform that provides validations for security controls, responses, and remediation exercises.
Attivo Botsink	Network-based Threat Deception for Post-Compromise Threat Detection.
AutoFocus Daily Feed (Deprecated)	Deprecated. No available replacement.
AutoFocus Feed	Use the AutoFocus Feeds integration to fetch indicators from AutoFocus.
AutoFocus Tags Feed (Deprecated)	Deprecated. Use Unit 42 Intel Objects Feed instead. Use the AutoFocus Tags Feed integration to fetch indicators from AutoFocus Tags.
Automox	Administrate your IT organization from XSOAR with comprehensive commands for the Automox platform.
Awake Security	Network Traffic Analysis.
AWS	The AWS Integration automates management and security configurations across core AWS services - including S3, EC2, IAM, and related resources.
AWS - AccessAnalyzer	Amazon Web Services IAM Access Analyzer.
AWS - ACM	Amazon Web Services Certificate Manager Service (ACM).
AWS - Athena	Amazon Web Services Athena.
AWS - CloudTrail	Amazon Web Services CloudTrail.
AWS - CloudWatchLogs	Amazon Web Services CloudWatch Logs (logs).
AWS - EC2	Amazon Web Services Elastic Compute Cloud (EC2).
AWS - GuardDuty	Amazon Web Services Guard Duty Service (gd).
AWS - GuardDuty Event Collector	Amazon Web Services Guard Duty Service (gd) event collector integration for Cortex XSIAM.
AWS - IAM (user lifecycle management)	Integrate with AWS's services to execute CRUD and Group operations for employee lifecycle processes.
AWS - IAM Identity Center	Amazon Web Services IAM Identity Center.
AWS - Identity and Access Management	Amazon Web Services Identity and Access Management (IAM).
AWS - Lambda	Amazon Web Services Serverless Compute service (lambda).
AWS - Organizations	Manage Amazon Web Services accounts and their resources.
AWS - Route53	Amazon Web Services Managed Cloud DNS Service.
AWS - S3	Amazon Web Services Simple Storage Service (S3).
AWS - Security Hub	Amazon Web Services Security Hub Service.
AWS - SNS	Amazon Web Services Simple Notification Service (SNS).
AWS - SQS	Amazon Web Services Simple Queuing Service (SQS).
AWS - System Manager	AWS Systems Manager is the operations hub for your AWS applications and resources and a secure end-to-end management solution for hybrid cloud environments that enables safe and secure operations at scale.
AWS Feed	Use the AWS feed integration to fetch indicators from the feed.
AWS Network Firewall	AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect. Network Firewall uses rules that are compatible with Suricata, a free, open source intrusion detection system (IDS) engine.
AWS Sagemaker	AWS Sagemaker - Demisto Phishing Email Classifier.
Aws Secrets Manager	AWS Secrets Manager helps you to securely encrypt, store, and retrieve credentials for your databases and other services.
AWS Security Hub Event Collector	An XSIAM event collector integration for AWS Security Hub.
AWS Simple Notification Service (AWS SNS)	Use AWS SNS to send notifications to XSOAR.
AWS-EKS	The AWS EKS integration allows for the management and operation of Amazon Elastic Kubernetes Service (EKS) clusters.
AWS-SNS-Listener	Amazon Simple Notification Service (SNS) is a managed service that provides message delivery from publishers to subscribers.
AWS-WAF	Amazon Web Services Web Application Firewall (WAF).
Axonius	This integration is for fetching information about assets in Axonius.
Azure Active Directory Applications	Use the Azure Active Directory Applications integration to manage authorized applications.
Azure Active Directory Groups	Microsoft Graph Groups enables you to create and manage different types of groups and group functionality according to your requirements.
Azure Active Directory Identity And Access	Use the Azure Active Directory Identity And Access integration to manage roles and members.
Azure Active Directory Identity Protection (Deprecated)	Deprecated. Use Microsoft Graph Identity and Access instead.
Azure Active Directory Users	Unified gateway to security insights - all from a unified Microsoft Graph User API.
Azure AD Connect Health Feed	Use the Microsoft Azure AD Connect Health Feed integration to get indicators from the feed.
Azure Compute v2	Create and Manage Azure Virtual Machines.
Azure Data Explorer	Use the Azure Data Explorer integration to collect and analyze data inside Azure Data Explorer clusters, and to manage search queries.
Azure Feed	Azure.CloudIPs Feed Integration.
Azure Firewall	Azure Firewall is a cloud-native and intelligent network firewall security service that provides breed threat protection for cloud workloads running in Azure. It's a fully stateful, firewall as a service, with built-in high availability and unrestricted cloud scalability.
Azure Key Vault	Use the Azure Key Vault integration to safeguard and manage cryptographic keys and secrets used by cloud applications and services.
Azure Kubernetes Services	Deploy and manage containerized applications with a fully managed Kubernetes service.
Azure Log Analytics	Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments.
Azure Network Security Groups	Azure network security groups are used to filter network traffic to and from Azure resources in an Azure virtual network.
Azure Resource Graph	Azure Resource Graph integration is designed to allow for executing Azure Resource Graph commands, like querying resource data.
Azure Risky Users	Azure Risky Users provides access to all at-risk users and risk detections in the Azure AD environment.
Azure SQL Management	Microsoft Azure SQL Management Integration manages the Auditing and Threat Policies for Azure SQL.
Azure Storage Container	Create and Manage Azure Storage Container services.
Azure Storage FileShare	Create and Manage Azure FileShare Files and Directories.
Azure Storage Management	Deploy and manage storage accounts and blob services.
Azure Storage Queue	Create and Manage Azure Storage Queues and Messages.
Azure Storage Table	Create and Manage Azure Storage Tables and Entities.
Azure Web Application Firewall	The Azure WAF (Web Application Firewall) integration provides centralized protection of your web applications from common exploits and vulnerabilities. It enables you to control policies that are configured in the Azure Firewall management platform, and allows you to add, delete, or update policies, and also to get details of a specific policy or a list of policies.
AzureDevOps	Manage Git repositories in Azure DevOps Services. Integration capabilities include retrieving, creating, and updating pull requests. Run pipelines and retrieve Git information.
Bambenek Consulting Feed	Use the Bambenek Consulting feed integration to fetch indicators from the feed.
Barracuda Reputation Block List (BRBL)	This integration enables reputation checks against IPs from Barracuda Reputation Block List (BRBL).
Bastille Networks	RF monitoring for wireless intrusion detection and policy enforcement. Visit https://www.bastille.net for details.
BeyondTrust - Authorization Requests	Use this integration to handle Beyond Trust authorization requests through XSOAR.
BeyondTrust Password Safe	Unified password and session management for seamless accountability and control over privileged accounts.
BigFix	HCL BigFix Patch provides an automated, simplified patching process that is administered from a single console.
Binalyze AIR	Collect your forensics data under 10 minutes.
Bitbucket	Bitbucket Cloud is a Git-based code and CI/CD tool optimized for teams using Jira.
BitcoinAbuse Feed (Deprecated)	Deprecated. No available replacement.
BitDam	BitDam secure email gateway protects from advanced content-borne threats with the most accurate prevention of known and unknown threats, at their source.
Bitsight for Security Performance Management	Use the "Bitsight for Security Performance Management" Integration to get company guid, details, and findings. This integration also allows to fetch the findings by using the fetch incidents capability.
Bitwarden Password Manager	This integration collects event logs from Bitwarden Password Manager to Cortex XSIAM.
Blocklist_de Feed	Use the Blocklist.de feed integration to fetch indicators from the feed.
BloodHoundEnterprise	Use this integration to fetch audit logs from BloodHound Enterprise as events in Cortex XSIAM.
Bluecat Address Manager	Use the BlueCat Address Manager integration to enrich IP addresses and manage response policies.
Blueliv ThreatCompass	Blueliv ThreatCompass systematically looks for information about companies,products, people, brands, logos, assets, technology and other information, depending on your needs. Blueliv ThreatCompass allows you to monitor and track all this information to keep your data, your organization and its employees safe.
Blueliv ThreatContext	The Threat Context module provides SOC, Incident Response, and Threat Intelligence teams with continuously updated and intuitive information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs.
BMC Discovery	BMC Discovery is a SaaS-based, cloud-native discovery and dependency modeling system that provides instant visibility into hardware, software, and service dependencies across multi-cloud, hybrid, and on-premises environments.
BMC Helix ITSM	BMC Helix ITSM integration enables customers to manage service request, incident, change request, task, problem investigation, known error and work order tickets.
BMC Helix Remedyforce	BMC Helix Remedyforce integration enables customers to create/update service requests and incidents, update statuses, and resolve service requests and incidents with customer notes. This integration exposes standard ticketing capabilities that can be utilized as part of automation & orchestration.
BMC Remedy AR	BMC Remedy AR System is a professional development environment that leverages the recommendations of the IT Infrastructure Library (ITIL) and provides a foundation for Business Service Management (BSM) solutions. For incident management (i.e. create, fetch, update), please refer to Remedy On-Demand integration.
Bonusly	The Bonusly integration is used to interact with the Bonusly platform through the API. Bonusly is an employee recognition platform which enterprises use to for employee recognition.
Box (Deprecated)	Deprecated. Use the Box v2 integration instead.
Box Event Collector	Collect events from Box's logs.
Box v2	Manage Box users.
Brandefense	Branddefense is looking for data for each brand and collecting information and alarming the related brand about dark web finding (credentials, similar domain names etc.) related to the firm.With Brandefense integration it is possible to automate Brand related alarms and breach notifications, actions and much more.
BreachRx	Automate your privacy Incident Response workflow through the BreachRx platform.
BruteForceBlocker Feed	BruteForceBlocker is a Perl script that works with pf – firewall developed by the OpenBSD team, and is also available on FreeBSD from version 5.2. From BruteForceBlocker version 1.2 it is also possible to report blocked IP addresses to the project site and share your information with other users.
C2sec irisk	Understand Your Cyber Exposure as Easy as a Google Search
Cado Response	Automate data collection. Process data at cloud speed. Analyze with purpose.
Camlytics	You can use this integration to automate different Camlytics surveillance analysis actions.
Carbon Black Endpoint Standard Event Collector	Endpoint Standard (formerly called Carbon Black Defense), a Next-Generation Anti-Virus + EDR. Collect Anti-Virus & EDR alerts and Audit Log Events.
Carbon Black Endpoint Standard v2	Endpoint Standard is an industry-leading next-generation antivirus (NGAV) and behavioral endpoint detection and response (EDR) solution. Endpoint Standard is delivered through the Carbon Black Cloud, an endpoint protection platform that consolidates security in the cloud using a single agent, console and data set.
Carbon Black Endpoint Standard v3	Endpoint Standard is an industry-leading next-generation antivirus (NGAV) and behavioral endpoint detection and response (EDR) solution. Endpoint Standard is delivered through the Carbon Black Cloud, an endpoint protection platform that consolidates security in the cloud using a single agent, console and data set.
Carbon Black Enterprise EDR	VMware Carbon Black Enterprise EDR (formerly known as Carbon Black ThreatHunter) is an advanced threat hunting and incident response solution delivering continuous visibility for top security operations centers (SOCs) and incident response (IR) teams. (formerly known as ThreatHunter).
Carbon Black Live Response Cloud	VMware Carbon Black Endpoint Standard Live Response is a feature that enables security operators to collect information and take action on remote endpoints in real time. These actions include the ability to upload, download, and remove files, retrieve and remove registry entries, dump contents of physical memory, and execute and terminate processes.
Celonis	The Celonis Platform offers you a suite of process mining and intelligence features, helping you to integrate your data and then use that data to analyze, improve, and monitor your business performance across key metrics.
Censys v2	Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the internet. Driven by internet-wide scanning, Censys lets researchers find specific hosts and create aggregate reports on how devices, and certificates are configured and deployed.
Centreon	IT & Network Monitoring.
Centrify Vault	Leverage the Centrify Vault integration to create and manage Secrets.
Check Point Dome9 (CloudGuard)	Dome9 integration allows to easily manage the security and compliance of the public cloud.
Check Point Firewall (Deprecated)	Deprecated. Use the Check Point Firewall v2 integration instead. Manage Check Point firewall via API
Check Point Harmony Email and Collaboration (HEC)	The Best Way to Protect Enterprise Email & Collaboration from phishing, malware, account takeover, data loss, etc.
Check Point Harmony Endpoint	Checkpoint Harmony Endpoint provides a complete endpoint security solution built to protect organizations and the remote workforce from today's complex threat landscape.
Check Point Network Detection and Response (Infinity NDR)	Collect network security events from Check Point Infinity NDR for your secured SaaS periodically.
Check Point Threat Emulation (SandBlast)	Uploads files using polling. The service supports Microsoft Office files, as well as PDF, SWF, archives, and executables. Active content will be cleaned from any documents that you upload (Microsoft Office and PDF files only). Queries on existing IOCs, file status, analysis, and reports. Downloads files from the database. Supports both appliance and cloud. Supported Threat Emulation versions are any R80x.
CheckPhish	Check any URL to detect supsicious behavior.
CheckPoint Firewall v2	Use this integration to read information and send commands to the Check Point Firewall server.
Cherwell	Cloud-based IT service management solution
Chronicle	Use the Chronicle integration to retrieve Asset alerts or IOC Domain matches as Incidents. Use it to fetch a list of infected assets based on the indicator accessed. This integration also provides reputation and threat enrichment of indicators observed in the enterprise.
Chronicle Streaming API	Use the Google Chronicle Backstory Streaming API integration to ingest detections created by both user-created rules and Chronicle Rules as XSOAR incidents.
CimTrak - System Integrity Assurance	The CimTrak integration helps you detect unexpected system/device/config modifications and automatically respond/react to threats.
CIRCL	CIRCL Passive DNS is a database storing historical DNS records from various resources. CIRCL Passive SSL is a database storing historical X.509 certificates seen per IP address. The Passive SSL historical data is indexed per IP address.
CIRCL CVE Search	Searches for CVE information using circl.lu.
CircleCI	Gets the details of the CircleCI workflows; including the details of the last runs and the jobs, and retrieves the artifacts of the jobs.
CIRCLEHashlookup	CIRCL hash lookup is a public API to lookup hash values against known database of files. NSRL RDS database is included and many others are also included. The API is accessible via HTTP ReST API and the API is also described as an OpenAPI. The service is free and served as a best-effort basis.
Cisco AMP (Deprecated)	Deprecated. Use Cisco AMP v2 instead.
Cisco AMP Event Collector	This is the Cisco AMP event collector integration for Cortex XSIAM.
Cisco AMP v2	Cisco Advanced Malware Protection software is designed to prevent, detect, and help remove threats in an efficient manner from computer systems. Threats can take the form of software viruses and other malware such as ransomware, worms, Trojans, spyware, adware, and fileless malware.
Cisco ASA	Use the Cisco Adaptive Security Appliance Software integration to manage interfaces, rules, and network objects.
Cisco Email Security Appliance (IronPort) (Deprecated)	Deprecated. Use Cisco Email Security Appliance (IronPort) V2 instead.
Cisco ESA	The Cisco Email Security Appliance is an email security gateway product. It is designed to detect and block a wide variety of email-born threats, such as malware, spam and phishing attempts.
Cisco Firepower	Use the Cisco Firepower integration for unified management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection.
Cisco ISE	Next-generation secure network access.
Cisco Meraki (Deprecated)	Cloud controlled WiFi, routing, and security. Deprecated. Use CiscoMerakiv2 instead.
Cisco Meraki v2	Cisco Meraki is a cloud-managed IT company that simplifies networking, security, communications, and endpoint management. Its platform offers centralized management for devices, networks, and security through an intuitive web interface. Key functionalities include managing organizations, networks, devices, and their licenses, as well as monitoring device statuses and client activities.
Cisco Secure Cloud Analytics (Stealthwatch Cloud)	Protect your cloud assets and private network
Cisco Secure Malware Analytics (Threat Grid) v2	Query and upload samples to Cisco threat grid.
Cisco Secure Malware Analytics Feed	Secure Malware Analytics (formerly Threat Grid) combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware.
Cisco Secure Network Analytics (Stealthwatch)	Scalable visibility and security analytics.
Cisco Security Management Appliance	The Security Management Appliance (SMA) is used to centralize services from Email Security Appliances (ESAs) and Web Security Appliances (WSAs).
Cisco ThousandEyes	This is the Cisco ThousandEyes event collector integration for Cortex XSIAM.
Cisco Threat Grid (Deprecated)	Deprecated. Use Cisco Secure Malware Analytics (Threat Grid) v2 instead.
Cisco Umbrella Cloud Security (Deprecated)	Deprecated. Use Cisco Umbrella Cloud Security v2 instead.
Cisco Umbrella Cloud Security v2	Cisco Umbrella is a cloud security platform providing the first line of defense against internet threats. It uses DNS-layer security to block malicious requests before a connection is established, offering protection against malware, ransomware, phishing, and more. It offers real-time reporting, integrates with other Cisco solutions for layered security, and uses machine learning to uncover and predict threats.
Cisco Umbrella Enforcement	Add and remove domains in Cisco OpenDNS.
Cisco Umbrella Investigate	Cisco Umbrella Investigate enables you to research domains, IPs, and URLs observed by the Umbrella resolvers.
Cisco Umbrella Reporting	The Umbrella Reporting v2 API provides visibility into your core network and security activities and Umbrella logs.
Cisco Webex Event Collector	Cisco Webex Event Collector fetches Events and Admin Audit Events and Security Audit Events.
Cisco Webex Feed	Use the Cisco Webex Feed integration to fetch indicators from Webex.
Cisco Webex Teams	Send messages, create rooms and more, via the Cisco Spark API.
Cisco WSA v2	Cisco Secure Web Appliance protects your organization by automatically blocking risky sites and testing unknown sites before allowing users to click on them.
CiscoEmailSecurity (Beta) (Deprecated)	Deprecated. Use Cisco Security Management Appliance instead.
CiscoWSA (Deprecated)	Deprecated. Use CiscoWSAV2 instead.
Clarizen IAM	IAM integration for Clarizen. Handles user account auto-provisioning to Clarizen.
Claroty	Use the Claroty CTD integration to manage assets and alerts.
ClickSend	This is the ClickSend integration for make a phonecall from XSOAR made by Trustnet
Cloaken	Unshorten URLs onsite using the power of a Tor proxy server to prevent leaking IP addresses to adversaries.
CloudConvert	Use the CloudConvert integration to convert your files to the desired format.
Cloudflare Feed	Use the Cloudflare feed integration to fetch indicators from the feed.
Cloudflare WAF	Cloudflare WAF integration allows customers to manage firewall rules, filters, and IP-lists. It also allows to retrieve zones list for each account.
Cloudflare Zero Trust	Cloudflare provides network and security products for consumers and businesses, utilizing reverse proxies for web traffic, edge computing, and a content distribution network to provide content across its network of servers.
CloudShare (Beta)	Cloudshare integration.
CloudShark	Use the CloudShark integration to upload, share, and collaborate on network packet capture files using your on-premises CS Enterprise system.
Code42	Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.
Code42 Event Collector	Code42 Insider Risk software solutions provide the right balance of transparency, technology and training to detect and appropriately respond to data risk. Use the Code42EventCollector integration to fetch file events and audit logs.
Cofense Feed	Use the Cofense Feed Integration to fetch indicators from the feed.
Cofense Intelligence (Deprecated)	Deprecated. Use Cofense Intelligence v2 instead. Use the Cofense Intelligence integration to check the reputation of URLs, IP addresses, file hashes, and email addresses.
Cofense Intelligence v2	Use the Cofense Intelligence integration to check the reputation of domains, URLs, IP addresses, file hashes, and email addresses.
Cofense Triage (Deprecated)	Deprecated. Use the Cofense Triage v2 integration instead.
Cofense Triage v2	Use the Cofense Triage integration to ingest reported phishing indicators.
Cofense Triage v3	The integration uses the Cofense Triage v2 API that allows users to ingest phishing reports as incident alerts and execute commands such as threat indicators, reporters, categorize reports, and more.
Cofense Vision	The Cofense Vision integration provides commands to initiate advanced search jobs to hunt suspicious emails matching IOCs. It also contains commands to quarantine emails, download messages and their attachments, and aids to manage IOCs in the local repository to keep up with upcoming emerging threats.
Cognni	Autonomous detection and investigation of information security incidents and other potential threats.
Cohesity Helios Event Collector	This is the Cohesity Helios Event Collector integration for XSIAM.
CohesityHelios	Integrate with Cohesity Helios services to fetch alerts and take remedial action.
Commvault Cloud	Commvault Cloud provides pre-built integrations, automation workflows, and playbooks to streamline operations, enhance threat intelligence integration, and gain actionable insights through advanced reporting and analytics.
Computer Vision Engine	This integration is processing images or movies and detects objects on them by using Machine Learning. It is using OpenCV with: YOLO COCO.
ConcentricAI	Concentric’s Semantic Intelligence™ solution discovers and protects business critical, unstructured data. We use deep learning to identify risky sharing, inappropriate third party access, assets in the wrong location, mis-classified documents, or lateral movement of data – all without rules or complex upfront configuration.
Confluera	This is the confluera Iq-Hub integration with cortex.
Coralogix	Fetch incidents, search for supporting data and tag interesting datapoints in/from your Coralogix account.
Core Lock	Locking mechanism that prevents concurrent execution of different tasks
Core REST API	Use Core REST APIs.
Cortex Attack Surface Management	Integration to pull assets and other ASM related information.
Cortex Platform - Core	This integration uses the Cortex API to access all the core services and capabilities of the Cortex platform.
Cortex XDR - IOC	Use the Cortex XDR - IOCs feed integration to sync indicators from Cortex XSOAR to Cortex XDR and back to Cortex XSOAR. Cortex XDR is the world's first detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks.
Cortex XDR - IR CTF	Cortex XDR is the world's first detection and response app that natively integrates network, endpoint, and cloud data to stop sophisticated attacks.
Cortex XDR - XQL Query Engine	Cortex XDR - XQL Query Engine enables you to run XQL queries on your data sources.
Cortex Xpanse	Integration to pull assets and other ASM related information.
Cortex Xpanse Legacy (Deprecated)	Deprecated. Use Cortex Xpanse integration instead. > The Xpanse integration for Cortex XSOAR leverages the Expander API to create incidents from Cortex Xpanse issues. It also leverages Cortex Xpanse's unparalleled view of the Internet to enrich IPs, domains and certificates using information from assets discovered by Cortex Xpanse Expander and risky flows detected by Cortex Xpanse Behavior.
CounterCraft Deception Director	CounterCraft Deception Solution detects advanced adversaries. Automate counterintelligence campaigns to discover targeted attacks with real-time active response.
CounterTack	CounterTack empowers endpoint security teams to assure endpoint protection for Identifying Cyber Threats. Integrating a predictive endpoint protection platform
Covalence For Security Providers	Triggers by any alert from endpoint, cloud, and network security monitoring, with mitigation steps where applicable. Query Covalence for more detail.
Covalence Managed Security	Triggers by triaged alerts from endpoint, cloud, and network security monitoring. Contains event details and easy-to-follow mitigation steps.
Create Test Incidents	CreateIncidents fetches custom incidents that are created manually.
CrowdSec	Identify Malicious IP addresses with the CrowdSec CTI API.
CrowdStrike Falcon	The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.
CrowdStrike Falcon Intel (Deprecated)	Deprecated. Use CrowdStrike Falcon Intel v2 integration instead.
CrowdStrike Falcon Intel Feed Actors	The CrowdStrike intelligence team tracks the activities of threat actor groups and advanced persistent threats (APTs) to understand as much as possible about their known aliases, targets, methods, and more. This integration retrieves indicators from the CrowdStrike Falcon Intel Feed.
CrowdStrike Falcon Intel v2	CrowdStrike Threat intelligence service integration helps organizations defend themselves against adversary activity by investigating incidents, and accelerating alert triage and response.
CrowdStrike Falcon Intelligence Sandbox	Use the CrowdStrike Falcon Intelligence Sandbox integration to submit files, file hashes, URLs, and FTPs for sandbox analysis, and to retrieve reports.
CrowdStrike Falcon Sandbox (Deprecated)	Deprecated. Use CrowdStrike Falcon Sandbox V2 instead.
CrowdStrike Falcon Sandbox v2 (Hybrid-Analysis)	Fully automated malware analysis using Hybrid Analysis API.
CrowdStrike Falcon Streaming v2	Use the CrowdStrike Falcon Stream v2 integration to stream detections and audit security events.
CrowdStrike Indicator Feed	Retrieves indicators from the CrowdStrike Falcon Intel Feed.
CrowdStrike Malquery	Use the MalQuery Integration to query the contents of clean and malicious binary files, which forms part of Falcon's search engine.
CrowdStrike OpenAPI (Beta)	Use the CrowdStrike OpenAPI integration to interact with CrowdStrike APIs that do not have dedicated integrations in Cortex XSOAR, for example, CrowdStrike FalconX, etc.
Cryptocurrency	Cryptocurrency will help classify Cryptocurrency indicators with the configured score when ingested.
Cryptosim	CRYPTOSIM gets correlations and correlation's alerts. Integration fetchs alerts to incident according to instance.
CSCDomainManager	CSCDomainManager is an integration that supports querying and enriching domains through CSCDomainManager API.
CSV Feed	Fetch indicators from a CSV feed.
CTIX v3	This is Cyware Threat Intelligence eXhange(CTIX) integration which enriches IP/Domain/URL/File Data.
CTM360 CyberBlindspot	Take action on incidents derived from CTM360 CBS threat intelligence that is directly linked to your organization.
CTM360 HackerView	External Attack Surface Management platform, which combines automated asset discovery, issue identification / management, remediation guidelines, security ratings and third party risk management.
Cuckoo Sandbox	Malware dynamic analysis sandboxing
CustomIndicatorDemo	This is a demo integration that demonstrates the usage of the CustomIndicator helper class.
CVE Search v2 (Deprecated)	Deprecated. Use CIRCL CVE Search instead.
CybelAngel	CybelAngel collects reports from the CybelAngel platform, which specializes in external attack surface protection and management.
CybelAngel EASM	This integration connects your alerts from CybelAngel.
Cyber Triage	Allows you to conduct a mini-forensic investigation on an endpoint. It pushes a collection tool to the remote endpoint, collects volatile and file system data, and analyzes the data.
CyberArk AIM (Deprecated)	Deprecated. Use the CyberArk AIM v2 integration instead.
CyberArk AIM v2	The CyberArk Application Identity Manager (AIM) provides a secure safe in which to store your account credentials. Use this integration to retrieve the account credentials in CyberArk AIM.
CyberArk EPM Event Collector	CyberArk EPM Event Collector fetches events.
CyberArk Identity Event Collector	This integration collects events from the Idaptive Next-Gen Access (INGA) using REST APIs.
CyberArk PAS	Use the CyberArk Privileged Access Security (PAS) solution to manage users, safes, vaults, and accounts from Cortex XSOAR.
CyberChef	CyberChef is a web-application developed by GCHQ that's been called the “Cyber Swiss Army Knife”.
Cybereason	Endpoint detection and response to manage and query malops, connections and processes.
Cyberint Alerts	Cyberint provides intelligence-driven digital risk protection. This integration will help your enterprise effectively consume actionable cyber alerts to increase your security posture.
Cyberint Feed	Use the Cyberint Feed integration to get indicators from the feed.
Cyberpion	The Cyberpion integration allows you to seamlessly receive all your Cyberpion security solution Action Items and supportive information to your Cortex XSOAR.
Cybersixgill Actionable Alerts	Cybersixgill automatically collects intelligence in real-time on all items that appear in the underground sources which we monitor. By using various rules and machine learning models, Cybersixgill automatically correlates these intelligence items with pre defined organization assets, and automatically alerts users in real time of any relevant intelligence items.
Cybersixgill DVE Enrichment	By enriching CVEs with the DVE Score, Cortex XSOAR customers gain deeper visibility with relevant threat intel from the deep and dark web with dynamic attributes such as where they are trending, POC exploit details, and more. Loaded with extra-context, this allows users to accurately understand the real impact of CVEs to effectively prioritize critical vulnerabilities.
Cybersixgill DVE Feed Threat Intelligence (Deprecated)	Deprecated. Use Cybersixgill DVE Feed Threat Intelligence v2 from the Cybersixgill-DVE pack instead.
Cybersixgill DVE Feed Threat Intelligence v2	The Cybersixgill Dynamic Vulnerability Exploit (DVE) Score is based on the most comprehensive collection of vulnerability-related threat intelligence and is the only solution that provides users total context and predicts the immediate risks of a vulnerability based on threat actors’ intent. Cortex XSOAR users can track threats stemming from CVEs that most others define as irrelevant and have a higher probability of being exploited via their Cortex XSOAR dashboard.
CyberTotal	CyberTotal is a cloud-based threat intelligence service developed by CyCraft.
Cyberwatch	Get Assets, CVEs, and Security Issues data from Cyberwatch Vulnerability and Compliance Manager.
CyberX - Central Manager	Updates alerts in CyberX Central Management
Cyble Events	Cyble Events for Vision Users. Must have Vision API access to use the threat intelligence.
Cyble Threat Intel	Cyble Threat Intelligence for Vision Users. Must have access to Cyble TAXII Feed to access the threat intelligence.
CybleEvents v2	Cyble Events for Vision Users. Must have Vision API access to use the threat intelligence.
CyCognito	The CyCognito integration fetches issues discovered by the CyCognito platform, thereby providing users with a view of their organization's internet-exposed attack surface. These issues include identification, prioritization, and recommendations for remediation of the risks faced by the organization. The integration contains commands to query assets and issues detected by the CyCognito platform, and includes a rich dashboard and layout with issue management capability.
CyCognito Feed	The CyCognito Feed integration retrieves the discovered assets from the CyCognito platform based on user-specified filters. A comprehensive dashboard and layout are also included.
Cyjax Feed	The feed allows customers to pull indicators of compromise from cyber incidents (IP addresses, URLs, domains, CVE and file hashes).
Cylance Protect v2	Manage Endpoints using Cylance protect.
Cymptom	Cymptom is a Breach and Attack Simulation solution that revolutionizes the existing approach by transforming attack simulation into a data analysis question. Cymptom agentless scanning brings real-time always-on visibility into the entire security posture.
Cymulate	Multi-Vector Cyber Attack, Breach and Attack Simulation
Cymulate v2	Multi-Vector Cyber Attack, Breach and Attack Simulation.
Cyren Inbox Security	Cyren Inbox Security is an innovative solution that safeguards Office 365 mailboxes in your organization against evasive phishing, business email compromise (BEC), and fraud. This integration imports incidents from Cyren Inbox Security into XSOAR, and includes a playbook for incident resolution.
Cyren Threat InDepth Threat Intelligence Feed	Threat InDepth's actionable and contextualized intelligence helps enterprises improve their threat detection and response by providing unprecedented visibility into new email-borne security threats faster than other security vendors.
Cyware Threat Intelligence eXchange	This is Cyware Threat Intelligence eXhange(CTIX) integration which enriches IP/Domain/URL/File Data.
Darktrace (Deprecated)	Deprecated. Use DarktraceMBs, DarktraceAIA, DarktraceAdmin instead.
Darktrace Admin	This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to manage device actions including device statuses and tags. Your understanding of potential threats can also be levelled-up with Advanced Search logs from DPI.
Darktrace AI Analyst	Rapid detection of malicious behaviour can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines. AI actions can also be applied.
Darktrace ASM	This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to monitor their attack surface for risks, high-impact vulnerabilities and external threats.\nTo configure the connection to your Darktrace Attack Surface Management instance, you will provide:\n- Server URL of Darktrace ASM instance (ex: darktrace.yourcompany.com) and any necessary proxy information\n- The API Token from the Darktrace ASM instance.
Darktrace Event Collector	Use this integration to fetch model breaches from Darktrace as events in XSIAM.
Darktrace Model Breaches	Rapid detection of malicious behaviour can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate model breaches and all model breach related actions (such as commenting, acknowledging and model logic info).
DarktraceEmail	This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines.
DataBee	DataBee, from Comcast Technology Solutions, is a cloud-native security and compliance data fabric that ingests data from multiple disparate feeds and then aggregates, compresses, standardizes, enriches, correlates, and normalizes the data before transferring a full time-series dataset to your data lake of choice.
Datadog Cloud SIEM	Datadog is an observability service for cloud-scale applications, providing monitoring of servers, databases, tools, and services, through a SaaS-based data analytics platform. The SaaS platform integrates and automates infrastructure monitoring, application performance monitoring and log management to provide unified, real-time observability of our customers' entire technology stack.
Dataminr Pulse	Dataminr Pulse's AI-powered, real-time intelligence integrates into Cortex XSOAR workflows for faster detection and response.
DB2	Integration to provide connectivity to IBM DB2 using the python ibm_db2 library.
DBot Truth Bombs	You thought you know DBot... guess again! Here are some super secrete facts about DBot we bet you didn't know.
DeCYFIR	DeCYFIR API's provides External Threat Landscape Management insights.
DeCYFIR Indicators & Threat Intelligence Feed	DeCYFIR API's provides External Threat Landscape Management insights.
Deep Instinct	The Deep Learning cybersecurity platform, for zero time prevention.
DeepInstinct v3	Deep Instinct is a prevention-first approach to stopping ransomware and other malware using the world's first purpose-built, deep learning cybersecurity framework.
DeepL	This integration uses DeepL (https://www.deepl.com/) to translate text or files
DeHashed	This integration allows you to check if your personal information such as your email, username, or password is being compromised.
DelineaDSV	Manage credentials for applications, databases, CI/CD tools, and services without causing friction in the development process.
DelineaSS	Secret Server is the only fully featured Privileged Account Management (PAM) solution available both on premise and in the cloud. It empowers security and IT ops teams to secure and manage all types of privileged accounts and offers the fastest time to value of any PAM solution.
Dell Secureworks	Provides access to the Secureworks CTP ticketing system
Demisto Lock	Locking mechanism that prevents concurrent execution of different tasks.
Demisto REST API (Deprecated)	Deprecated. Use Core REST API instead.
Devo (Deprecated)	Deprecated. Use the Devo v2 integration instead.
Devo v2	Use the Devo v2 integration to query Devo for alerts, lookup tables, with support of pagination, and to write to lookup tables.
DHS Feed	The Cybersecurity and Infrastructure Security Agency’s (CISA’s) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators, at machine speed, to the Federal Government community.
DHS Feed v2	The Cybersecurity and Infrastructure Security Agency’s (CISA’s) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators, at machine speed, to the Federal Government community.
Digital Defense FrontlineVM	Use the Digital Defense FrontlineVM to identify and evaluate the security and business risks of network devices and applications deployed as premise, cloud, or hybrid network-based implementations.
Digital Guardian	Use Digital Guardian Integration to fetch incidents and to programmatically add or remove entries from watchlists and component lists.
Digital Guardian ARC Event Collector	Digital Guardian ARC event collector.
Digital Shadows	Digital Shadows monitors and manages an organization's digital risk across the widest range of data sources within the open, deep, and dark web.
Discord	This is the Discord integration for sending Messages from XSOAR to Discord server made by Trustnet
DNSOverHttps	Query dns names over https from Cloudflare or Google
dnstwist	Use the DNSTwist integration to detect typosquatting, phishing, and corporate espionage.
Docker Engine API	The Engine API is an HTTP API served by Docker Engine. It is the API the Docker client uses to communicate with the Engine, so everything the Docker client can do can be done with the API.
DomainTools (Deprecated)	Deprecated. Use DomainTools Iris Pack instead.
DomainTools Iris	Together, DomainTools and Cortex XSOAR automate and orchestrate the incident response process with essential domain profile, web crawl, SSL and infrastructure data. SOCs can create custom, automated workflows to trigger Indicator of Compromise (IoC) investigations, block threats based on connected infrastructure, and identify potentially malicious domains before weaponization. The DomainTools App for Cortex XSOAR is shipped with pre-built playbooks to enable automated enrichment, decision logic, ad-hoc investigations, and the ability to persist enriched intelligence.
DomainTools Iris Detect	DomainTools is an essential component in the security stack of mature enterprises and performance-driven security teams.
Doppel	Doppel is a Modern Digital Risk Protection Solution, that detects the phishing and brand cyber attacks on the emerging channels. Doppel scans millions of channels online which includes, social media, domains, paid ads, dark web, emerging channels, etc. Doppel can identify the malicious content and cyber threats, and enables their customers to take down the digital risks proactively. The Cortex XSOAR pack for Doppel mirrors the alerts created by Doppel as Cortex XSOAR incidents. The pack also contains the commands to perform different operations on Doppel alerts.
Dragos Worldview	Custom integration designed to pull in reports from the Dragos Worldview API as incidents.
Drift	Drift integration to fetch, modify, create and delete contacts within the Drift Plattform's Contact API.
Dropbox Event Collector	Collect events from Dropbox's logs.
Druva Event Collector	Druva Ransomware Response Integration provides ransomware protection for endpoints, SaaS applications and data center workloads for Druva Ransomware Recovery customers.
Druva Ransomware Response	Druva Ransomware Response Integration provides ransomware protection for endpoints, SaaS applications and data center workloads for Druva Ransomware Recovery customers.
DShield Feed	This integration fetches a list that summarizes the top 20 attacking class C (/24) subnets over the last three days from Dshield.
Duo	DUO authentication service.
DUO Admin	DUO for admins. Must have access to the admin api in order to use this.
Duo Event Collector	Collects Auth and Audit events for Duo using the API.
DuoAuth	The Duo Auth API lets developers integrate with Duo Security's platform at a low level.
EasyVista	EasyVista Service Manager manages the entire process of designing, managing and delivering IT services.
EclecticIQ Intelligence Center v3	Threat Intelligence Platform that connects and interprets intelligence data from open sources, commercial suppliers and industry partnerships .
EclecticIQ Platform (Deprecated)	Deprecated. No available replacement.
EclecticIQ Platform v2 (Deprecated)	Deprecated. Use EclecticIQ Intelligence Center v3 instead.
Edgescan	Cloud-based continuous vulnerability management and penetration testing solution.
EDL Monitor	This integration can monitor EDLs by emailing the content of an EDL as a zipped file to a specified user at an interval (when run with a job), and/or simply monitor the EDL for availability and email the user if the EDL is not available in other playbooks
Elasticsearch Feed	Fetches indicators stored in an Elasticsearch database.
Elasticsearch v2	Search for and analyze data in real time. Supports version 6 and later.
Email Hippo	This is the Email Hippo integration used to verify email sources as fake emails that were used as part of phishing attacks.
EmailRep.io	Provides email address reputation and reports.
Endace	The EndaceProbe Analytics Platform provides 100% accurate, continuous packet capture on network links up to 100Gbps, with unparalleled depth of storage and retrieval performance. Coupled with the Endace InvestigationManager, this provides a central search and data-mining capability across a fabric of EndaceProbes deployed in a network. This integration uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager and enables integration of full historical packet capture into security automation workflows.
Envoy IAM	Integrate with Envoy Identity Access Management services to execute CRUD operations to employee lifecycle processes.
European Union Vulnerability Database	API for querying recent vulnerabilities from the ENISA EUVD database.
EWS Extension Online Powershell v2 (Deprecated)	Deprecated. Use EWS Extension Online Powershell v3 instead.
EWS Extension Online Powershell v3	Use the EWS Extension Online Powershell v3 integration to get information about mailboxes and users in your organization. This integration can also retrieve and modify Tenant Allow/Block Lists.
EWS Mail Sender (Deprecated)	Exchange Web Services mail sender. Note: this integration supports Office 365 basic authentication only. If you are using Office 365, we recommend using the EWS O365 Integration instead, which supports modern authentication (oauth2). Deprecated. Use EWS v2 instead
EWS O365	The new EWS O365 integration uses OAuth 2.0 protocol and can be used with Exchange Online and Office 365 (mail).
EWS v2	Exchange Web Services and Office 365 (mail).
Exabeam Advanced Analytics	The Exabeam Security Management Platform provides end-to-end detection, User Event Behavioral Analytics, and SOAR.
Exabeam Data Lake	Exabeam Data Lake provides a searchable log management system. Data Lake is used for log collection, storage, processing, and presentation.
Exabeam Security Operations Platform	Exabeam Security Operations Platform offers a centralized and scalable platform for log management.
ExceedLMS IAM	Integrate with Exceed LMS Identity Access Management services to execute CRUD operations to employee lifecycle processes.
Exchange 2016 Compliance Search (Deprecated)	Deprecated. Use EWS V2 instead.
Exodus Intelligence Vulnerabilities	Exodus Intelligence
Expanse (Deprecated)	Deprecated. Use the Expanse v2 integration instead. The Expanse App for Demisto leverages the Expander API to retrieve network exposures and risky flows to create incidents in Demisto. This application also allows for IP, Domain, Certificate, Behavior, and Exposure enrichment, retrieving assets and exposures information drawn from Expanse’s unparalleled view of the Internet.
Expanse Expander Feed (Deprecated)	Deprecated. Use Xpanse Feed integration instead. > Use this feed to retrieve the discovered IPs/Domains/Certificates from Expanse Expander asset database.
Export Indicators Service (Deprecated)	Deprecated. Use the Generic Export Indicators Service integration instead. Use the Export Indicators Service integration to provide an endpoint with a list of indicators as a service for the system indicators.
Exterro FTK	Use the Exterro FTK integration to protect against and provide additional visibility into phishing and other malicious email attacks.
ExtraHop Reveal(x)	ExtraHop Reveal(x) for Cortex XSOAR is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.
ExtraHop Reveal(x) Event Collector	ExtraHop Reveal(x) is a network detection and response solution that provides complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.
F5 Application Security Manager (WAF)	Manages F5 firewall
F5 firewall	Manages F5 firewall rules
F5 LTM	Manages F5 LTM
F5 Silverline	F5 Silverline Threat Intelligence is a cloud-based service incorporating external IP reputation and reducing threat-based communications. By identifying IP addresses and security categories associated with malicious activity, this managed service integrates dynamic lists of threatening IP addresses with the Silverline cloud-based platform, adding context-based security to policy decisions.
FalconHost (Deprecated)	Deprecated. Use the CrowdStrike Falcon integration instead.
Farsight DNSDB	Query Farsight DNSDB service
Farsight DNSDB v2	Farsight Security DNSDB DNSDB is a Passive DNS (pDNS) historical database that provides a unique, fact-based, multifaceted view of the configuration of the global Internet infrastructure DNSDB leverages the richness of Farsight’s Security Information Exchange (SIE) data-sharing platform and is engineered and operated by leading DNS experts.
Fastly Feed	Use Fastly Feed to get assigned CIDRs and add them to your firewall's allowlist in order to enable using Fastly's services.
Feed MISP Threat Actors	Fetches the MISP threat actor galaxy and builds it into Threat Actor indicators in Cortex Threat Intel Management (TIM).
FeedDomainTools	Real-Time Threat Intelligence Feeds provide data on the different stages of the domain lifecycle: from first-observed in the wild, to newly re-activated after a period of quiet. Newly Active Domains surfaces apex-level domains seen for the first time or after ten or more days of inactivity. Newly Observed Domains surfaces domains that we observe for the first time.
Feedly Feed	Ingest articles with indicators, entities and relationships from Feedly into XSOAR.
Feodo Tracker IP Blocklist Feed	Gets a list of bad IPs from Feodo Tracker.
Fidelis EDR	Use the Fidelis Endpoint integration for advanced endpoint detection and response (EDR) across Windows, Mac and Linux OSes for faster threat remediation.
Fidelis Elevate Network	Automate Detection and Response to Network Threats and data leakage in your organization with Fidelis Elevate Network Integration.
FileOrbis	Manage FileOrbis operations.
FireEye (AX Series)	Perform malware dynamic analysis
FireEye Central Management	FireEye Central Management (CM Series) is the FireEye threat intelligence hub. It services the FireEye ecosystem, ensuring that FireEye products share the latest intelligence and correlate across attack vectors to detect and prevent cyber attacks.
FireEye Detection on Demand	FireEye Detection On Demand is a threat detection service delivered as an API for integration into the SOC workflow, SIEM analytics, data repositories, or web applications, etc. It delivers flexible file and content analysis to identify malicious behavior wherever the enterprise needs it.
FireEye Email Security	FireEye Email Security (EX) series protects against breaches caused by advanced email attacks.
FireEye Endpoint Security (HX) v2	FireEye Endpoint Security is an integrated solution that detects and protects endpoints against known and unknown threats. This integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. You can extract critical data and effectively operate the security operations automated playbook.
FireEye ETP	FireEye Email Threat Prevention (ETP Cloud) is a cloud-based platform that protects against advanced email attacks.
FireEye ETP Event Collector	Use this integration to fetch email security incidents from FireEye ETP as XSIAM events.
FireEye Feed	FireEye Intelligence Feed Integration.
FireEye Helix	FireEye Helix is a security operations platform. FireEye Helix integrates security tools and augments them with next-generation SIEM, orchestration and threat intelligence tools such as alert management, search, analysis, investigations and reporting.
FireEye HX (Deprecated)	Deprecated. Use FireEyeHX v2 instead.
FireEye HX Event Collector	Palo Alto Networks FireEye HX Event Collector integration for XSIAM.
FireEye iSIGHT	FireEye cyber threat intelligence.
FireEye NX	FireEye Network Security is an effective cyber threat protection solution that helps organizations minimize the risk of costly breaches by accurately detecting and immediately stopping advanced, targeted, and other evasive attacks hiding in internet traffic.
FireMon Security Manager	FireMon Security Manager delivers comprehensive rule lifecycle management to help you manage and automate every stage of the change management process. Workflows can be customized and automated to conform to your security goals and standards, with tools at your disposal to evolve policy and protection over time.
Flashpoint (Deprecated)	Deprecated. Use Flashpoint Ignite instead.
Flashpoint Feed (Deprecated)	Deprecated. Use Flashpoint Ignite Feed instead.
Flashpoint Ignite	Use the Ignite integration to reduce business risk. Ignite allows users to ingest alerts and compromised credentials as incident alerts and executes commands such as search intelligence report, ip, url, get events, and more.
Flashpoint Ignite Feed	Flashpoint Ignite Feed Integration allows importing indicators of compromise that occur in the context of an event on the Flashpoint Ignite platform which contains finished intelligence reports data, data from illicit forums, marketplaces, chat services, blogs, paste sites, technical data, card shops, and vulnerabilities. The indicators of compromise are ingested as indicators on the Cortex XSOAR and displayed in the War Room using a command.
Forcepoint DLP Event Collector (Beta)	Use this integration to fetch security incidents from Forcepoint DLP as Cortex XSIAM events.
Forcepoint Security Management Center	Forcepoint SMC provides unified, centralized management of all models of Forcepoint engines whether physical, virtual or cloud—across large, geographically distributed enterprise environments.
Forcepoint Web Security	Advanced threat protection with added local management controls.
Forescout CounterACT	Unified device visibility and control platform for IT and OT Security.
Forescout EyeInspect	Delivers flexible and scalable OT/ICS asset visibility.
Fortanix DSM	Manage Secrets and Protect Confidential Data using Fortanix Data Security Manager
FortiAuthenticator	This integration allows you to manage the user configuration on FortiAuthenticator.
FortiGate	FortiGate provides flawless convergence that can scale to any location: remote office, branch, campus, data center, and cloud. FortiGate always delivered on the concept of hybrid mesh firewalls with FortiManager for unified management and consistent security across complex hybrid environments. The Fortinet FortiOS operating system provides deep visibility and security across a variety of form factors.
FortiMail	FortiMail is a comprehensive email security solution by Fortinet, offering advanced threat protection, data loss prevention, encryption, and email authentication to safeguard organizations against email-based cyber threats and protect sensitive information.
FortiManager	FortiManager is a single console central management system that manages Fortinet devices.
FortiSandbox (Deprecated)	FortiSandbox integration is used to submit files to FortiSandbox for malware analysis and retrieving the report of the analysis. It can also provide file rating based on hashes for already scanned files. Deprecated. Use FortiSandboxv2 instead.
FortiSandbox v2	FortiSandbox is an advanced security tool that goes beyond standard sandboxing. It combines proactive mitigation, enhanced threat detection, and in-depth reporting, using Fortinet's dynamic antivirus technology, dual-level sandboxing, and FortiGuard cloud integration to counter advanced threats. It effectively detects viruses, Advanced Persistent Threats (APTs), and malicious URLs, integrating seamlessly with existing Fortinet devices like FortiGate and FortiMail for comprehensive network protection.
FortiSIEM	Search and update events of FortiSIEM and manage resource lists.
FortiSIEM v2	Use FortiSIEM v2 to fetch and update incidents, search events and manage watchlists of FortiSIEM.
Fortiweb VM	Fortiweb VM integration allows to manage WAF policies and block cookies, URLs, and host names.
FraudWatch	Manage incidents via the Fraudwatch API. FraudWatch International provides a fully managed Enterprise Digital Brand Protection Suite, including online brand management & monitoring, as well as providing other brand protection solutions that protect organizations and their customers around the world against online brand-related abuse.
Freshdesk	The Freshdesk integration allows you to create, update, and delete tickets; reply to and create notes for tickets as well as view Groups, Agents and Contacts.
Freshworks Freshservice	Freshservice is a service management solution that allows customers to manage service requests, incidents, change requests tasks, and problem investigation.
FTP	FTP integration to download or upload files to a remote FTP server. Please note that FTP transfer is insecure. Please use it with care.
FullHunt	Cortex XSOAR integration with FullHunt.io API
G Suite Auditor	G Suite Auditor is an integration that receives Audit logs from G Suite's different applications - admin, drive, calender, and more.
G Suite Security Alert Center	G Suite Security Alert Center allows users to fetch different alert types such as Suspicious login, Device compromised, Leaked password, and more. Users can delete or recover a single alert or a batch of alerts and retrieve the alert's metadata. This integration allows users to provide feedback for alerts and fetch existing feedback for a particular alert.
Gamma	Query and update violations in Gamma.
GCenter	This integration allows, via about twenty commands, to interact with the GCenter appliance via its API.
GCenter 103	This integration fetch events generated by the GCenter appliance.
GCP Whitelist Feed (Deprecated)	Deprecated. Use the Google IP Ranges Feed integration instead.
GCP-IAM	Manage identity and access control for Google Cloud Platform resources.
Gem	Use Gem alerts as a trigger for Cortex XSOAR’s custom playbooks, to automate response to specific TTPs.
Generic API Event Collector (Beta)	Collect logs from 3rd party vendors using API.
Generic Export Indicators Service	Use the Generic Export Indicators Service integration to provide an endpoint with a list of indicators as a service for the system indicators.
Generic SQL	Use the Generic SQL integration to run SQL queries on the following databases: MySQL, PostgreSQL, Microsoft SQL Server, Oracle, Teradata and Trino.
Generic Webhook	The Generic Webhook integration is used to create incidents on event triggers. The trigger can be any query posted to the integration.
GenericAPICall	Integration version of the httpv2 automation used to send HTTP requests for API calls to endpoints not associated with an existing XSOAR integration.
Genetec Security Center Event Collector	Genetec Security Center Audit Trail Event Collector.
Genians	Use the Genian NAC integration to block IP addresses using the assign tag.
Gigamon ThreatINSIGHT	Gigamon ThreatINSIGHT is a cloud-native network detection and response solution built for the rapid detection of threat activity, investigation of suspicious behavior, proactive hunting for potential risks, and directing a fast and effective response to active threats.
Giphy	Display random GIF in the War Room (e.g. !giphy hello). Powered By Giphy.
GitGuardian Event Collector	This is the GitGuardian event collector integration for Cortex XSIAM.
GitHub	Integration to GitHub API.
Github Event Collector	Github logs event collector integration for Cortex XSIAM.
Github Feed	This is the Feed GitHub integration for getting started with your feed integration.
GitHub IAM	Integrate with GitHub services to perform Identity Lifecycle Management operations.
Github Maltrail Feed	Fetches Indicators from Github Repo https://github.com/stamparm/maltrail
GitLab (Deprecated)	Deprecated. Use GitLab v2 in GitLab Pack instead.
GitLab Event Collector
GitLab v2	Integration to GitLab API.
GLIMPS Detect	Use the GLIMPS Detect Integration to send files to GLIMPS Malware and get results from it
GLPI	GLPI open source ITSM solution.
Gmail	Gmail API and user management (This integration replaces the Gmail functionality in the GoogleApps API and G Suite integration).
Gmail Single User	Gmail API using OAuth 2.0.
Google Apigee	Apigee is Google Cloud's native API management platform that can be used to build, manage, and secure APIs — for any use case, environment, or scale. Apigee offers high performance API proxies to create a consistent, reliable interface for your backend services. The proxy layer gives you granular control over security, rate limiting, quotas, analytics, and more for all of your services. Apigee supports REST, gRPC, SOAP, and GraphQL, providing the flexibility to implement any API architectural style.
Google BigQuery	Integration for Google BigQuery, a data warehouse for querying and analyzing large databases. In all commands, for any argument not specified, the BigQuery default value for that argument will be applied.
Google Calendar	Google Calendar is a time-management and scheduling calendar service developed by Google. This integration helps you to perform various tasks on the access control list (ACL).
Google Chat via Webhook	Integration for sending notifications to a Google Chat space via Incoming Webhook.
Google Cloud Compute	Google Compute Engine delivers virtual machines running in Google's innovative data centers and worldwide fiber network. Compute Engine's tooling and workflow support enable scaling from single instances to global, load-balanced cloud computing.
Google Cloud Functions	Google Cloud Functions is an event-driven serverless compute platform that enables you to run your code locally or in the cloud without having to provision servers.
Google Cloud Logging	With Google Cloud Logging, users can centralize all their logs in a single location, making it easier to troubleshoot issues and gain insights from their data.
Google Cloud Pub/Sub	Google Cloud Pub/Sub is a fully-managed real-time messaging service that enables you to send and receive messages between independent applications.
Google Cloud SCC	Security Command Center is a security and risk management platform for Google Cloud. Security Command Center enables you to understand your security and data attack surface by providing asset inventory and discovery, identifying vulnerabilities and threats, and helping you mitigate and remediate risks across an organization. This integration helps you to perform tasks related to findings and assets.
Google Cloud Storage	Google Cloud Storage is a RESTful online file storage web service for storing and accessing data on Google Cloud Platform infrastructure.
Google Cloud Translate	A Google API cloud based translation service.
Google Docs	Use the Google Docs integration to create and modify Google Docs documents.
Google Dorking	Automate the process of google dorking searches in order to detect leaked data.
Google Drive	Google Drive allows users to store files on their servers, synchronize files across devices, and share files. This integration helps you to create a new drive, query past activity, and view change logs performed by the users.
Google IP Ranges Feed	Use the Google IP Ranges integration to get GCP and Google global IP ranges.
Google Key Management Service	Use the Google Key Management Service API for CryptoKey management and encrypt/decrypt functionality.
Google Kubernetes Engine	The Google Kubernetes Engine integration is used for building and managing container based applications in Google Cloud Platform (GCP), powered by the open source Kubernetes technology.
Google Maps	Use the Google Maps API.
Google Resource Manager	Google Cloud Platform Resource Manager
Google Safe Browsing (Deprecated)	Deprecated. Use Google Safe Browsing v2 instead.
Google Safe Browsing v2	Search Safe Browsing, The Safe Browsing APIs (v4) let your client applications check URLs against Google's constantly updated lists of unsafe web resources.
Google Sheets	Google Sheets is a spreadsheet program that is part of the free web-based Google applications to create and format spreadsheets. Use this integration to create and modify spreadsheets.
Google Threat Intelligence	Analyzes suspicious hashes, URLs, domains, and IP addresses.
Google Threat Intelligence IoC Stream Feed	Use this feed integration to fetch Google Threat Intelligence IoC Stream notifications as indicators.
Google Threat Intelligence Threat Lists	Use this feed integration to fetch Google Threat Intelligence Threat Lists matches as indicators.
Google Vault	Archiving and eDiscovery for G Suite.
Google Vertex AI	Fine-tuned to conduct natural conversation. Using Google Vertex Ai (PaLM API for Chat) The current integration of Google Vertex Ai is focusing only on the Generative AI model (PaLM) using the Chat prediction. Later, this plugin will be updated to include the following: - Model Creation - Model Fine Tuning - PaLM Text
Google Vision AI	Image processing with Google Vision API
Google Workspace Admin	G Suite or Google Workspace Admin is an integration to perform an action on IT infrastructure, create users, update settings, and more administrative tasks.
GoogleApps API and G Suite	Send messages and notifications to your Mattermost Team.
Gophish	Gophish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing. For Free
Grafana	Grafana alerting service.
GraphQL	The Generic GraphQL client can interact with any GraphQL server API.
Graylog	Integration with Graylog to search for logs and events
GreatHorn	The only cloud-native security platform that stops targeted social engineering and phishing attacks on cloud email platforms like Office 365 and G Suite.
GreyNoise	GreyNoise is a cybersecurity platform that collects and analyzes Internet-wide scan and attack traffic. With this integration, users can contextualize existing alerts, filter false-positives, identify compromised devices, and track emerging threats.
GreyNoise Community	GreyNoise is a cybersecurity platform that collects and analyzes Internet-wide scan and attack traffic. With this integration, users can contextualize existing alerts, filter false-positives, identify compromised devices, and track emerging threats. This Integration is design specifically for GreyNoise Community users and only provides the subset of intel available via the GreyNoise Community API.
GreyNoise Indicator Feed	GreyNoise is a cybersecurity platform that collects and analyzes Internet-wide scan and attack traffic. With this integration, users can contextualize existing alerts, filter false-positives, identify compromised devices, and track emerging threats. This Integration provides a feed of IPv4 Internet Scanners from GreyNoise.
Group-IB THF Polygon	THF Polygon is a Malware Detonation & Research platform designed for deep dynamic analysis and enhanced indicators extraction. THF Polygon analyzes submitted files and urls and extracts deep IOCs that appear when malicious code is triggered and executed. Polygon could be used either for application-level tasks (like smtp-based mail filtering) and analytical purposes (files/urls analysis for verdict, report and indicators).
Group-IB Threat Intelligence	Pack helps to integrate Group-IB Threat Intelligence and get incidents directly into Cortex XSOAR. The list of included collections: Compromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware.
Group-IB Threat Intelligence Feed	Use Group-IB Threat Intelligence Feed integration to fetch IOCs from various Group-IB collections.
GRR	Use GRR Rapid Response framework
GuardiCore (Deprecated)	Deprecated. Use GuardiCore v2 instead.
GuardiCore v2	GuardiCore v2 Integration enables you to get information about incidents and endpoints (assets) via the GuardiCore API.
Gurucul-GRA	Gurucul Risk Analytics (GRA) is a Unified Security and Risk Analytics platform.
HackerOne	HackerOne integration allows users to fetch reports by using the fetch incidents capability. It also provides commands to retrieve all the reports and programs.
Hackuity	From a war-room, query your Hackuity cockpit in order to seamlessly retrieve information related to your vulnerability stock.
HarfangLab EDR	HarfangLab EDR Connector, Compatible version 2.13.7+.
HashiCorp Terraform	Hashicorp Terraform provide infrastructure automation to provision and manage resources in any cloud or data center with Terraform.
HashiCorp Vault	Manage Secrets and Protect Sensitive Data through HashiCorp Vault.
Hatching Triage	Submit a high volume of samples to run in a sandbox and view reports.
Have I Been Pwned? v2	Uses the Have I Been Pwned? service to check whether email addresses, domains, or usernames were compromised in previous breaches.
Hello World IAM	An Identity and Access Management integration template.
HelloWorld	This is the Hello World integration for getting started.
HelloWorld Event Collector	This is the Hello World event collector integration for Cortex XSIAM.
HelloWorld Feed	This is the Feed Hello World integration for getting started with your feed integration.
HostIo	Use the HostIo integration to enrich domains using the Host.io API.
Hoxhunt (Deprecated)	Deprecated. Use Hoxhunt V2 instead.
Hoxhunt v2	Use the Hoxhunt integration to send feedback to reporters of incidents, set incident sensitivity, and apply SOC classification to incidents.
HPE Aruba Central Event Collector	This is the Aruba Central event collector integration for Cortex XSIAM.
HPE Aruba ClearPass	Aruba ClearPass Policy Manager provides role and device-based network access control for employees, contractors, and guests across any multi-vendor wired, wireless, and VPN infrastructure.
Hudsonrock	Enrichment from Hudsonrock OSINT tools at https://cavalier.hudsonrock.com/api/json/v2/osint-tools/ Supports: IP, Email and Username.
Humio	Integration with Humio
HYAS Insight	Use the HYAS Insight integration to interactively lookup PassiveDNS, DynamicDNS, WHOIS, Sample Malware Records, C2 Attribution, Passive Hash, SSL Certificate, Open Source Indicators, Device Geo, Sinkhole, Malware Sample Information – either as playbook tasks or through API calls in the War Room.
HYAS Protect	Use the HYAS Protect integration to get the verdict information for FQDN, IP Address and NameServer – either as playbook tasks or through API calls in the War Room.
Hybrid Analysis (Deprecated)	Deprecated. Use CrowdStrike Falcon Sandbox v2 instead.
IBM MaaS360 Security	This is the IBM MaaS360 Security event collector integration for Cortex XSIAM.
IBM QRadar (Deprecated)	Deprecated. Use IBM QRadar v2 or IBM QRadar v3 instead.
IBM QRadar v2 (Deprecated)	Deprecated. Use the IBM QRadar v3 integration instead. Fetch offenses from QRadar using Cortex XSOAR. Supports API versions until 10.0. You can fetch the offenses with their related events and assets by creating a comma-separated list of event fields.
IBM QRadar v3	IBM QRadar SIEM helps security teams accurately detect and prioritize threats across the enterprise, supports API versions 10.1 and above. Provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents.
IBM Security QRadar SOAR	Case management that enables visibility across your tools for continual IR improvement.
IBM Security Verify	IBM Security Verify provides a secure and scalable solution for collecting and managing security events from IBM Security Verify, offering advanced threat detection and response capabilities for protecting identities, applications, and data.
IBM X-Force Exchange v2	IBM X-Force Exchange lets you receive threat intelligence about applications, IP addresses, URls and hashes.
iboss	Manage block lists, manage allow lists, and perform domain, IP, and/or URL reputation and categorization lookups.
Icebrg	Reduces risk by accelerating threat detection, triage, and response to rapidly-evolving breaches across global networks.
iDefense (Deprecated)	Deprecated. Use the iDefense v2 integration instead.
iLert	Alert and notify users using iLert
illuminate (Deprecated)	Deprecated. Use Analyst1 integration instead.
Illumio Core	Connects to Illumio Core APIs to perform investigative and restorative actions.
IllusiveNetworks	The Illusive Attack Management API allows customers to retrieve detected incidents with a forensics timeline, attack surface insights, collect forensics on-demand, and manage a variety of operations with regard to deceptive entities, deception policies, and more.
Image OCR	Extracts text from images.
Impartner	Impartner is the fastest-growing, most award-winning channel management solution provider on the market.
Imperva Incapsula	Uses incapsula to manage sites and IPs.
Imperva Skyfence	The Imperva Skyfence Cloud Gateway is a Cloud Access Security Broker (CASB) that provides visibility and control over sanctioned and unsanctioned cloud apps to enable their safe and productive use.
Imperva WAF	Use the Imperva WAF integration to manage IP groups and web security policies in Imperva WAF.
Indeni	Indeni is a turn-key automated monitoring providing visibility for security infrastructure. Indeni's production-ready Knowledge is curated from vetted, community-sourced experience, to deliver automation of tedious tasks with integration with your existing processes.
Indicators detection	The Cortex Core - IOCs integration uses the Cortex API for detection and response, by natively integrating network, endpoint, and cloud data to stop sophisticated attacks.
Infinipoint	Use the Infinipoint integration to retrieve security and policy incompliance events, vulnerabilities or incidents. Investigate and respond to events in real-time.
InfoArmor VigilanteATI	VigilanteATI redefines Advanced Threat Intelligence. InfoArmor's VigilanteATI platform and cyber threat services act as an extension of your IT security team.
Infoblox	Infoblox enables you to receive metadata about IPs in your network and manages the DNS Firewall by configuring RPZs. It defines RPZ rules to block DNS resolution for malicious or unauthorized hostnames, or redirect clients to a walled garden by substituting responses.
Infoblox BloxOne Threat Defense	BloxOne Threat Defense is a hybrid cybersecurity solution that leverages DNS as the first line of defense to detect and block cyber threats.
Infoblox BloxOne Threat Defense Event Collector	BloxOne Threat Defense is a hybrid cybersecurity solution that leverages DNS as the first line of defense to detect and block cyber threats.
Infocyte	Infocyte can pivot off incidents to automate triage, validate events with forensic data and enabling dynamic response actions against any or all host using both agentless or agented endpoint access.
Intel471 Actors Feed (Deprecated)	Deprecated. To be replaced by use case centric functionality. No available replacement.
Intel471 Malware Feed (Deprecated)	Deprecated. Use Intel471 Malware Indicator Feed instead.
Intel471 Malware Indicator Feed	"Intel471's Malware Intelligence is focused on the provisioning of a high fidelity and timely indicators feed with rich context, TTP information, and malware intelligence reports. This feed allows customers to block and gain an understanding of the latest crimeware campaigns and is for those that value timeliness, confidence (little to no false positives), and seek rich context and insight around the attacks they are seeing."
Intel471 Watcher Alerts	'Intel 471's watcher alerts provide a mechanism by which customers can be notified in a timely manner of Titan content that is most relevant to them.'
Intezer v2	Malware detection and analysis based on code reuse.
IntSights (Deprecated)	Deprecated. Use Rapid7 Threat Command instead.
Investigation & Response	The Cortex Core IR integration uses the Cortex API for detection and response, by natively integrating network, endpoint, and cloud data to stop sophisticated attacks.
IP-API	This integration will enrich IP addresses from IP-API with data about the geolocation, as well as a determination of the IP address being associated with a mobile device, hosting or proxy. Revers DNS is also returned. This service is available for free (with a throttle) - or paid.
IP2LocationIO	IP2Location.io integration to query IP geolocation data.
ipinfo (Deprecated)	Deprecated. Use IPinfo v2 instead. Use the ipinfo.io API to get data about an IP address
IPinfo v2	Use the IPinfo.io API to get data about an IP address.
IPQualityScore	Proactively Prevent Fraud
ipstack	One of the leading IP to geolocation APIs and global IP database services.
IRIS DFIR	IRIS is a collaborative platform aiming to help incident responders to share technical details during investigations. It's free and open-source.
IronDefense	The IronDefense Integration for Cortex XSOAR allows users to interact with IronDefense alerts within Cortex XSOAR. The Integration provides the ability to rate alerts, update alert statuses, add comments to alerts, to report observed bad activity, get alerts, get events, and get IronDome information.
Ironscales	IRONSCALES, a self-learning email security platform integration
Ironscales Event Collector	Use this integration to fetch email security incidents from Ironscales as XSIAM events.
IsItPhishing	Collaborative web service that provides validation on whether a URL is a phishing page or not by analyzing the content of the webpage.
Ivanti Heat	Use the Ivanti Heat integration to manage issues and create Cortex XSOAR incidents from Ivanti Heat.
Ja3er	Query the ja3er API for MD5 hashes of JA3 fingerprints.
Jamf Protect Event Collector	Use this integration to fetch audit logs events, alerts events and computer assets from Jamf Protect to Cortex XSIAM.
JAMF v2	Enterprise Mobility Management (EMM) for Apple devices (Mac, iPhone, Apple TV, iPad). Can be used to control various configurations via different policies, install and uninstall applications, lock devices, smart groups searches, and more.
JARM	Active TLS fingerprinting using JARM.
Jask (Deprecated)	Deprecated. Use Sumo Logic Cloud SIEM instead. Freeing the analyst with autonomous decisions.
Jira Event Collector	Jira logs event collector integration for Cortex XSIAM.
JizoM	This integration ensures interaction with the JizoM API.
Joe Security (Deprecated)	Deprecated. Use Joe Security v2 instead.
Joe Security v2	Access the full set of possibilities the JoeSandbox Cloud provides via the RESTful Web API v2.
JSON Feed	Fetches indicators from a JSON feed.
JSON Sample Incident Generator	A utility for testing incident fetching with mock JSON data.
JsonWhoIs	Provides data enrichment for domains and IP addresses.
JWT	JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. This Integration can be used to Generate New JWT Tokens, Encode and Decode Existing Ones.
Kafka v2 (Deprecated)	Deprecated. Use the Kafka v3 integration instead. The Open source distributed streaming platform.
Kafka v3	Kafka is an open source distributed streaming platform.
Kali Dog Security CertStream	Hunts for homograph-attacks by monitoring newly created X.509 certificates using CertStream by Kali Dog Security.
Kaspersky Security Center (Beta)	Manages endpoints and groups through the Kaspersky Security Center.
Keeper Secrets Manager	Use the Keeper Secrets Manager integration to manage secrets and protect sensitive data through Keeper Vault.
Keeper Security	Use this integration to fetch audit logs from Keeper Security Admin Console as XSIAM events.
Kenna v2	Use the Kenna v2 integration to search and update vulnerabilities, schedule a run connector, and manage tags and attributes.
Keyfactor	Basic Keyfactor Integration that Posts CSR and Retrieves the certificates
KnowBe4 KMSAT Event Collector	KnowBe4_KMSAT allows you to push and pull your external data to and from the KnowBe4 console.
KnowBe4KMSAT	KnowBe4 KMSAT integration allows you to pull Risk Scores, Phishing Tests, Campaigns and Enrollments.
Koodous	Check Android app samples (APK) against Koodous API
Lacework	Lacework provides end-to-end cloud security automation for AWS, Azure, and GCP with a comprehensive view of risks across cloud workloads and containers.
Lansweeper	The Lansweeper integration allows users to retrieve the asset details.
LastInfoSec	This integration allow to interact with the Gatewatcher LastInfoSec product via API.
Lastline v2	Use the Lastline v2 integration to provide threat analysts and incident response teams with the advanced malware isolation and inspection environment needed to safely execute advanced malware samples, and understand their behavior.
LDAP Authentication	Authenticate using OpenLDAP or Active Directory.
LGTM	An Integration with LGTM API
LINENotify	LINE API Integration is used for sending a message to LINE Group.
Linkshadow	Fetch Network Anomalies data from LinkShadow and execute the remediation Actions.
Linux	Agentlesss Linux host management over SSH
Lockpath KeyLight v2	Use the LockPath KeyLight integration to manage GRC tickets in the Keylight platform.
LogPoint SIEM Integration	Use this Content Pack to search logs, fetch incident logs from LogPoint, analyze them for underlying threats, and respond to these threats in real-time.
LogRhythm (Deprecated)	Deprecated. Use the LogRhythmRest v2 integration instead.
LogRhythmRest	LogRhythm security intelligence.
LogRhythmRest v2	LogRhythm security intelligence.
LogsignSiem	Logsign SIEM provides to collect and store unlimited data, investigate and detect threats, and respond automatically.
Logz.io	Fetch & remediate security incidents identified by Logz.io Cloud SIEM.
LOLBAS Feed	"Living off the land binaries" is a term used to describe malware or hacking techniques that take advantage of legitimate tools and processes that are already present on a computer or network, rather than introducing new malware or malicious code. The goal is to blend in with normal activity and avoid detection. Examples of this include using built-in Windows commands to move laterally through a network, or using scripting languages that are commonly installed on a system to execute malicious code. LOLBAS project is documenting binaries, scripts, and libraries that can be used for Living Off The Land techniques.
Looker	Use the Looker integration to query an explore, save queries as looks, run looks, and fetch look results as incidents.
Lookout Mobile Endpoint Security	Lookout Mobile Endpoint Security (MES) provides visibility and protection against mobile threats with AI-driven mobile security dataset.
Luminar IOCs & leaked credentials	This connector allows integration of intelligence-based IOC data and customer-related leaked records identified by Luminar.
Lumu	SecOps operations - Reflect and manage the Lumu Incidents either from XSOAR Cortex or viceversa using the mirroring integration flow, https://lumu.io/
MAC Vendors	Query MAC Vendors for vendor names when providing a MAC address. MAC Vendors maintains a list of vendors provided directly from the IEEE Standards Association and is updated multiple times each day. The IEEE is the registration authority and provides data on over 16,500 registered vendors.
Mail Listener v2	Listens to a mailbox and enables incident triggering via e-mail.
Mail Sender (New)	Send emails implemented in Python with embedded image support.
MailListener - POP3	Listen to a mailbox, enable incident triggering via e-mail.
Majestic Million Feed	Free search and download of the top million websites.
Maltiverse	Use the Maltiverse integration to analyze suspicious hashes, URLs, domains and IP addresses.
MalwareBazaar	MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the Infosec community, AV vendors, and threat intelligence providers.
MalwareBazaar Feed	Use the MalwareBazaar Feed integration to get the list of malware samples added to MalwareBazaar within the last 60 minutes.
Malwarebytes	Scan and Remediate threats on endpoints in the Malwarebytes cloud.
Malwation AIMA (Deprecated)	Deprecated. Use ThreatZone instead.
ManageEngine	ManageEngine Endpoint Central is a Unified Endpoint Management solution that helps in managing thousands of servers, desktops, laptops and mobile devices from a single console..
ManageEngine PAM360	Integration to fetch passwords from the PAM360 repository, and to manage accounts, resources, and privileged credentials.
Mandiant Advantage Feed (Deprecated)	Deprecated. Use Mandiant Advantage Threat Intelligence instead.
Mandiant Advantage Threat Intelligence	Enrich Indicators of Compromise, and fetch information about Actors, Malware Families, and Campaigns from Mandiant Advantage.
Mandiant Attack Surface Management	Integrate with Mandiant Advantage Attack Surface Management to import "issues" as Incidents.
Mandiant Automated Defense (Formerly Respond Software)	Use the Mandiant Automated Defense integration to fetch and update incidents from Mandiant Automated Defense. Mandiant Automated Defense fetches open incidents and updates them every minute. Changes made within XSOAR are reflected in Mandiant Automated Defense platform with bi-directional mirroring capabilities enabled.
Mandiant Enrich	Enrich Indicators of Compromise, and fetch information about Actors, Malware Families, and Campaigns from Mandiant Advantage.
Mandiant Feed	Fetch indicators from Mandiant Advantage.
Mantis	create and update issues in MantisBT,MantisBT is a popular free web-based bug tracking system
Mattermost	Send messages and notifications to your Mattermost Team.
Mattermost v2	Mattermost is an open-source, self-hostable online chat service with file sharing, search, and integrations. It is designed as an internal chat for organizations and companies.
MaxMind GeoIP2	Enriches IP addresses.
McAfee Active Response	Connect to MAR using its DXL client
McAfee Advanced Threat Defense	Integrated advanced threat detection: Enhancing protection from network edge to endpoint.
McAfee DAM	McAfee Database Activity Monitoring
McAfee DXL	McAfee DXL client.
McAfee ePO (Deprecated)	Deprecated. Use McAfee ePO v2 instead.
McAfee ePO v2	McAfee ePolicy Orchestrator.
McAfee ESM v10 and v11 (Deprecated)	Deprecated. Use the McAfee ESM v2 integration instead.
McAfee ESM v2	This integration runs queries and receives alarms from McAfee Enterprise Security Manager (ESM). Supports version 10 and above.
McAfee NSM (Deprecated)	Deprecated. Use McAfee NSM v2 integration instead.
McAfee NSM v2	McAfee Network Security Manager gives you real-time visibility and control over all McAfee intrusion prevention systems deployed across your network.
McAfee Threat Intelligence Exchange (Deprecated)	Deprecated. Use McAfee Threat Intelligence Exchange V2 integration instead.
McAfee Threat Intelligence Exchange v2	Connect to McAfee TIE using the McAfee DXL client.
McAfee Web Gateway (Deprecated)	Deprecated. Use Skyhigh Secure Web Gateway (On Prem) instead.
MetaDefender Sandbox	Unique adaptive threat analysis technology, enabling zero-day malware detection and more Indicator of Compromise (IOCs) extraction (previously known as OPSWAT Filescan Sandbox).
Micro Focus Service Manager	Service Manager By Micro Focus (Formerly HPE Software).
MicroFocus SMAX	Fetch SMAX cases and automate differen SMAX case management actions.
Microsoft 365 Defender	Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
Microsoft Advanced Threat Analytics (Deprecated)	Deprecated. No available replacement.
Microsoft Defender for Cloud	Unified security management and advanced threat protection across hybrid cloud workloads.
Microsoft Defender for Cloud Apps	Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services. Use the integration to view and resolve alerts, view activities, view files, and view user accounts.
Microsoft Defender for Cloud Apps Event Collector	Collects the events log for alerts and activities provided Microsoft Defender for Cloud Apps API.
Microsoft Defender for Cloud Event Collector	XSIAM collector for Microsoft Defender for Cloud alerts.
Microsoft Defender for Endpoint	Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection (ATP)) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
Microsoft Defender for Endpoint Alerts (Deprecated)	Deprecated. Use 'Office 365' in the XSIAM Data Sources instead.
Microsoft Endpoint Configuration Manager	The Microsoft Endpoint Configuration Manager provides the overall Configuration Management (CM) infrastructure and environment to the product development team (formerly known as SCCM).
Microsoft Endpoint Manager (Intune)	Microsoft Intune is a Microsoft cloud-based management solution that provides for mobile device and operating system management.
Microsoft Graph API	Use the Microsoft Graph API integration to interact with Microsoft APIs that do not have dedicated integrations in Cortex XSOAR, for example, Mail Single-User, etc.
Microsoft Graph Mail Single User	Microsoft Graph grants Cortex XSOAR authorized access to a user's Microsoft Outlook mail data in a personal account or organization account.
Microsoft Graph Search	Use the Microsoft Search API in Microsoft Graph to search content stored in OneDrive or SharePoint: files, folders, lists, list items, or sites.
Microsoft Graph Security	Unified gateway to security insights - all from a unified Microsoft Graph Security API.
Microsoft Intune Feed	Use the Microsoft Intune Feed integration to get indicators from the feed.
Microsoft Management Activity API (O365 Azure Events)	The Microsoft Management Activity API integration enables you to subscribe or unsubscribe to different audits, receive their content, and fetch new content as incidents.
Microsoft Policy And Compliance (Audit Log)	Use the integration to get logs from the O365 service.
Microsoft Sentinel	Microsoft Sentinel is a scalable, cloud-native solution that provides: Security information and event management (SIEM) Security orchestration, automation, and response (SOAR).
Microsoft Teams	Send messages and notifications to your team members.
Microsoft Teams Management	Manage teams and members in Microsoft Teams.
Microsoft Teams via Webhook	Integration for sending notifications to a Microsoft Teams channel via a workflow of type `Post to a channel when a webhook request is received`.
Mimecast Event Collector
Mimecast v2	Mimecast unified email management offers cloud email services for email security, continuity and archiving emails. Please read detailed instructions in order to understand how to set the integration's parameters.
Minerva Labs Anti-Evasion Platform	Minerva eliminates the endpoint security gap while empowering companies to embrace technology fearlessly.
MinIO	An Integration with MinIO Object Storage.
MISP Feed	Indicators feed from MISP.
MISP v2 (Deprecated)	Deprecated. Use the MISP v3 integration instead.
MISP v3	Malware information sharing platform and threat sharing.
MITRE ATT&CK	Use the MITRE ATT&CK® feed to fetch MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) content. MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
MITRE IDs Feed (Deprecated)	Deprecated. Use MITRE ATT&CK Feed v2 instead.
MitreCaldera	Mitre Caldera can be used to test endpoint security solutions and assess a network's security posture against the common post-compromise adversarial techniques contained in the ATT&CK model. CALDERA leverages the ATT&CK model to identify and replicate adversary behaviors as if a real intrusion is occurring.
mnemonic MDR - Argus Managed Defence	Rapidly detect, analyse and respond to security threats with mnemonic’s leading Managed Detection and Response (MDR) service.
MobileIronCLOUD	MobileIron Cloud Integration.
MobileIronCORE	MobileIron CORE Integration.
Moloch (Deprecated)	Deprecated. Use Arkime instead.
MongoDB	Use the MongoDB integration to search and query entries in your MongoDB.
MongoDB Atlas	MongoDB Atlas is an integration that supports fetching and managing alerts and events within Cortex XSIAM.
MongoDB Key Value Store	Manipulates key/value pairs according to an incident utilizing the MongoDB collection.
MongoDB Log	Writes log data to a MongoDB collection.
MS-ISAC	This API queries alerts and alert data from the MS-ISAC API to enrich and query alerts from the platform.
MxToolBox	All of your MX record, DNS, blacklist and SMTP diagnostics in one integrated tool
National Vulnerability Database	CVE feed from the National Vulnerability Database.
National Vulnerability Database Feed v2	This feed pulls CVE information from the NIST National Vulnerability Database using v2.0 of the API. Rejected CVEs are not ingested as part of this integration. This integration/feed deprecates the original National Vulnerability Database Feed integraiton as v1.0 of the API is being sunsetted in 2023.
Ncurion	This is the Ncurion integration for getting started.
Neosec	Neosec is reinventing application security. Its pioneering SaaS platform gives security professionals visibility into behavior across their entire API estate. Built for organizations that expose APIs to partners, suppliers, and users, Neosec discovers all your APIs, analyzes their behavior, and stops threats lurking inside.
Nessus	Vulnerability scanner for auditors and security analysts by Tenable Network Security.
NetBox Event Collector	NetBox event collector integration for Cortex XSIAM.
Netcraft	Netcraft takedown, submission and screenshot management.
Netcraft (Deprecated)	Deprecated. Use Netcraft_V2 (Display name: Netcraft) instead.
Netmiko	Multi-vendor library to simplify SSH connections to network devices. Utilizes the Python library Netmiko for connections. Supports SSH Key authentication and username / password.
NetQuest OMX	NetQuest’s products are high-capacity service nodes that help security teams access and analyze network traffic. Powerful packet and flow processing features assist security tools in detecting and mitigating security threats as cost effectively as possible.
Netscout Arbor Edge Defense	Use the Netscout Arbor Edge Defense integration to detect and stop both inbound threats and outbound malicious communication from compromised internal devices.
Netscout Arbor Sightline (Peakflow)	DDoS protection and network visibility.
Netskope (API v1)	Get alerts and events, manage quarantine files as well as URL and hash lists using Netskope API v1.
Netskope (API v2)	Netskope API v2 provides a powerful interface for managing and monitoring Netskope deployments. It enables users to retrieve alerts and events, manage URL lists, and control clients. With Netskope API v2, organizations can proactively respond to security threats, enforce web access policies, and efficiently administer their Netskope environment.
Netskope (Deprecated)	Cloud access security broker that enables to find, understand, and secure cloud apps. Deprecated. Use Netskope (API v1) instead.
Netskope Event Collector	Netskope Event Collector integration.
Nexthink	Nexthink helps IT teams deliver on the promise of the modern digital workplace. Nexthink is the only solution to provide enterprises with a way to visualize, act and engage across the entire IT ecosystem to lower IT cost and improve digital employee experience.
Nist NVD	National Vulnerability Database.
nmap	Run nmap scans with the given parameters.
Nozomi Networks	The Nozomi Networks platform, available as a hardware, virtual appliance, or via the Vantage Cloud product, provides comprehensive monitoring for OT, IoT, and IT networks. It combines asset discovery, network visualization, vulnerability assessment, risk monitoring, and advanced threat detection in a unified solution. The integration is designed to gather alerts and asset information from Nozomi, whether deployed on-premises or in the cloud via Vantage, ensuring seamless visibility and security across environments.
NTT Cyber Threat Sensor	Retrieve alerts and recommendations from NTT CTS
NucleonCyberFeed	This is the NucleonCyber Feed integration.
Nutanix Hypervisor	Nutanix Hypervisor abstracts and isolates the VMs and their programs from the underlying server hardware, enabling a more efficient use of physical resources, simpler maintenance and operations, and reduced costs.
O365 - EWS - Extension (Deprecated)	Deprecated. Use EWS Extension Online Powershell v3 instead.
O365 - Security And Compliance - Content Search (Deprecated)	This integration allows you to manage and interact with Microsoft security and compliance content search.
O365 - Security And Compliance - Content Search v2	This integration allows you to manage and interact with Microsoft security and compliance content search.
O365 Defender SafeLinks	Provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations.
O365 Defender SafeLinks - Single User (Deprecated)	Deprecated. Use O365 Defender SafeLinks instead. Enables URL scanning, rewriting inbound email messages in the mail flow, time-of-click URL verification, and links in email messages and other locations.
O365 File Management (Onedrive/Sharepoint/Teams)	Use the O365 File Management (Onedrive/Sharepoint/Teams) integration to enable your app to get authorized access to files in OneDrive, SharePoint, and MS Teams across your entire organization. This integration requires admin consent.
O365 Outlook Calendar	O365 Outlook Calendar enables you to create and manage different calendars and events according to your requirements.
O365 Outlook Mail (Using Graph API)	Microsoft Graph lets your app get authorized access to a user's Outlook mail data in a personal or organization account.
O365 Teams (Using Graph API)	Microsoft Graph lets your app get authorized access to a user's Teams app in a personal or organization account.
OctoxLabs	Octox Labs Cyber Security Asset Management platform.
Office 365 Feed	The Office 365 IP Address and URL web service is a read-only API provided by Microsoft to expose the URLs and IPs used by Office 365. The Office 365 Feed integration fetches indicators from the service, with which you can create a list (allow list, block list, EDL, etc.) for your SIEM or firewall service to ingest and apply to its policy rules.
okta (Deprecated)	Deprecated. Use the Okta v2 integration instead.
Okta ASA	Okta Advanced Server Access integration for Cortex XSIAM allows you to fetch logs of a wide range of configuration, enrollment, authentication, and authorization events that occur within the product and on your servers.
Okta Auth0 Event Collector	Okta Auth0 logs event collector integration for Cortex XSIAM.
Okta Event Collector	Collects the events log for authentication and Audit provided by Okta admin API.
Okta IAM	Integrate with Okta's Identity Access Management service to execute CRUD operations to employee lifecycle processes.
Okta v2	Integration with Okta's cloud-based identity management service.
Ollama	Integrate with open source LLMs using Ollama. With an instance of Ollama running locally you can use this integration to have a conversation in an Incident, download models, and create new models.
OnboardingIntegration	Creates mock email incidents using one of two randomly selected HTML templates. Textual content is randomly generated and defined to include some text (100 random words) and the following data (at least 5 of each data type): IP addresses, URLs, SHA-1 hashes, SHA-256 hashes, MD5 hashes, email addresses, domain names.
OneLogin Event Collector	Simple customer authentication and streamlined workforce identity operations.
OpenAI (Deprecated)	Deprecated. Use `OpenAI GPT` instead.
OpenAI GPT	Designed to assist security professionals with security investigations, threat hunting, and anomaly detection, leveraging OpenAI GPT models' natural language conversational capabilities.
OpenCTI	Manages OpenCTI platform. Compatible with OpenCTI 4.X API and OpenCTI 5.X API versions.
OpenCTI Feed 3.X (Deprecated)	Deprecated. Use OpenCTI Feed 4.X instead.
OpenCTI Feed 4.X	Ingest indicators from the OpenCTI feed. Compatible with OpenCTI 5.12.17 and above.
OpenCVE	Searches for CVE information using OpenCVE.
OpenPhish v2	OpenPhish uses proprietary Artificial Intelligence algorithms to automatically identify zero-day phishing sites and provide comprehensive, actionable, real-time threat intelligence.
OPNSense	Manage OPNsense Firewall. For more information see OPNsense documentation. OPNsense is an open source, easy-to-use and easy-to-build HardenedBSD based firewall and routing platform.
OpsGenie (Deprecated)	Deprecated. Use the OpsGenie v3 integration instead
Opsgenie v2 (Deprecated)	Deprecated. Use the OpsGenieV3 integration instead.
OpsGenie v3	Integration with Atlassian OpsGenie. OpsGenie is a cloud-based service that enables operations teams to manage alerts generated by monitoring tools to ensure the right people are notified, and the problems are addressed in a timely manner.
OPSWAT Filescan Sandbox (Deprecated)	Deprecated. Use MetaDefender Sandbox instead.
OPSWAT-Metadefender v2	multi-scanning engine uses 30+ anti-malware engines to scan files for threats, significantly increasing malware detection.
Oracle Cloud Infrastructure Event Collector	Collects audit log events from Oracle Cloud Infrastructure resources.
Oracle Cloud Infrastructure Feed	Oracle Cloud Infrastructure Feed (OCI Feed) This feed provides information about public IP address ranges for services that are deployed in Oracle Cloud Infrastructure.
Oracle IAM	Integrate with Oracle's services to execute CRUD and Group operations for employee lifecycle processes.
Orca	Agentless, Workload-Deep, Context-Aware Security and Compliance for AWS, Azure, and GCP.
Orca Event Collector	Orca Security event collector integration for Cortex XSIAM.
ORKL Threat Intel Feed	Use the ORKL Threat Intel Feed integration to get receive threat intelligence indicators from the feed.
OSV	OSV (Open Source Vulnerability) is a vulnerability database for open source projects. For each vulnerability, it perform bisects to figure out the exact commit that introduces the bug, as well the exact commit that fixes it. This is cross referenced against upstream repositories to figure out the affected tags and commit ranges.
OTRS	Service management suite that comprises ticketing, workflow automation, and notification.
Packetsled	Packetsled Network Security API commands
PagerDuty v2	Alert and notify users using PagerDuty.
Palo Alto AutoFocus (Deprecated)	Deprecated. Use the Palo Alto Networks AutoFocus v2 integration instead. Palo Alto Networks AutoFocus enables you to distinguish the most important threats from everyday commodity attacks.
Palo Alto Networks - Prisma Cloud Compute	Use the Prisma Cloud Compute integration to fetch incidents from your Prisma Cloud Compute environment.
Palo Alto Networks - Strata Cloud Manager	Provides commands for interaction with Prisma SASE API.
Palo Alto Networks AIOps	Palo Alto Networks Best Practice Assessment (BPA) analyzes NGFW and Panorama configurations and compares them to the best practices.
Palo Alto Networks AutoFocus v2	Use the Palo Alto Networks AutoFocus integration to distinguish the most important threats from everyday commodity attacks.
Palo Alto Networks Automatic SLR	Allow XSOAR to automatically generate Security Lifecycle Review's (SLR's).
Palo Alto Networks BPA (Deprecated)	Deprecated. Use Palo Alto Networks AIops instead, run aiops-bpa-report-generate command.
Palo Alto Networks Cortex (Deprecated)	Deprecated. We recommend using the Cortex Data Lake integration instead. This framework manages all PA's cloud managed products
Palo Alto Networks Cortex XDR - Investigation and Response	Cortex XDR is the world's first detection and response app that natively integrates network, endpoint, and cloud data to stop sophisticated attacks.
Palo Alto Networks Enterprise DLP	Palo Alto Networks Enterprise DLP discovers and protects company data across every data channel and repository. Integrated Enterprise DLP enables data protection and compliance everywhere without complexity.
Palo Alto Networks IoT	This is the Palo Alto Networks IoT integration (previously Zingbox).
Palo Alto Networks IoT 3rd Party (Deprecated)	Deprecated. Use the following link instead. To get the latest Palo Alto Networks IoT 3rd Party Integrations content pack, visit: https://docs.paloaltonetworks.com/iot/iot-security-integration/get-started-with-iot-security-integrations/third-party-integrations-using-a-full-featured-xsoar-server
Palo Alto Networks MineMeld (Deprecated)	Deprecated. MineMeld streamlines the aggregation, enforcement and sharing of threat intelligence.
Palo Alto Networks PAN-OS	Manage Palo Alto Networks Firewall and Panorama. Use this pack to manage Prisma Access through Panorama. For more information, see the Panorama documentation.
Palo Alto Networks PAN-OS EDL Management (Deprecated)	Deprecated. Use the Generic Export Indicators Service integration instead. This integration is still supported however, for customers with over 1000 Firewalls.
Palo Alto Networks Security Advisories (Beta)	Queries the public repository of PAN-OS CVEs.
Palo Alto Networks Threat Vault (Deprecated)	Deprecated. Use Threat Vault v2 instead.
Palo Alto Networks Threat Vault v2	Use the Palo Alto Networks Threat Vault to research the latest threats (vulnerabilities/exploits, viruses, and spyware) that Palo Alto Networks next-generation firewalls can detect and prevent. Query the Advanced Threat Protection (ATP) API endpoint for Analysis reports and PCAPs.
Palo Alto Networks Threat Vault v2 Feed	Retrieve Threat Vault predefined EDL content for Malicious IP, Known IP, TOR and Bulletproof hosting.
Palo Alto Networks Traps (Deprecated)	Deprecated. Use CortexXDR instead.
Palo Alto Networks WildFire Reports	Generates a Palo Alto Networks WildFire PDF report. For internal use with the TIM Sample Analysis feature.
Palo Alto Networks WildFire v2	Perform malware dynamic analysis.
PAN-OS Policy Optimizer (Beta)	Automate your AppID Adoption by using this integration together with your Palo Alto Networks Next-Generation Firewall or Panorama.
PassiveTotal v2	Analyze and understand threat infrastructure from a variety of sources-passive DNS, active DNS, WHOIS, SSL certificates and more-without devoting resources to time-intensive manual threat research and analysis.
PAT HelpdeskAdvanced	Improve the effectiveness of your service provision and resources, and the quality of your IT department.
Penfield	The penfield-get-assignee command takes in necessary context data, and returns the analyst that Penfield believes the incident should be assigned to based on Penfield's models of skill and process. The test command verfies that the endpoint is reachable.
Pentera	Automate remediation actions based on Pentera, the Automated Security Validation Platform, proactively exposing high-risk vulnerabilities.
PerceptionPoint	Loads incidents from Perception Point and releases falsely quarantined emails.
Perch	Perch is a co-managed threat detection and response platform.
PerimeterX BotDefender	Gathers PerimeterX related data.
Perplexity AI	Perplexity AI is a web search engine that uses a large language model to process queries and synthesize responses based on web search results. With a conversational approach, Perplexity AI allows users to ask follow-up questions and receive answers with citations to its sources from the internet.
Phish.AI (Deprecated)	Deprecated. Vendor has declared end of life for this integration. No available replacement.
PhishER	KnowBE4 PhishER integration allows to pull events from PhishER system and do mutations.
PhishLabs IOC	Get indicators of compromise from PhishLabs.
PhishLabs IOC DRP	Retrieves Digital Risk cases Protection from PhishLabs.
PhishLabs IOC EIR	Get Email Incident Reports from PhishLabs.
PhishTank v2	PhishTank is a free community site where anyone can submit, verify, track, and share phishing data.
PhishUp	PhishUp prevents phishing attacks, protects your staff and your brand with AI.
Picus Security	Run commands on Picus and automate security validation with playbooks.
Picus Security NG	Picus - The Complete Security Control Validation NG Platform.
PiHole	Pi-hole is a network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network.
PingCastle	This integration will run a server that will listen for PingCastle XML reports.
PingOne	Integrates with the PingOne Management API to unlock, create, delete and update users.
Pipl	Get contact, social, and professional information about people.
Plain Text Feed	Fetches indicators from a plain text feed.
Polar Security	Polar Security, an innovator in technology that helps companies discover, continuously monitor and secure cloud and software-as-a-service (SaaS) application data – and addresses the growing shadow data problem.
PolySwarm	Real-time threat intelligence from a crowd-sourced network of security experts and antivirus companies.
Popular News	Popular News integration fetches from three sources of news - Threatpost, The Hacker News and Krebs on Security. It outputs the title, links of the news articles and other metadata as a markdown table. The integration commands can either fetch the news from one source or all sources at a time.
Postmark Spamcheck	Postmark's spam API, Spamcheck, is a RESTfull interface to the Spam filter tool SpamAssassin.
PowerShell Remoting (Beta)	PowerShell Remoting is a comprehensive built-in remoting subsystem that is a part of Microsoft's native Windows management framework (WMF) and Windows remote management (WinRM). This feature allows you to handle most remoting tasks in any configuration you might encounter by creating a remote PowerShell session to Windows hosts and executing commands in the created session. The integration includes out-of-the-box commands which supports agentless forensics for remote hosts.
Preempt (Deprecated)	Deprecated. No available replacement. Preempt Behavioral Firewall - Detection and enforcement based on user identity
Prisma Access	Integrate with Prisma Access to monitor the status of the Service, alert and take actions.
Prisma Access Egress IP feed	Dynamically retrieve and add to allow list IPs Prisma Access uses to egress traffic to the internet and SaaS apps.
Prisma Cloud (RedLock) (Deprecated)	Deprecated. Use the Prisma Cloud v2 integration instead.
Prisma Cloud DSPM	Remediate your data security risks. Integrate with Prisma Cloud DSPM to fetch your data security risks and remediate them with OOTB playbooks.
Prisma Cloud v2	Prisma Cloud secures infrastructure, workloads and applications, across the entire cloud-native technology stack.
PrismaCloud IAM	The Prisma Cloud IAM API consists of a set of API endpoints that allow customers to perform CRUD operation on their user profiles.
Proofpoint Email Security Event Collector	Collects events for Proofpoint Email Security using the streaming API.
Proofpoint Feed	Detailed feed of domains and ips classified in different categories. You need a valid authorization code from Proofpoint ET to access this feed
Proofpoint Isolation	Proofpoint Isolation is an integration that supports fetching Browser and Email Isolation logs events.
Proofpoint Protection Server (Deprecated)	Deprecated. Use Proofpoint Protection Server V2 instead.
Proofpoint Protection Server v2	Proofpoint email security appliance.
Proofpoint TAP v2	Use the Proofpoint Targeted Attack Protection (TAP) integration to protect against and provide additional visibility into phishing and other malicious email attacks.
Proofpoint Threat Protection	Threat Protection APIs are REST APIs that allow Proofpoint On Demand customers to retrieve, add, update or delete certain PoD configurations.
Proofpoint Threat Response	Use the Proofpoint Threat Response integration to orchestrate and automate incident response.
Proofpoint Threat Response Event Collector	Use the Proofpoint Threat Response integration to orchestrate and automate incident response.
ProtectWise	Cloud based Security Network DVR
Public DNS Feed	A feed of known benign IPs of public DNS servers.
Pulsedive	Enrich and analyze any domain, URL, or IP. Pivot to search on data points and linked indicators to investigate risky properties.
Qintel PMI	Qintel’s Patch Management Intelligence (PMI) product simplifies the vulnerability management process by providing vital context around reported Common Vulnerabilities and Exposures. With this integration, users can query PMI to surface CVEs that are known by Qintel to be leveraged by eCrime and Nation State adversaries.
Qintel QSentry	QSentry queries help measure the likelihood that a user is masking their identity using publicly or privately available proxy or VPN services. The returns also flag any known fraud associations. QSentry aggregates data from Qintel’s proprietary Deep and DarkWeb research, as well as from commercially available anonymization services.
Qintel QWatch	Qintel's QWatch system contains credentials obtained from dump sites, hacker collaboratives, and command and control infrastructures of eCrime- and APT-related malware. With this integration, users can fetch exposure alerts as incidents and discover exposed credentials associated with their organization.
QR Code Reader - goqr.me	Read QR Code from image file.
QSS	QSS integration helps you to fetch Cases from Q-SCMP and add new cases automatically through XSOAR.
Qualys FIM	Log and track file changes across global IT systems.
Qualys VMDR	Qualys Vulnerability Management lets you create, run, manage reports and to fetch Activity Logs, Assets and Vulnerabilities, launch and manage vulnerability and compliance scans, and manage the host assets you want to scan for vulnerabilities and compliance.
Query.AI	Query.AI is a decentralized data access and analysis technology that simplifies security investigations across disparate platforms without data duplication.
Quest KACE Systems Management Appliance (Beta)	Use the Comprehensive Quest KACE solution to Provision, manage, secure, and service all network-connected devices.
QutteraWebsiteMalwareScanner	Quttera Website Malware Scanner.
RaDark	This integration enables you to fetch incidents and manage your RaDark monitor from Cortex XSOAR.
Radware Cloud DDoS Protection Services	Radware Cloud Service provides customers and partners with the ability to programmatically perform service-related actions. The integration can be used to automate application and assets creation and day-to-day management to retrieve up-to-date data about Security Events and Operational Alerts.
Rapid7 - Threat Command (IntSights)	Rapid7 Insight - Threat Command allows managing alerts, CVEs, IOCs, and assets by accounts and MSSP accounts.
Rapid7 InsightIDR	Rapid7’s InsightIDR is your security center for incident detection and response, authentication monitoring, and endpoint visibility. Together, these form Extended Detection and Response (XDR). InsightIDR identifies unauthorized access from external and internal threats and highlights suspicious activity so you don’t have to weed through thousands of data streams.
Rapid7 InsightVM	Vulnerability management solution to help reduce threat exposure.
Rapid7 InsightVM Cloud	InsightVM is a vulnerability management tool that can scan your network, eliminate vulnerabilities, and track and communicate its progress.
Rapid7AppSec	Rapid7 AppSec integration allows the management of applications vulnerabilities and scans.
Rasterize	Converts URLs, PDF files, and emails to an image file or PDF file.
RDAP	Use the RDAP integration to query domain and IP information.
Reco	Reco is a Saas data security solution that protects your data from accidental leaks and malicious attacks.
Recorded Future (Deprecated)	Deprecated. Use Recorded Future v2 from RecordedFuture pack instead. Unique threat intel technology that automatically serves up relevant insights in real time.
Recorded Future - Lists	Search and manage watchlists in Recorded Future.
Recorded Future - Playbook Alerts	Fetch & triage Recorded Future Playbook Alerts.
Recorded Future Attack Surface Intelligence	Attack Surface Intelligence Risk Rules help security teams take risk and vulnerability prioritization to the next level by helping organizations identify the biggest weaknesses within their attack surface in mere seconds.
Recorded Future Event Collector	This integration fetches alerts from Recorded Future.
Recorded Future Identity	Fetch & triage | Search & Lookup | Access Recorded Future Identity data and Playbook Alerts.
Recorded Future RiskList Feed	Ingests indicators from Recorded Future feeds into Demisto.
Recorded Future v2	Unique threat intel technology that automatically serves up relevant insights in real time.
Red Canary	Red Canary collects endpoint data using Carbon Black Response and CrowdStrike Falcon. The collected data is standardized into a common schema which allows teams to detect, analyze and respond to security incidents.
Redmine	A project management and issue tracking system that provides a web-based platform for managing projects, tracking tasks, and handling various types of project-related activities.
ReliaQuest GreyMatter DRP Event Collector	ReliaQuest GreyMatter DRP Event Collector monitors and manages an organization's digital risk across the widest range of data sources within the open, deep, and dark web.
ReliaQuest GreyMatter DRP Incidents	ReliaQuest GreyMatter DR monitors and manages an organization's digital risk across the widest range of data sources within the open, deep, and dark web.
ReliaquestTakedown	This is Reliaquest DRP Takedown integration. It enables xsoar user to create and manage takedowns.
Remedy On-Demand (Deprecated)	Deprecated. Use BMC Helix ITSM instead.
remedy_sr_beta (Beta)	The BMC Service Request Management application enables an IT department and other business departments to easily define available services, publish those services in a service catalog, and automate fulfillment of those services for the user community, enabling users to help themselves. This integration uses SOAP API and supports SRM 9.0 version.
Remote Access (Deprecated)	File transfer and execute commands via ssh, on remote machines.
RemoteAccess v2	This integration transfers files between Cortex XSOAR and a remote machine and executes commands on the remote machine.
Resecurity Monitoring	This package allows retrieving asset monitoring results from monitoring tasks that can be configured in Context and Risk platforms.
Retarus Secure Email Gateway	Integrate Retarus Secure Email Gateway to seamlessly fetch events from Secure Email Gateway by Retarus and enhance email security.
ReversingLabs A1000 (Deprecated)	Deprecated. Use the ReversingLabs A1000 v2 integration instead.
ReversingLabs A1000 v2	ReversingLabs A1000 advanced Malware Analysis Platform.
ReversingLabs Ransomware and Related Tools Feed	A timely and curated threat intel list containing recent indicators extracted from ransomware and the tools used to deploy ransomware which are suitable for threat hunting or deployment to security controls.
ReversingLabs TitaniumCloud (Deprecated)	Deprecated. Use the ReversingLabs TitaniumCloud v2 integration instead.
ReversingLabs TitaniumCloud v2	ReversingLabs TitaniumCloud provides threat analysis data from various ReversingLabs cloud services.
ReversingLabs TitaniumScale	ReversingLabs advanced file decomposition appliance.
RiskIQ Digital Footprint	The RiskIQ Digital Footprint integration enables your security team to manage assets outside your firewall. Using the integration, you can view asset details, add or update assets and analyze your digital footprint from the adversary's perspective.
RiskSense	RiskSense is a cloud-based platform that provides vulnerability management and prioritization to measure and control cybersecurity risk.
Roksit DNS Security (DNSSense)	This integration provides adding selected domains to the Roksit Secure DNS's Blacklisted Domain List through API .
RSA Archer (Deprecated)	Deprecated. Use the RSA Archer v2 integration instead.
RSA Archer v2	The RSA Archer GRC platform provides a common foundation for managing policies, controls, risks, assessments, and deficiencies across lines of business.
RSA NetWitness Endpoint	RSA NetWitness Endpoint provides deep visibility beyond basic endpoint security solutions by monitoring and collecting activity across all of your endpoints on and off your network. The RSA Demisto integration provides access to information about endpoints, modules and indicators.
RSA NetWitness Packets and Logs	RSA NetWitness Logs and Packets decoders are responsible for the real-time collection of network data. The decode captures data in real time and can normalize and reconstruct data for full session analysis. In addition, the decoder can collect flow and endpoint data.
RSA NetWitness Security Analytics	RSA Security Analytics, compatible with prior to v11. A distributed and modular system that enables highly flexible deployment architectures that scale with the needs of the organization. Security Analytics allows administrators to collect two types of data from the network infrastructure, packet data and log data.
RSA NetWitness v11.1 (Deprecated)	Deprecated. Use RSA NetWitness v11.5 instead
RSANetWitness v11.5	The RSA NetWitness integration provides system log, network, and endpoint visibility for real-time collection, detection, and automated response with the Cortex XSOAR Enterprise platform. Using full session analysis, customers can extract critical data and effectively run security operations automated playbooks.
RSS Feed	RSS Feed reader can ingest new items as report indicators.
RST Cloud - Threat Feed API	This is the RST Threat Feed integration for interacting with API.
RTIR	Request Tracker for Incident Response is a ticketing system which provides pre-configured queues and workflows designed for incident response teams.
Rubrik Security Cloud	The Rubrik Security Cloud integration will fetch the Rubrik Anomaly Event and is rich with commands to perform the on-demand scans, backups, recoveries and many more features to manage and protect the organizational data.
Rundeck	Rundeck is a runbook automation for incident management, business continuity, and self-service operations. |- The integration enables you to install software on a list of machines or perform a task periodically. Can be used when there is a new attack and you want to perform an update of the software to block the attack.
RunZero	RunZero is a network discovery and asset inventory platform that uncovers every network in use and identifies every device connected – without credentials. Scan your network and build your asset inventory in minutes.
RunZero Event Collector	This is the RunZero event collector integration for XSIAM.
SaaS Security	SaaS Security API is a cloud-based service that you can connect directly to your sanctioned SaaS applications using the cloud app’s API to provide data classification, sharing and permission visibility, and threat detection. This Content Pack provides insights into risks posed by data exposure and policy violations and enables you to use Cortex XSOAR to effectively manage the incidents discovered by SaaS Security API.
SaaS Security Event Collector	Palo Alto Networks SaaS Security Event Collector integration for XSIAM.
SafeBreach	For enterprises using SafeBreach and XSOAR, integrating this package streamlines operations by allowing you to operate SafeBreach through XSOAR, making SafeBreach an integral part of the enterprise workflows. This integration includes commands for managing tests, insight indicators, simulators and deployments, users, API keys, integration issues, and more.
SafeBreach (Deprecated)	Deprecated. SafeBreach simulates attacks across the kill chain, to validate security policy, configuration, and effectiveness. Quantify the real impact of a cyber attack on your systems at any given moment. Identify remediation options. Stay ahead of attackers.
SafeBreach v2 (Deprecated)	Deprecated. No available replacement.
Safewalk Management	Safewalk server integration.
Safewalk Reports	Safewalk server integration.
SailPoint IdentityIQ	SailPoint IdentityIQ context pack enables XSOAR customers to utilize the deep, enriched contextual data in the SailPoint predictive identity platform to better drive identity-aware security practices.
SailPoint IdentityNow	The SailPoint Identity Security platform can be configured either on-prem/single tenant SaaS, or multi-tenant. This package is intended to be used with the SaaS, multi-tenant solution, IdentityNow.
SailPoint IdentityNow Event Collector	This is the SailPoint IdentityNow event collector integration for Cortex XSIAM.
Salesforce	CRM Services.
Salesforce Event Collector (Deprecated)	Deprecated. Use Cortex XSIAM/XDR Salesforce integration instead.
Salesforce Fusion IAM	Integrate with Salesforce Fusion Identity Access Management service to execute CRUD (create, read, update, and delete) operations for employee lifecycle processes.
Salesforce IAM	Integrate with Salesforce's services to perform Identity Lifecycle Management operations.
Salesforce v2	CRM Services.
SAML 2.0	Authenticate your Cortex XSOAR users using SAML 2.0 authentication with your organization`s identity provider.
SAML 2.0 - ADFS as IdP	You can authenticate your Demisto users using SAML 2.0 authentication and ADFS as the identity provider.
SAML 2.0 - Okta as IdP	You can authenticate your Demisto users using SAML 2.0 authentication and Okta as the identity provider.
SAML 2.0 - PingOne as IdP	You can authenticate your XSOAR users using SAML 2.0 authentication and PingOne as the identity provider.
SAP - IAM	Integrate with SAP's services to execute CRUD operations for employee lifecycle processes.
SCADAfence CNM	fetching data from CNM.
Screenshot Machine	Uses screenshot machine to get a screenshot
SecBI	A threat, intelligence, and investigation platform, enabled by automation of detection and investigation, including remediation and prevention policy enforcements on all integrated appliances.
SecneurX Analysis	Fully automated malware dynamic analysis sandboxing.
SecneurX Threat Feeds	SecneurX provides real-time threat intelligence that protects companies against the latest cyber threats, including APTs, phishing, malware, ransomware, data exfiltration, and brand infringement. Security teams rely on our dependable and rich data to expand their threat landscape visibility, resulting in improved detection rates and response times.
Security Intelligence Services Feed	A PassiveTotal with Security Intelligence Services Feed provides you with newly observed Domain, Malware, Phishing, Content and Scam Blacklist with Hourly ingestion available.
SecurityAdvisor (Deprecated)	Deprecated. No available replacement.
SecurityScorecard	Provides scorecards for domains.
SecurityTrails	This integration provides API access to the SecurityTrails platform.
Securonix	Use the Securonix integration to manage incidents, threats, lookup tables, whitelists and watchlists.
Sekoia XDR	Fetch alerts and events from SEKOIA.IO XDR.\nTo use this integration, please create an API Key with the appropriate permissions.
SEKOIAIntelligenceCenter	Fetch Indicator and Observables from SEKOIA.IO Intelligence Center. To use this integration, please create an API Key with the right permissions.
SendGrid	SendGrid provides a cloud-based service that assists businesses with email delivery. It allows companies to track email opens, unsubscribes, bounces, and spam reports. Our SendGrid pack utilize these SendGrid use cases to help you send and manage your emails.
SentinelOne Activity and Alerts	This integration fetches activities, threats, and alerts from SentinelOne.
SentinelOne v2	Use the SentinelOne integration to send requests to your management server and get responses with data pulled from agents or from the management database.
Sepio	Get Agent, Switches and Events from your Sepio Prime
Serenety	Fetch Serenety alert from XMCO.
Server Message Block (SMB) (Deprecated)	Deprecated. Use the Server Message Block (SMB) v2 integration instead.
Server Message Block (SMB) v2	Files and Directories management with an SMB server. Supports SMB2 and SMB3 protocols.
Service Desk Plus	Use this integration to manage on-premises and cloud Service Desk Plus requests. The integration allows you to create, update, and delete requests, assign groups and technicians to requests, and link/unlink requests and modify their resolution.
Service Desk Plus (On-Premise) (Deprecated)	Deprecated. Use the Service Desk Plus instead.
ServiceNow (Deprecated)	Deprecated. Use the ServiceNow v2 integration instead.
ServiceNow CMDB	ServiceNow CMDB is a service‑centric foundation that proactively analyzes service‑impacting changes, identifies issues, and eliminates outages.
ServiceNow Event Collector	Use this integration to fetch audit and syslog transactions logs from ServiceNow as Cortex XSIAM events.
ServiceNow IAM	Integrate with ServiceNow's services to execute CRUD operations for employee lifecycle processes.
ServiceNow v2	Use The ServiceNow IT Service Management (ITSM) solution to modernize the way you manage and deliver services to your users.
ShiftLeft CORE	Integrate ShiftLeft CORE code analysis platform with Cortex XSOAR.
Shodan v2	A search engine used for searching Internet-connected devices.
Signal Sciences WAF	Protect your web application using Signal Sciences.
SIGNL4 (Beta)	SIGNL4 offers critical alerting, incident response and service dispatching for operating critical infrastructure. It alerts you persistently via app push, SMS text, voice calls, and email including tracking, escalation, on-call duty scheduling and collaboration.
Signum	Signum password expiry notification.
SilentPush	The Silent Push Platform uses first-party data and a proprietary scanning engine to enrich global DNS data with risk and reputation scoring, giving security teams the ability to join the dots across the entire IPv4 and IPv6 range, and identify adversary infrastructure before an attack is launched. The content pack integrates with the Silent Push system to gain insights into domain/IP information, reputations, enrichment, and infratag-related details. It also provides functionality to live-scan URLs and take screenshots of them. Additionally, it allows fetching future attack feeds from the Silent Push system.
Silverfort	Use the Silverfort integration to get and update Silverfort risk severity.
Simple SFTP	Simple SFTP Integration to copy files from SFTP Server using paramiko.
Single Connect	Single Connect is a PAM product that enables enterprises to remove static passwords stored in applications by instead keeping passwords in a secure password vault. Single Connect provides a token-based authentication for 3rd party applications when accessing the password vault. This authentication process verifies the application identity and gives secure access to the password associated with that identity.
Sixgill DarkFeed Enrichment	Sixgill Darkfeed Enrichment – powered by the broadest automated collection from the deep and dark web – is the most comprehensive IOC enrichment solution on the market. By enriching Palo Alto Networks Cortex XSOAR IOCs with Darkfeed, customers gain unparalleled context and essential explanations in order to accelerate their incident prevention and response and stay ahead of the threat curve. Automatically enrich Cortex XSOAR IOCs (machine to machine) via Darkfeed. Block threats and enrich endpoint protection in real-time from the Cortex XSOAR dashboard, gain contextual and actionable insights with essential explanations of Cortex XSOAR IOCs.
Sixgill DarkFeed Threat Intelligence	Leverage the power of Sixgill to supercharge Cortex XSOAR with real-time Threat Intelligence indicators. Get IOCs such as domains, URLs, hashes, and IP addresses straight into the XSOAR platform.
Skyformation (Deprecated)	Deprecated. Vendor has declared end of life for this integration. No available replacement.
Skyhigh Secure Web Gateway (On Prem)	Manages the block and allow lists within Skyhigh Secure Web Gateway.
Skyhigh Security	Skyhigh Security is a cloud-based, multi-tenant service that enables Cloud Discovery and Risk Monitoring, Cloud Usage Analytics, Cloud Access and Control.
Slack Event Collector	Slack logs event collector integration for XSIAM.
Slack IAM	Integrate with Slack's services to execute CRUD operations for employee lifecycle processes.
Slack v2 (Deprecated)	Deprecated. Use SlackV3 instead.
Slack v3	Send messages and notifications to your Slack team.
SlashNext Phishing Incident Response	SlashNext Phishing Incident Response integration allows Cortex XSOAR users to fully automate analysis of suspicious URLs. For example, IR teams responsible for abuse inbox management can extract links or domains out of suspicious emails and automatically analyze them with the SlashNext SEER threat detection cloud to get definitive, binary verdicts (malicious or benign) along with IOCs, screen shots, and more. Automating URL analysis can save IR teams hundreds of hours versus manually triaging these emails or checking URLs and domains against less accurate phishing databases and domain reputation services.
SMIME Messaging	Use the S/MIME (Secure Multipurpose Internet Mail Extensions) integration to send and receive secure MIME data.
Smokescreen IllusionBLACK	Smokescreen IllusionBLACK is a deception-based threat defense platform designed to accurately and efficiently detect targeted threats including reconnaissance, lateral movement, malware-less attacks, social engineering, Man-in-the-Middle attacks, and ransomware in real-time.
SNDBOX (Deprecated)	Deprecated. No available replacement.
Snort IP Blocklist Feed	This is the Snort IP Block List feed obtained from https://snort.org/
Snowflake	Analytic data warehouse provided as Software-as-a-Service.
SOCRadar Incidents	Fetches SOCRadar incidents with desired parameters so that relevant actions over the incidents can be taken by using Cortex XSOAR.
SOCRadar Threat Feed	Retrieve indicators provided by collections via SOCRadar Threat Intelligence Feeds.
SOCRadar ThreatFusion	Enrich indicators by obtaining enhanced information and reputation via ThreatFusion of SOCRadar.
SolarWinds	The SolarWinds integration interacts with the SWIS API to allow you to fetch alerts and events. It also provides commands to retrieve lists of alerts and events.
Sophos Central	The unified console for managing Sophos products.
Sophos Firewall	On-premise firewall by Sophos enables you to manage your firewall, respond to threats, and monitor what’s happening on your network.
Spamcop	SpamCop is an email spam reporting service, integration allow checking the reputation of an IP address.
Spamhaus Feed	Use the Spamhaus feed integration to fetch indicators from the feed.
SplunkPy	Runs queries on Splunk servers.
SplunkPyPreRelease (Beta)	Runs queries on Splunk servers.
SpurContextAPI	Enrich indicators using the Spur Context API.
SpyCloud	With the SpyCloud integration data from breaches can be pulled and further processed in Playbooks. Filtering parameters can be used to filter the data set
SpyCloud Enterprise Protection Enrichment	Integrate the SpyCloud Enterprise Protection API to use enrichment commands (along with sample Enrichment Playbooks) to look up your watchlists, domains, emails, IP addresses, usernames, and passwords. Data for malware-infected devices and exposed corporate applications are available for SpyCloud Compass users.
SpyCloud Enterprise Protection Feed	Fetch SpyCloud watchlist data (breach and malware records) for daily monitoring, incident response, and mitigation.
SSL Labs	Analyze a host or a URL.
Stairwell Inception	Stairwell Inception is a security intelligence engine that automates the continuous capture, storage, and of executable files and other primary security artifacts to improve detection and response against advanced attacks that evade traditional security tools.
Stamus	[Get Declaration of Compromises from Stamus Security Platform and build Incidents. Then get related artifacts, events and Host Insight information].
Starter Base Integration - Name the integration as it will appear in the XSOAR UI	[Enter a comprehensive, yet concise, description of what the integration does, what use cases it is designed for, etc.].
Stellar Cyber	Fetches and mirrors in Cases from Stellar Cyber to XSOAR. In addition, provides a command to update Case severity/status/assignee/tags, and a command to query an Alert.
Strata Logging Service XSOAR Connector	Palo Alto Networks Strata Logging Service XSOAR Connector provides cloud-based, centralized log storage and aggregation for your organization on premise, virtual (private cloud and public cloud) firewalls, for Prisma Access, and for cloud-delivered services such as Cortex XDR.
Sumo Logic Cloud SIEM	Freeing the analyst with autonomous decisions.
SumoLogic	Cloud-based service for logs & metrics management.
Symantec Advanced Threat Protection (Deprecated)	Deprecated. No available replacement.
Symantec Blue Coat Content and Malware Analysis (Beta)	Symantec Blue Coat Content and Malware Analysis integration.
Symantec Cloud Secure Web Gateway Event Collector	Palo Alto Networks Symantec Cloud Secure Web Gateway Event Collector integration for Cortex XSIAM.
Symantec CloudSOC Event Collector	Gets Events from Symantec CloudSOC.
Symantec Data Loss Prevention (Deprecated)	Deprecated. Use the Symantec Data Loss Prevention V2 integration instead. Symantec Data Loss Prevention enables you to discover, monitor and protect your sensitive corporate information.
Symantec Data Loss Prevention v2	Symantec Data Loss Prevention version 15.7 enables you to discover, monitor and protect your sensitive corporate information.
Symantec Email Security Cloud	Symantec Email Security.cloud is a hosted service that filters email messages and helps protect organizations from malware (including targeted attacks and phishing), spam, and unwanted bulk email. The service offers encryption and data protection options to help control sensitive information sent by email and supports multiple mailbox types from various vendors.
Symantec Endpoint Detection and Response (EDR) - On Prem	Symantec EDR (On Prem) endpoints help to detect threats in your network by filter endpoints data to find Indicators of Compromise (IoCs) and take actions to remediate the threat(s). EDR on-premise capabilities allow incident responders to quickly search, identify, and contain all impacted endpoints while investigating threats using a choice of on-premises.
Symantec Endpoint Protection v2	Query the Symantec Endpoint Protection Manager using the official REST API.
Symantec Endpoint Security	Symantec Endpoint Security Event Collector for Cortex XSIAM.
Symantec Endpoint Security (ICDM)	Query the Symantec Endpoint Security Cloud Portal (ICDM).
Symantec Managed Security Services	Leverage the power of Symantec Managed Security Services for continual threat monitoring and customized guidance 24x7.
Symantec Management Center	Symantec Management Center provides a unified management environment for the Symantec Security Platform portfolio of products.
Symantec Messaging Gateway	Symantec Messaging Gateway protects against spam, malware, targeted attacks and provides advanced content filtering, data loss prevention, and email encryption.
Synapse	Synapse intelligence analysis platform.
SysAid	SysAid is a robust IT management system designed to meet all of the needs of an IT department.
Syslog (Deprecated)	Syslog events logger. Automatically convert incoming logs to incidents.
Syslog Sender	Use the Syslog Sender integration to send messages and mirror incident War Room entries to Syslog.
Syslog v2	A Syslog server enables automatically opening incidents from Syslog clients. This integration supports filtering logs to convert to incidents, or alternatively converting all logs.
TaegisXDR (Deprecated)	Deprecated. Use TaegisXDR v2 instead.
TaegisXDR v2	For integration with the Secureworks Taegis XDR platform.
Talos Feed	Use the Talos Feed integration to get indicators from the feed.
Tanium (Deprecated)	Deprecated. Use Tanium v2 instead.
Tanium Threat Response	Use the Tanium Threat Response integration to manage endpoints processes, evidence, alerts, files, snapshots, and connections. This Integration works with Tanium Threat Response version below 3.0.159. In order to use Tanium Threat Response version 3.0.159 and above, use Tanium Threat Response V2 Integration.
Tanium Threat Response v2	Use the Tanium Threat Response integration to manage endpoint processes, evidence, alerts, files, snapshots, and connections. This integration works with Tanium Threat Response version 3.0.159 and above.
Tanium v2	Tanium endpoint security and systems management, filters out [current results unavailable] when returning question results.
Tavily	Tavily is a web service that provides real-time web search and retrieval capabilities through an API, enabling developers to fetch and extract relevant information from the internet in structured formats like JSON.
TAXII 2 Feed	Ingests indicator feeds from TAXII 2.0 and 2.1 servers.
TAXII Feed	Ingests indicator feeds from TAXII 1.x servers.
TAXII Server	This integration provides TAXII Services for system indicators (Outbound feed).
TAXII2 Server	This integration provides TAXII2 Services for system indicators (Outbound feed).
Team Cymru	Team Cymru provides various service options dedicated to mapping IP numbers to BGP prefixes and ASNs. Each of the services is based on the same BGP feeds from 50+ BGP peers and is updated at 4-hour intervals.
Team Cymru Scout	Team Cymru's Scout integration with Palo Alto XSOAR helps streamline incident triage and accelerate threat response by providing domain and threat intelligence data.
TeamViewer Event Collector	TeamViewer event collector integration for Cortex XSIAM.
Telegram (Beta)	Telegram integration
Tenable Vulnerability Management (formerly Tenable.io)	A comprehensive asset-centric solution to accurately track resources while accommodating dynamic assets such as cloud, mobile devices, containers, and web applications.
Tenable.sc	With Tenable.sc (formerly SecurityCenter) you get a real-time, continuous assessment of your security posture so you can find and fix vulnerabilities faster.
Tessian	Tessian is an email security platform that allows organizations to protect their users from inbound phishing threats, outbound data loss (both malicious and accidental) and account takeovers.
Thales CipherTrust Manager	Manage secrets and protect sensitive data through Thales CipherTrust security platform.
Thales SafeNet Trusted Access	This integration enables you to process alerts from SafeNet Trusted Access (STA) indicating security risks to end user accounts, and apply security remediation actions on SafeNet Trusted Access through security orchestration playbooks.
Thales SafeNet Trusted Access Event Collector	Retrieve access, authentication, and audit logs and store them on a Security Information and Event Management (SIEM) system, local repository, or syslog file server. You can retrieve the logs only for the tenant that is associated with the API key, or for a direct or delegated child of that tenant.
TheHive Project	Integration with The Hive Project Security Incident Response Platform.
Thinkst Canary	By presenting itself as an apparently benign and legitimate service(s), the Canary draws the attention of unwanted activity. When someone trips one of the Canary's triggers, an alert is sent to notify the responsible parties so that action can be taken before valubale systems in your network are compromised.
ThousandEyes	This Integration is used to to fetch-incidents via "Active alerts", get alert details via "Alert details", and get the "Agent list".
Threat Crowd v2 (Deprecated)	Deprecated. No available replacement.
ThreatConnect (Deprecated)	Deprecated. Use the ThreatConnect v3 integration instead.
ThreatConnect Feed	This integration fetches indicators from ThreatConnect.
ThreatConnect v2 (Deprecated)	Deprecated. Use the ThreatConnect v3 integration instead.
ThreatConnect v3	ThreatConnect's integration is a intelligence-driven security operations solution with intelligence, automation, analytics, and workflows.
ThreatExchange (Deprecated)	Deprecated. Use the ThreatExchange v2 integration instead.
ThreatExchange v2	Receive threat intelligence about applications, IP addresses, URLs, and hashes. A service by Facebook.
ThreatFox Feed	ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware. Use the ThreatFox Feed integration to fetch indicators from the feed.
ThreatMiner	Data Mining for Threat Intelligence
ThreatQ v2	A threat intelligence platform that collects and interprets intelligence data from open sources and manages indicator scoring, types, and attributes.
ThreatX	The ThreatX integration allows automated enforcement and intel gathering actions.
ThreatZone	ThreatZone malware analysis sandboxing.
Thycotic (Deprecated)	Deprecated. Use DelineaSS instead.
ThycoticDSV (Deprecated)	Deprecated. Use DelineaDSV instead.
Tidy	Tidy integration handle endpoints enviorment installation.
TOPdesk	TOPdesk’s Enterprise Service Management software (ESM) lets your service teams join forces and process requests from a single platform.
Tor Exit Addresses Feed	Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.
Traceable	Traceable Platform Integration enables publishing Traceable Detected Security Events to be published to Cortex Xsoar for further action.
Trello	Interact with the Trello task manager
Trend Micro Apex One	Trend Micro Apex One central automation to manage agents and User-Defined Suspicious Objects.
Trend Micro Cloud App Security	Use Trend Micro Cloud App Security integration to protect against ransomware, phishing, malware, and unauthorized transmission of sensitive data for cloud applications, such as Microsoft 365, Box, Dropbox, Google G Suite and Salesforce.
Trend Micro Deep Discovery Analyzer (Beta)	Deep Discovery Analyzer is a turnkey appliance that uses virtual images of endpoint configurations to analyze and detect targeted attacks.
Trend Micro Deep Security	Cloud Security Protection.
Trend Micro Email Security Event Collector	Palo Alto Networks Trend Micro Email Security Event Collector integration for XSIAM.
Trend Micro Vision One	Trend Micro Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers—email, endpoints, servers, cloud workloads, and networks—Trend Micro Vision One prevents the majority of attacks with automated protection.
Trend Micro Vision One Event Collector	Palo Alto Networks Trend Micro Vision One Event Collector integration for Cortex XSIAM collects the Workbench, Observed Attack Techniques, Search Detections and Audit logs.
Trend Micro Vision One V3.	Trend Micro Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers—email, endpoints, servers, cloud workloads, and networks—Trend Micro Vision One prevents the majority of attacks with automated protection.
Tripwire	Tripwire is a file integrity management (FIM), FIM monitors files and folders on systems and is triggered when they have changed.
TruSTAR (Deprecated)	Deprecated. Not supported since TrueSTAR was acquired by Splunk, No available replacement.
TruSTAR v2 (Deprecated)	Deprecated. Not supported since TrueSTAR was acquired by Splunk, No available replacement.
Trustwave Secure Email Gateway	Trustwave SEG is a secure messaging solution that protects businesses and users from email-borne threats, including phishing, blended threats, and spam. Trustwave Secure Email Gateway also delivers improved policy enforcement and data leakage prevention.
TrustwaveFusion	The Trustwave Fusion platform connects your organization’s digital footprint to a robust security cloud comprised of the Trustwave data lake, advanced analytics, actionable threat intelligence and a wide range of Trustwave services including Trustwave SpiderLabs , elite team of security specialists. Your team will benefit from deep visibility and the advanced security expertise necessary for protecting assets and eradicating threats as they arise.
Tufin	Retrieve and analyze network access controls across Tufin-managed firewalls, SDN, and public cloud to identify vulnerable access paths of an attack.
Twilio	Send SMS notifications
Twinwave	TwinWave’s threat analysis platform analyzes both URLs and files to detect credential phishing and malware threats. Our platform automatically navigates complex attack chains that attackers put in front of threats in order to evade analysis. In addition to detecting threats, the TwinWave platform generates actionable intelligence for threat hunting and other activities.
Twitter (Deprecated)	Deprecated. Use Twitter v2 instead.
Twitter v2	Twitter integration provides access to searching recent Tweets (in last 7 days) and user information using the Twitter v2 API.
TwitterIOCHunter Feed	Fetch the full daily feed from www.tweettioc.com/v1/tweets/daily/full
UBIRCH	The UBIRCH solution can be seen as an external data certification provider, as a data notary service, giving data receivers the capability to verify data they have received with regard to its authenticity and integrity and correctness of sequence.
UltraMSG	This is the UltraMSG integration for getting started made by Trustnet
UnifiVideo	Connect to UnifiVideo NVR and manage CCTV cameras! This integration allows you to fetch motion recording events as incidents. The integration commands also allow downloading snapshots, recordings and controlling the camera infra-red capabilities.
Unisys Stealth	This integration is intended to aid companies in integrating with the Stealth EcoAPI service. Using the included commands, security teams can trigger dynamically isolation of users or endpoints from the rest of the Stealth network.
Unit 42 ATOMs Feed	Unit 42 feed of published IOCs, which contains known malicious indicators.
Unit 42 Feed (Deprecated)	Deprecated. Use Unit42 ATOMs Feed instead.
Unit 42 Intel Objects Feed	Use the Unit 42 Intel Objects Feed integration to fetch indicators from Unit 42 Intel Objects.
Uptycs	Fetches data from the Uptycs database.
URLhaus	URLhaus has the goal of sharing malicious URLs that are being used for malware distribution.
URLhaus Feed	Fetch url indicators for URLHaus.
urlscan.io	Use urlscan.io integration to perform scans on suspected URLs and see their reputation.
USTA	USTA is an Cyber Intelligence Platform that responds directly and effectively to today's complex cyber threats.
USTA Account Takeover Prevention	USTA Account Takeover Prevention is designed to collect compromised credentials sourced from stealer malware attacks, helping organizations identify potential account takeovers and enhance their security posture. Provided by PRODAFT.
USTA Stolen Credit Cards	This integration offers organizations the ability to track stolen credit card data across the web, providing comprehensive insight into compromised card information sourced from underground markets, dark web forums, and other malicious platforms.
USTA Threat Stream IOC Feed	This integration fetches indicators from the USTA Threat Stream feed. The indicators can be of type malicious URLs or malware hashes.
Varonis Data Security Platform	Streamline alerts and related forensic information from Varonis DSP.
Varonis SaaS	Streamline alerts and related forensic information from Varonis SaaS.
Vectra (Deprecated)	Deprecated. Use Vectra Detect instead.
Vectra AI Event Collector	Collects Vectra Detections and Audits into XSIAM Events.
Vectra Detect	This integration allows to create incidents based on Vectra Accounts/Hosts/Detections objects.
Vectra v2 (Deprecated)	Deprecated. Use Vectra Detect instead.
Vectra XDR	This integration allows to create incidents based on Vectra XDR Entities.
Veeam Backup & Replication REST API	Veeam Backup & Replication REST API allows you to query information about Veeam Backup & Replication entities and perform operations with these entities using HTTP requests and standard HTTP methods.
Veeam ONE REST API	Veeam ONE REST API allows you to query information about Veeam ONE entities and perform operations with these entities using HTTP requests and standard HTTP methods.
Venafi (Deprecated)	Deprecated. Use Venafi TLS Protect instead.
Venafi TLS Protect	Retrieves information about certificates stored in Venafi.
Versa Director	Versa Director is a virtualization and service creation platform that simplifies the design, automation, and delivery of SASE services. Versa Director provides the essential management, monitoring, and orchestration capabilities needed to deliver all of the networking and security capabilities within Versa SASE.
Vertica	Analytic database management software.
Viper	Viper is a binary analysis and management framework.
VirusTotal (API v3)	Analyzes suspicious hashes, URLs, domains, and IP addresses.
VirusTotal (Deprecated)	Deprecated. Use VirusTotalV3 integration instead.
VirusTotal - Premium (API v3)	Analyse retro hunts, read live hunt notifications and download files from VirusTotal.
VirusTotal - Private API (Deprecated)	Deprecated. Use "VirusTotal (API v3)" or "VirusTotal - Premium (API v3)" integrations instead.
VirusTotal Livehunt Feed	Use this feed integration to fetch VirusTotal Livehunt notifications as indicators.
VirusTotal Retrohunt Feed	Use this feed integration to fetch VirusTotal Retrohunt matches.
VMRay	Malware analysis sandboxing.
VMware	VMware vCenter server is a centralized management application that lets you manage virtual machines and ESXi hosts centrally.
VMware Carbon Black App Control v2	VMware Carbon Black App Control (formerly known as Carbon Black Enterprise Protection) is a next-generation endpoint threat prevention solution to deliver a portfolio of protection policies, real-time visibility across environments, and comprehensive compliance rule sets in a single platform. This integration only supports Carbon Black on-premise APIs.
VMware Carbon Black EDR (Deprecated)	Deprecated. Use VMware Carbon Black EDR v2 instead.
VMware Carbon Black EDR (Live Response API)	Collect information and take action on remote endpoints in real time with VMware Carbon Black EDR (Live Response API) (formerly known as Carbon Black Enterprise Live Response).
VMware Carbon Black EDR v2	VMware Carbon Black EDR (formerly known as Carbon Black Response).
VMware Carbon Black Endpoint Standard (Deprecated)	Deprecated. Use Carbon Black Endpoint Standard instead.
VMware Workspace ONE UEM (AirWatch MDM)	VMware Workspace ONE UEM integration allows users to search enrolled corporate or employee-owned devices, provides detailed information about each device such as its serial number, installed OS's, pending OS updates, network details, and much more leveraging Workspace ONE UEM's (formerly AirWatch MDM) API.
VulnDB	Lists all of the security vulnerabilities for various products (OS,Applications) etc).
WALLIX Bastion	Centralized Control and Monitoring of Privileged Access to Sensitive Assets.
Web File Repository	Simple web server with a file uploading console to store small files. This is helpful to make your environment ready for testing purpose for your playbooks or automations to download files from a web server.
WhatIsMyBrowser	Parse user agents and determine if they are malicious as well as enrich information about the agent.
Whois	Provides data enrichment for domains.
Windows Remote Management (Beta)	Uses the Python pywinrm library and commands to execute either a process or using Powershell scripts.
WithSecure Event Collector	WithSecure event collector integration for Cortex XSIAM.
Wiz	Agentless cloud security.
WizDefend	Agentless cloud security platform for detecting and addressing cloud issues, detections, and threats.
Wolken ITSM	Use The Wolken IT Service Management (ITSM) solution to modernize the way you manage and deliver services to your users.
WootCloud	Append HyperContext™ insights to your SIEM data and feed them into your orchestration workflows.
Wordpress	The WordPress REST API provides an interface for applications to interact with your WordPress site by sending and receiving data as JSON (JavaScript Object Notation) objects. It is the foundation of the WordPress Block Editor, and can likewise enable your theme, plugin or custom application to present new, powerful interfaces for managing and publishing your site content.
Workday	Workday offers enterprise-level software solutions for financial management, human resources, and planning.
Workday Event Collector	Use Workday Event Collector integration to get activity loggings from Workday.
Workday IAM	Use the Workday IAM Integration as part of the IAM premium pack.
Workday IAM Event Generator (Beta)	Generates mock reports and events for Workday IAM. Use these for testing and development.
Workday Sign On Event Collector	Use the Workday Sign On Event Collector integration to get sign on logs from Workday.
Workday Signon Event Generator (Beta)	Generates mock sign on events for Workday Signon Event Collector. Use these for testing and development.
xDome	Use the xDome integration to manage assets and alerts.
XM Cyber	The XM Cyber integration creates unique incidents with valuable data collected daily, and enriches your existing incidents with attack simulation context. This enables you to prioritize your responses based on XM Cyber’s insights.
xMatters	This is an integration for using xMatters.
Xpanse Feed	Use this feed to retrieve the discovered IPs/domains/certificates from the Cortex Xpanse asset database.
XQL Query Engine	XQL Query Engine enables you to run XQL queries on your data sources.
XSOAR EDL Checker	Checks an XSOAR hosted EDL to make sure it's returning a valid response. Supports PAN-OS (text), CSV, or JSON EDLs.
XSOAR Engineer Training	The XSOAR Engineer Training (XET) integration provides sample data to fetch events into Cortex XSOAR, and commands to build playbooks around. Use for training purposes only.
XSOAR File Management	This integration uses the XSOAR API to perform basic but essentials actions on files.
XSOAR Mirroring	Facilitates mirroring of Cortex XSOAR incidents between different Cortex XSOAR tenants.
XSOAR Storage	Facilitates the storage and retrieval of key/value pairs within XSOAR.
XSOAR-Web-Server	This is a simple web-server that as of now, supports handling configurable user responses (like Yes/No/Maybe) and data collection tasks that can be used to fetch key value pairs. What makes it different from Data collection tasks is that, the URL to perform a certain action is predictable and written to the incident context when an action is setup.This URL can be inserted to for eg: an HTML email. User clicks are are recorded in the integration context and can be polled by Scheduled Commands/ Generic Polling.
Xsoar_Utils	This is a wrapper on top of XSOAR API. Can be used to implement commands that call the XSOAR API in the background. This is mostly to avoid constructing raw json strings while calling the demisto rest api integration. The first implemented command can be used to create an entry on any investigation; playground by default. An example use-case could be debugging a pre-process script. (Call demisto.execute_command("xsoar-create-entry",{arguments}) The idea is to use the same code to test from a local machine. python3 Xsoar_Utils.py xsoar-create-entry '{"data":"# testapi4","inv_id":"122c7bff-feae-4177-867e-37e2096cd7d9"}' Read the code to understand more.
Zabbix	Allow integration with Zabbix api.
Zafran API	The Zafran API provides a programmatic way to interact with the Zafran Exposure Management Platform for various use cases.
Zendesk v2	IT service management.
Zero Day Live TI FUSION Feed	Zero Day Live is Blackwired's flagship product that delivers proprietary cyber threat intelligence, enabling our clients to operate at the same speed as the adversary. Zero Day Live specializes in unknown, zero day and early warning threats. Our intelligence is delivered finished, actionable and seamlessly orchestrated, directly into the existing security infrastructure - measurably reducing the risk of breach.
Zero Networks Segment	Integrates with Zero Networks Segment API to fetch and process audit and network events.
ZeroFox	Cloud-based SaaS to detect risks found on social media and digital channels.
ZeroFox Key Incidents	Cloud-based SaaS to detect risks found on social media and digital channels.
Zerohack XDR	The companion integration for Zerohack XDR. Current versions allow the user to collect data from the XDR and later versions will support data exfiltration to XDR.
ZeroTrustAnalyticsPlatform	Zero Trust Analytics Platform (ZTAP) is the underlying investigation platform and user interface for Critical Start's MDR service.
Zimperium	Fetch and investigate mobile security alerts, generated based on anomalous or unauthorized activities detected on a user's mobile device.
Zimperium v2	Fetch and investigate mobile security alerts, generated based on anomalous or unauthorized activities detected on a user's mobile device. Compatible with Zimperium 5.X API version.
Zoom	Use the Zoom integration to manage your Zoom users and meetings.
Zoom Event Collector	This is the Zoom event collector integration for Cortex XSIAM.
Zoom Feed	Use the Zoom Feed integration to get indicators from the feed.
Zoom Mail	Enables interaction with the Zoom Mail API.
Zoom_IAM	An Identity and Access Management integration template.
Zscaler Internet Access	Zscaler is a cloud security solution built for performance and flexible scalability. This integration enables you to manage URL and IP address allow lists and block lists, manage and update categories, get Sandbox reports, create, manage, and update IP destination groups and manually log in, log out, and activate changes in a Zscaler session.

Playbooks

Name	Description
3CXDesktopApp Supply Chain Attack	### 3CXDesktopApp Supply Chain Attack #### Executive Summary On March 29, 2023, CrowdStrike released a blog discussing a supply chain attack involving a software-based phone application called 3CXDesktopApp. As of March 30, the 3CXDesktopApp installer hosted on the developer’s website will install the application with two malicious libraries included. The malicious libraries will ultimately run shellcode to load a backdoor on the system that allows actors to install additional malware on the victim machine. Between March 9-30, 2023, we observed activity at 127 Cortex XDR customers that involved the 3CXDesktopApp process attempting to run shellcode, which was blocked by the XDR Agent’s In-process Shellcode Protection Module. Due to blocking the shellcode, we were unable to obtain the secondary payload used in this attack, so we cannot determine its capabilities or any post-exploitation activities carried out by the threat actor. #### Affected Products According to 3CX’s announcement, the supply chain attack involved 3CX’s Electron Windows App shipped in Update 7, version numbers 18.12.407 & 18.12.416 and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 & 18.12.416. #### Playbook Flow This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the 3CXDesktopApp Supply Chain Attack playbook and Rapid Breach Response incident type. The playbook includes the following tasks: Hunting: - Cortex XDR - XQL hunting queries - Advanced SIEM queries - Splunk - QRadar - Elasticsearch - Azure Log Analytics - Indicators hunting References: Threat Brief: 3CXDesktopApp Supply Chain Attack CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
A mail forwarding rule was configured in Google Workspace	This playbook addresses the following alerts: - A mail forwarding rule was configured in Google Workspace. - A mail forwarding rule was configured in Google Workspace to an uncommon domain. Playbook Stages: Triage: - The playbook retrieves the caller's IP, the forwarding email address, and associated filters. Early Containment: - The playbook checks if the IP or domain of the forwarding email address is malicious. If so, it suggests blocking the IP using PAN-OS while continuing the investigation in parallel. Investigation: - The playbook verifies if the rule was created outside of working hours or from an unusual geolocation and extracts suspicious keywords from the forwarding rules. It then aggregates all evidence collected during the investigation. Containment: - If only one suspicious evidence is found, the playbook executes soft response actions, including signing the user out and deleting the forwarding email address from the user account mailbox. The user will be notified of these actions via email. - If multiple suspicious evidences are found, the playbook executes both soft and hard response actions, recommending the analyst suspend the user account. Requirements: For any response action, you need one of the following integrations: - Gmail integration to fetch filters and remove the forwarding email address. - Google Workspace Admin access to sign out and suspend the user account.
A Successful login from TOR	This playbook is designed to handle the following alert: - A successful login from TOR The playbook executes the following stages: Triage: - The playbook will fetch the user identity details. Remediation & Eradication: - The playbooks will suggest several actions for the analyst to take: disabling the user account using Active Directory or Azure Active Directory, expiring the user password using Active Directory, or blocking traffic from TOR exit nodes using PAN-OS and Palo Alto Networks' predefined EDL. The analyst can select multiple actions, which will then be executed by the playbook based on the analyst's choices. Requirements: For any response action, you will need one of the following integrations: Azure Active Directory Users / Active Directory Users.
A successful SSO sign-in from TOR	This playbook is designed to handle the following alerts: - A successful SSO sign-in from TOR - A successful SSO sign-in from TOR via a mobile device The playbook executes the following stages: Early Containment: - The playbooks will perform early containment actions by clearing\revoking user sessions and enforcing re-authentication to terminate the connection from the Tor exit node and verify the user's identity. Depending on the alert source, the playbook will use either Azure Active Directory Users or Okta v2 integrations to clear the user sessions. Investigation: During the alert investigation, the playbook will perform the following: - Checks the user's risk score. - Search for suspicious user agent usage within the alert. - Search for related XDR alerts using the following MITRE techniques to identify any malicious activity: T1566 - Phishing T1621 - Multi-Factor Authentication Request Generation T1110 - Brute Force T1556 - Modify Authentication Process Remediation: - Remediation actions will be taken if the user’s risk score is high, a suspicious user agent is detected, or a related alert is found. In such cases, the playbook will disable the account. By default, account disabling requires analyst approval. Requires: For any response action, you will need one of the following integrations: Azure Active Directory Users / Okta v2.
A user deleted multiple users for the first time	This playbook addresses the following alerts: - A user deleted multiple users for the first time Playbook Stages: Triage: - Collect initial alert data regarding the event. - Check the user type of the source user. - Host enrichment. Investigation: - Check if an admin user initiated the operation and whether the deleted users are disabled. - Correlate recent user activity with related security alerts. - Assess user's and host's risk level in Cortex XDR. - Check the type of the user target. Remediation: - Evaluate investigation findings, if TP, the playbook will display the findings to an analyst for review and suggest user/host account disablement. Requirements: For response actions, you need the following integrations: - Cortex Core - Investigation and Response - Active Directory Query v2.
A user executed multiple LDAP enumeration queries	This playbook addresses the following alerts: - A user executed suspicious LDAP enumeration queries Playbook Stages: Triage: - Get additional event information about the LDAP searches executed by the user - Ensure that a single client IP exists in the alert - Get endpoint information for the client IP - Check preconditions for continuing investigation based on the number of suspicious attributes, attack tool queries, and vulnerable certificate templates Investigation: - Enrich the user that executed the queries - Check if the user was created recently - Search for additional discovery alerts in the incident - Check user groups and roles to determine if the user is unprivileged - Check user querying frequency to detect anomalies - Get host risk level - Search for recent malware alerts on client IP Remediation: - With analyst approval, disable the user in Active Directory if user-related anomalies are found and the alert is a True Positive. - With analyst approval, isolate the endpoint if host-related anomalies are found and the alert is a True Positive. - Logoff user from client host if an active session is detected and the alert is a True Positive. Requirements: For any response action, you need the following integrations: - Core - IR - Active Directory Query v2.
Abuse Inbox Management Detect & Respond	When combined with ‘SlashNext Abuse Management Protection’, this playbook fully automates the identification and remediation of phishing emails found in Microsoft 365 user inboxes. Using the indicators of compromise, URL, domain, and IP, found in the original email, it searches and remediates other emails containing the same IOCs.
Abuse Inbox Management Protection	Analyzes the URLs, domains, and IPs in suspicious emails, reported by end users, and returns a binary verdict (malicious or benign) and forensic information including screenshot of attack page, threat name and type, threat status, and first/last seen date
Access Investigation - Generic	This playbook investigates an access incident by gathering user and IP information. The playbook then interacts with the user that triggered the incident to confirm whether or not they initiated the access action.
Access Investigation - Generic - NIST	This playbook investigates an access incident by gathering user and IP information, and handling the incident based on the stages in "Handling an incident - Computer Security Incident Handling Guide" by NIST. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf Used Sub-playbooks: - IP Enrichment - Generic v2 - Account Enrichment - Generic v2.1 - Block IP - Generic v3 - NIST - Lessons Learned
Access Investigation - QRadar	Deprecated. No available replacement. This playbook uses the QRadar integration to investigate an access incident by gathering user and IP information. The playbook then interacts with the user that triggered the incident to confirm whether or not they initiated the access action.
Accessdata: Dump memory for malicious process	Deprecated. No available replacement.
Account Enrichment	Deprecated. Use the "Account Enrichment - Generic v2.1" playbook instead.\ \ Enrich the accounts under the Account context key with details from relevant integrations such as AD.
Account Enrichment - Generic	Deprecated. Use "Account Enrichment - Generic v2.1" playbook instead.\ \ Enrich Accounts using one or more integrations
Account Enrichment - Generic v2	Deprecated. Use "Account Enrichment - Generic v2.1" playbook instead.\ \ Enrich accounts using one or more integrations. Supported integrations - - Active Directory
Account Enrichment - Generic v2.1	Enrich accounts using one or more integrations. Supported integrations: - Active Directory - Microsoft Graph User - SailPoint IdentityNow - SailPoint IdentityIQ - PingOne - Okta - AWS IAM - Cortex XDR (account enrichment and reputation) Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations.
Acquire And Analyze Host Forensics	This playbook enables gathering forensic data from a host and analyzing the acquired data by using the relevant forensics automations.
ACTI Block High Severity Indicators	Deprecated. No available replacement.
ACTI Block Indicators from an Incident	Deprecated. No available replacement.
ACTI Create Report-Indicator Associations	Deprecated. No available replacement.
ACTI Incident Enrichment	This playbook enriches Intelligence Alerts, Intelligence Reports, Malware Families, Threat Actors, Threat Groups & Threat Campaigns
ACTI Indicator Enrichment	Deprecated. No available replacement.
ACTI Report Enrichment	Deprecated. No available replacement.
ACTI Vulnerability Enrichment	Deprecated. No available replacement.
Active Directory - Get User Manager Details	Takes an email address or a username of a user account in Active Directory, and returns the email address of the user's manager.
Active Directory Investigation	Active Directory Investigation playbook provides tools and guidance to investigate changes and manipulation in Active Directory containers, ACLs, Schema, and objects. This playbook uses a 3rd party tool provided by Microsoft to scan the Active Directory access list, trees, and objects. Additional investigative information is provided for manual investigation.
Add Employees to Departing Employee Watchlist	Loops through stand-down tickets provided by the Departing Employee Auto-Add playbook and adds employees to the Departing Employee watchlist in Code42 Incydr.
Add Employees to New Hire Watchlist	Loops through stand-up tickets provided by the New Hire Auto-Add playbook and adds employees to the New Hire watchlist in Code42 Incydr.
Add Indicator to Miner - Palo Alto MineMeld	Deprecated. Add indicators to the relevant Miner using MineMeld.
Add IOCs - Cofense Vision	Add or update IOCs in Cofense Vision.
Add Note - Vectra Detect	This playbook will add a note in Vectra for an entity based on its type.
Add Note - Vectra XDR	This playbook will add a note in Vectra for an entity based on its type.
Add Unknown Indicators To Inventory - RiskIQ Digital Footprint	Adds the unknown indicators or updates/removes the indicators identified as a known asset in the RiskIQ Digital Footprint inventory according to the user inputs for each asset. To select the indicators you want to add, go to playbook inputs, choose "from indicators" and set your query. For example reputation:None etc. The purpose of the playbook is to check if the indicators with the unknown reputation are known assets. The default playbook query is "reputation:None". In case indicators with different reputations are to be added to the inventory, the query must be edited accordingly. This playbook cannot be run in quiet mode. This playbook needs to be used with caution as it might use up the integration’s API license when running for large amounts of indicators. Supported integration: - RiskIQ Digital Footprint
Agari Message Remediation - Agari Phishing Defense	Investigates Agari policy events by obtaining the original message and attachments from the existing email integrations and remediates in Agari.
Akamai WAF - Activate Network Lists	Activates network lists in Staging or Production on Akamai WAF. The playbook finishes running when the network list is active on the requested enviorment.
Alibaba ActionTrail - multiple unauthorized action attempts detected by a user	This playbook investigates an “Alibaba ActionTrail - multiple unauthorized action attempts detected by a user” alert by gathering user and IP information and performing remediation based on the information gathered and received from the user. Used Sub-playbooks: Enrichment for Verdict Block IP - Generic v3 To link this playbook to the relevant alerts automatically, we recommend using the following filters when configuring the playbook triggers: Alert Source = Correlation Alert Name = Alibaba ActionTrail - multiple unauthorized action attempts detected by a user
Allow IP - Okta Zone	Sync a list of IP addresses to the Okta Network Zone with the given ID. Existing IPs in the Okta Zone which are not in the input list will be removed and the indicator will be untagged in Cortex XSOAR. IDs can be retrieved using !okta-list-zones. This playbook supports CIDR notation only (1.1.1.1/32) and not range notation (1.1.1.1-1.1.1.1)
Analyze File - Sandbox - ThreatZone	Analyzes one file using the ThreatZone sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. Dynamic Scan Extensions: exe, docx, dochtml, docm, doc, rtf, ps1, bat, cmd, xlw, xltx, xltm, xls, xlsx, odc, csv, xlshtml.
Analyze File - Static Scan - ThreatZone	Analyzes one file using the ThreatZone static scan integration. Returns relevant reports to the War Room and file reputations to the context data. All file types are supported.
Analyze URL - ReversingLabs TitaniumCloud	Get threat intelligence data for the submitted URL. Required TitaniumCloud API rights: TCA-0403 TCA-0402
Anomali Enterprise Forensic Search	Initiates a Forensic Search on IOCs in Anomali Match.
AppleScript Process Executed With Rare Command Line	This playbook handles "AppleScript Process Executed With Rare Command Line" alerts. Playbook Stages: Investigation: During the alert investigation, the playbook will perform the following: - Searches for XSIAM prevention alerts with the same causality process ID. - Checks if the causality|actor image has bad reputation or is not signed. - Checks if malicious|suspicious patterns found in the command line. - Searches for XSIAM insights alerts indicating a suspicious activity. Remediation: - Automatically terminate the causality process. - Quarantine the causality|actor image (requires analyst approval). - Automatically Close the alert.
appNovi-MAC-Address-Lookup	Lookup servers and IPs by MAC address
Arcanna-Generic-Investigation	Playbook takes incident data and sends it to Arcanna.Ai for ML inference and automated decision. Once decision is retrieved, manual input ( in this case ) from analyst is added in as feedback and sent back to Arcanna.ai. Once Feedback is provided in the final steps of the playbook, an automated AI Training is triggered and finally the full record, that contains all Arcanna.ai added metadata, is retrieved back into the context
Arcanna-Generic-Investigation-V2-With-Feedback	Deprecated. Use ArcannaGenericInvestigation instead.
Archer initiate incident	Deprecated. Use the `archer-get-file` command directly instead. initiate Archer incident
Arcsight - Get events related to the Case	Get the Case's Arcsight ResourceID from the FetchID field, or the "ID" label. If neither is there, ask user for the ID. Use the resource ID to get full data for the case, the correlated/aggregate events underneath it, and all base events underneath them.
Armis Alert Enrichment	Enrich Armis alerts with the devices in the context details.
Armorblox Needs Review	This playbook sends email alerts to admins for Armorblox incidents that need review.
Assess Wiz Issues	Example basic Playbook to assess Wiz Issues
Assess WizDefend Detections	Playbook to assess Wiz Detections from the WizDefend integration
Assign Active Incidents to Next Shift	This playbook reassigns Active Incidents to the current users on call, requires shift management to be setup. Can be run as a job a few minutes after the scheduled shift change time. Update the playbook input with a different search query if required. Will also branch if there are no Incidents that match the query, and no users on call. Search results are the default 100 Incidents returned by the query.
Assign Active Incidents to Next Shift V2	This playbook reassigns Active Incidents to the current users on call. It requires shift management to be set up. The playbook can be run as a job a few minutes after the scheduled shift change time. You can update the playbook input with a different search query, if required. Will branch if there are no incidents that match the query and no users on call. Cases will not be assigned to users that defined OOO (by OutOfOffice automation).
Ataya - Securely logging device access to network	With this playbook, we can enable Identity-Aware Security Across Multiaccess Networks.
ATD - Detonate File	Detonates a File using the McAfee Advanced Threat Defense sandbox. Advanced Threat Defense supports the following File Types: 32-bit Portable Executables (PE)files; 64-bit PE+files exe, sys, dll, com, scr, cpl, ocx, cgi Microsoft Office Suite documents doc,dotm, docx, dotx, xls, ppam, xlsx, pps, xlsb, ppsx, xlsm, ppsm, ppt, ppt, pptx, pptm, rtf, shs, xltm, sldm, xltx, sldx, xlam, thmx, docm, xar Just Systems Ichitaro documents jtd, jtdc Adobe pdf, swf Compressed files gz, 7z, tgz, msi, zip, lzh, cab, lzma, rar Android application package apk, Java, JAR, CLASS, Java Script, Java bin files Image files jpeg, png, gif Other file types cmd, ace, bat, arj, vbs, chm, xml, lnk, url, mof, htm, ocx, html, potm, eml, potx, msg, ps1, vb, reg, vba, wsc, vbe, wsf, vbs, wsh
Authentication method added to an Azure account	This playbook addresses the following alert: - Suspicious authentication method addition to Azure account Playbook Stages: Triage: - Gather initial information about the user. Investigation: - Check IP Reputation: - Analyze the reputation of the IP address related to the alert. - Check for Azure Alerts: - Extract recent Azure security alerts for the user. - Check if User is Risky: - Assess the risk score of the user based on Core and Azure risk indicators. - Investigate reasons behind any identified risks, including recent detections. Containment: - The playbook checks If hard remediation is needed, if yes, it will check if the integration "Microsoft Graph User" is enabled, the playbook will revoke the sessions of the user and provide a manual task for an analyst to review the findings and decide the next steps. - Possible actions: - Disable the user. - Take no action. If the integration is not enabled, the playbook will recommend performing the same action but manually. - The playbook will check if soft remediation is needed, If yes, continue to revoke user's active sessions to ensure immediate containment. Requirements: For the best results, it's recommended to ensure these integrations are configured and working: - `Cortex Core - Investigation and Response` for Core user risk evaluation. - `Azure Risky Users` for retrieving user risk scores. - `Microsoft 365 Defender` for advanced hunting queries and Azure security alerts. - `Microsoft Graph User` is used to disable user and revoke session.
Auto Add Assets - RiskIQ Digital Footprint	This playbook automatically adds the provided asset(s) to the RiskIQ Digital Footprint inventory according to the values provided. Use this playbook as a sub playbook and loop over each asset in the asset list in order to add multiple assets. Supported integration: - RiskIQ Digital Footprint
Auto Update Or Remove Assets - RiskIQ Digital Footprint	This playbook automatically updates or removes the provided asset(s) from the RiskIQ Digital Footprint inventory according to the values provided. Use this playbook as a sub playbook and loop over each asset in the asset list in order to update or remove multiple assets. Supported integration: - RiskIQ Digital Footprint
Autofocus - File Indicators Hunting	The playbook queries the PANW Autofocus session and samples log data for file indicators such as MD5, SHA256, and SHA1 hashes. A simple search mode is used to query Autofocus based on the file indicators specified in the playbook inputs. Advanced search mode queries can also be used with multiple query parameters, but require all field names, parameters, and operators (JSON format) to be specified. We recommended using the Autofocus UI to create an advanced query, exporting it, and pasting it into the relevant playbook inputs. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Autofocus - Hunting And Threat Detection	The playbook queries the PANW Autofocus session and samples log data for file and traffic indicators, such as SHA256, SHA1, MD5, IP addresses, URLs, and domains. A simple search mode queries Autofocus based on the indicators specified in the playbook inputs. Advanced queries can also use with multiple query parameters, but require all field names, parameters, and operators (JSON format) to be specified. We recommended using the Autofocus UI to create an advanced query, exporting it, and pasting it into the relevant playbook inputs. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Autofocus - Traffic Indicators Hunting	The playbook queries the PANW Autofocus session and samples log data for traffic indicators such as URLs, IP addresses, and domains. A simple search mode queries Autofocus based on the traffic indicators specified in the playbook inputs. Advanced search mode queries can also be used with multiple query parameters, but require all field names, parameters, and operators (JSON format) to be specified. We recommended using the Autofocus UI to create an advanced query, exporting it, and pasting it into the relevant playbook inputs. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Autofocus Query Samples, Sessions and Tags	This playbook is used for querying the PANW threat intelligence Autofocus system. The playbook accepts indicators such as IP's, hashes, domains to run basic queries or mode advanced queries that can leverage several query parameters. In order to run the more advanced queries its recommended to use the Autofocus UI https://autofocus.paloaltonetworks.com/#/dashboard/organization to created a query and than use the export search button. The result can be used as a playbook input. The playbook supports searching both the Samples API and the sessions API.
AutoFocusPolling	Use this playbook as a sub-playbook to query PANW Autofocus Threat intelligence system. This sub-playbook is the same as the generic polling sub-playbook besides that it provides outputs in the playbook. The reason for that is that in Autofocus its impossible to query the results of the same query more than once so the outputs have to be in the polling context. This playbook implements polling by continuously running the command in Step #2 until the operation completes. The remote action should have the following structure: 1. Initiate the operation. 2. Poll to check if the operation completed. 3. (optional) Get the results of the operation.
AWS - Enrichment	Given the IP address this playbook enriches EC2 and IAM information.
AWS - Package Upgrade	This playbook upgrades supported packages on an AWS EC2 instance using AWS Systems manager.
AWS - Security Group Remediation	Replace current security groups with limited access security groups.
AWS - Security Group Remediation v2	This playbook takes in some information about an EC2 instance (ID and public_ip) and with provided port and protocol, determines what security groups on the primary interface of an EC2 instance are over-permissive. It uses an automation to determine what interface on an EC2 instance has an over-permissive security group on, determine which security groups have over-permissive rules and to replace them with a copy of the security group that has only the over-permissive portion removed. Over-permissive is defined as sensitive ports (SSH, RDP, etc) being exposed to the internet via IPv4.
AWS - Unclaimed S3 Bucket Remediation	The playbook will create the unclaimed S3 bucket.
AWS - Unclaimed S3 Bucket Validation	The playbook sends a HTTP get response to the hostname and validates if there is missing bucket information.
AWS - User Investigation	This playbook performs an investigation on a specific user in AWS environments, using queries and logs from AWS CloudTrail to locate the following activities performed by the user: - Failed login attempt - Suspicious activities - API access denied - Administrative user activities - Security rules and policies changes - Access keys and access token activities - Script-based user agent usage - User role changes activities - MFA device changes activities
AWS IAM - User enrichment	Enrich AWS IAM user information from AWS Identity and Access Management. - List user access keys - Get user information
AWS IAM User Access Investigation	Deprecated. Use `Cloud IAM User Access Investigation` instead. Investigate and respond to Cortex XSIAM alerts where an AWS IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS environments. - Penetration testing tool attempt - Penetration testing tool activity - Suspicious API call from a Tor exit node This is a beta playbook, which lets you implement and test pre-release software. Although AWS is supported, we are working towards multi-cloud support. As the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We encourage feedback on the quality and usability of the content to help us identify and fix issues, so we can continually improve the content.
AWS IAM User Access Investigation - Remediation	Deprecated. Use `Cloud IAM User Access Investigation` instead. Respond to Cortex XDR Cloud alerts where an AWS IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS environments. - Penetration testing tool attempt - Penetration testing tool activity - Suspicious API call from a Tor exit node This is a beta playbook, which lets you implement and test pre-release software. Although AWS is supported, we are working towards multi-cloud support. As the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We encourage your feedback on the quality and usability of the content to help us identify and fix issues, so we can continually improve the content.
Azure - Enrichment	Given an IP address, this playbook enriches Azure Compute, Microsoft Graph User, and IAM information and outputs Azure Compute, Microsoft Graph User, and IAM information.
Azure - Network Security Group Remediation	This playbook adds new Azure Network Security Groups (NSG) rules to NSGs attached to a NIC. The new rules will give access only to a private IP address range and block traffic that's exposed to the public internet (using the private IP of the VM as stated in Azure documentation). For example, if RDP is exposed to the public internet, this playbook adds new firewall rules that only allow traffic from private IP addresses and blocks the rest of the RDP traffic. Conditions and limitations: - Limited to one resource group. - 200 Azure rules viewed at once to find offending rule. - 2 priorities lower than the offending rule priority must be available. - Adds rules to NSGs associated to NICs.
Azure - User Investigation	This playbook performs an investigation on a specific user in Azure environments, using queries and logs from Azure Log Analytics to locate the following activities performed by the user: - Script-based user agent usage - Administrative user activities - Security rules and policies changes - Failed login attempt - MFA failed login attempt - Login attempt from an uncommon country - Anomalies activities - Risky users - Uncommon high volume of actions - Action uncommonly performed by the user
Azure AD account unlock or password reset	This playbook addresses the following alert: - Azure AD account unlock/successful password reset Playbook Stages: Triage: - Gather initial information about the user. Investigation: - Check IP Reputation: - Analyze the reputation of the IP address related to the alert. - Check for Azure Alerts: - Extract recent Azure security alerts for the user. - Check if User is Risky: - Assess the risk score of the user based on Core and Azure risk indicators. - Investigate reasons behind any identified risks, including recent detections. Containment: - Check if feature sum is greater than 2 (Possible features:new user agent/new asn/new country). If yes, continue to revoke user's active sessions to ensure immediate containment. If no, continue to check investigation findings. - Provide a manual task for an analyst to review the findings and decide the next steps. - Possible actions: - Disable the target user. - Disable the resource user. - Disable both users. - Take no action. Requirements: For the best results, it's recommended to ensure these integrations are configured and working: - `Cortex Core - Investigation and Response` for Core user risk evaluation. - `Azure Risky Users` for retrieving user risk scores. - `Microsoft 365 Defender` for advanced hunting queries and Azure security alerts. - `Microsoft Graph User` for disabling accounts and revoking sessions.
Azure Log Analytics - Query From Saved Search	Executes a query from a saved search in Azure Log Analytics.
Azure-DevOps-Pipeline-Run	Deprecated. Use azure-devops-pipeline-run command instead.
BeyondTrust Retrieve Credentials	Playbook for retrieving credentials for BeyondTrust Password Safe
Block Account - Generic	Deprecated. Use 'Block Account - Generic v2' instead. This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: Active Directory PAN-OS - This requires PAN-OS 9.1 or higher.
Block Account - Generic v2	This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: Active Directory PAN-OS - This requires PAN-OS 9.1 or higher. SailPoint PingOne AWS IAM Clarizen IAM Envoy IAM ExceedLMS IAM Okta Microsoft Graph User (Azure Active Directory Users) Google Workspace Admin Slack IAM ServiceNow IAM Prisma Cloud IAM Zoom IAM Atlassian IAM * GitHub IAM.
Block Domain - Cisco Stealthwatch	This playbook blocks domains using Cisco Stealthwatch Cloud.
Block Domain - External Dynamic List	This playbook blocks domains using External Dynamic Link. The playbook adds a tag to the inputs domain indicators. the tagged domains can be publish as External Dynamic list that can be added to blocklist using products like Panorama by Palo Alto Networks. For Panorama - You can block the tagged domains by creating EDL(in Panorama) with the XSOAR EDL Url, and assign it to Anti-Spyware profile under "DNS Signature Policies"
Block Domain - FireEye Email Security	This playbook blocks domains using FireEye Email Security. The playbook checks whether the FireEye Email Security integration is enabled, whether the Domain input has been provided and if so, blocks the domain.
Block Domain - Generic	Deprecated. Use 'Block Domain - Generic v2' instead. This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook: Zscaler Symantec Messaging Gateway FireEye EX Trend Micro Apex One * Proofpoint Threat Response
Block Domain - Generic v2	This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook: Zscaler Symantec Messaging Gateway FireEye EX Trend Micro Apex One Proofpoint Threat Response Cisco Stealthwatch Cloud
Block Domain - Proofpoint Threat Response	This playbook blocks domains using Proofpoint Threat Response. The playbook checks whether the Proofpoint Threat Response integration is enabled, whether the Domain input has been provided and if so, blocks the domain.
Block Domain - Symantec Messaging Gateway	This playbook blocks domains using Symantec Messaging Gateway. The playbook checks whether the Symantec Messaging Gateway integration is enabled, whether the Domain input has been provided and if so, blocks the domain.
Block Domain - Trend Micro Apex One	This playbook blocks domains using Trend Micro Apex One. The playbook checks whether the Trend Micro Apex One integration is enabled, whether the Domain input has been provided and if so, blocks the domain.
Block Domain - Zscaler	This playbook blocks domains using Zscaler. The playbook checks whether the Zscaler integration is enabled, whether the Domain input has been provided and if so, blocks the domain.
Block Email - Generic	Deprecated. Use 'Block Email - Generic v2' instead. This playbook will block emails at your mail relay integration.
Block Email - Generic v2	This playbook will block emails at your mail relay integration. Supported integrations for this playbook: Mimecast FireEye Email Security (EX) Cisco Email Security Symantec Email Security
Block Endpoint - Carbon Black Response	Deprecated. Use the `Block Endpoint - Carbon Black Response V2.1` playbook instead. Carbon Black Response - isolate an endpoint, given a hostname.
Block Endpoint - Carbon Black Response V2	Deprecated. Use the `Block Endpoint - Carbon Black Response V2.1` playbook instead. Carbon Black Response - isolates an endpoint for a given hostname.
Block Endpoint - Carbon Black Response V2.1	Carbon Black Response - isolates an endpoint for a given hostname.
Block File - Carbon Black Response	This playbook receives an MD5 hash and adds it to the block list in Carbon Black Enterprise Response. Files with that MD5 hash are blocked from execution on the managed endpoints. If the hash is already on the block list, no action is taken on the MD5. The playbook uses the integration ''VMware Carbon Black EDR v2".
Block File - Cybereason	This playbook accepts an MD5 hash and blocks the file using the Cybereason integration.
Block File - Cylance Protect v2	This playbook accepts a SHA256 hash and adds the hash to the Global Quarantine list using the Cylance Protect v2 integration.
Block File - Generic	Deprecated. Use "Block File - Generic v2" playbook instead. A generic playbook for blocking files from running on endpoints. This playbook currently supports Carbon Black Enterprise Response.
Block File - Generic v2	This playbook is used to block files from running on endpoints. This playbook supports the following integrations: - Palo Alto Networks Traps - Palo Alto Networks Cortex XDR - Cybereason - Carbon Black Enterprise Response - Cylance Protect v2 - Crowdstrike Falcon - Microsoft Defender for Endpoint.
Block Indicators - Generic	Deprecated. We recommend using the 'Block Indicators - Generic v2' playbook instead. This playbook blocks malicious indicators using all integrations that are enabled. Supported integrations for this playbook: Active Directory Check Point Firewall Palo Alto Networks Minemeld Palo Alto Networks Panorama Zscaler Carbon Black Enterprise Response
Block Indicators - Generic v2	Deprecated. Use the `Block Indicators - Generic V3` playbook instead. This playbook blocks malicious Indicators using all integrations that are enabled, using the following sub-playbooks: - Block URL - Generic - Block Account - Generic - Block IP - Generic v2 - Block File - Generic v2 - Block Email - Generic - Block Domain - Generic
Block Indicators - Generic v3	This playbook blocks malicious indicators using all integrations that are enabled, using the following sub-playbooks: - Block URL - Generic v2 - Block Account - Generic v2 - Block IP - Generic v3 - Block File - Generic v2 - Block Email - Generic v2 - Block Domain - Generic v2.
Block IOCs from CSV - External Dynamic List	Deprecated. Use Generic Export Indicators Service instead.
Block IP - Generic	Deprecated. Use "Block IP - Generic v2" playbook instead. This playbook blocks malicious IPs using all integrations that you have enabled. Supported integrations for this playbook: Check Point Firewall Palo Alto Networks Minemeld Palo Alto Networks Panorama Zscaler
Block IP - Generic v2	Deprecated. Use the `Block IP - Generic v3` playbook instead. This playbook blocks malicious IPs using all integrations that are enabled. Supported integrations for this playbook: Check Point Firewall Palo Alto Networks Minemeld Palo Alto Networks PAN-OS Zscaler * FortiGate
Block IP - Generic v3	This playbook blocks malicious IP addresses using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user (and set by default to outgoing) Note the following: - some of those integrations require specific parameters to run, which are based on the playbook inputs. Also, certain integrations use FW rules or appended network objects. - Note that the appended network objects should be specified in blocking rules inside the system later on. Supported integrations for this playbook [Network security products such as FW/WAF/IPs/etc.]: Check Point Firewall Palo Alto Networks PAN-OS Zscaler FortiGate Aria Packet Intelligence Cisco Firepower Cisco Secure Cloud Analytics Cisco ASA Akamai WAF F5 SilverLine ThreatX Signal Sciences WAF * Sophos Firewall.
Block URL - Generic	Deprecated. Use 'Block URL - Generic v2' instead.
Block URL - Generic v2	This playbook blocks malicious URLs using all integrations that are enabled. Supported integrations for this playbook: Palo Alto Networks PAN-OS Zscaler Sophos Forcepoint Checkpoint Netcraft.
Bonusly - AutoGratitude	AutoGratitude is a playbook to give back a positive gratitude to security engineers and developers when they successfully complete an SLA
BreachRx - Create Incident and get Active Tasks	This Playbook creates a privacy Incident on the BreachRx platform, and pulls in all tasks from that created privacy Incident into the Cortex XSOAR Incident.
Brute Force Investigation - Generic	This playbook investigates a "Brute Force" incident by gathering user and IP information, calculating the incident severity based on the gathered information and information received from the user, and performs remediation. The playbook handles the following use-cases: Brute Force IP Detected - A detection of source IPs that are exceeding a high threshold of rejected and/or invalid logins. Brute Force Increase Percentage - A detection of large increase percentages in various brute force statistics over different periods of time. * Brute Force Potentially Compromised Accounts - A detection of accounts that have shown high amount of failed logins with one successful login. Used Sub-playbooks: - IP Enrichment - Generic v2 - Account Enrichment - Generic v2.1 - Calculate Severity - Critical Assets v2 - Isolate Endpoint - Generic v2 - Block Indicators - Generic v3
Brute Force Investigation - Generic - SANS	This playbook investigates a "Brute Force" incident by gathering user and IP information, and calculating the incident severity based on the gathered information and information received from the user. It then performs remediation. This is done based on the phases for handling an incident as they are described in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 The playbook handles the following use-cases: Brute Force IP Detected - A detection of source IPs that are exceeding a high threshold of rejected and/or invalid logins. Brute Force Increase Percentage - A detection of large increase percentages in various brute force statistics over different periods of time. * Brute Force Potentially Compromised Accounts - A detection of accounts that have shown high amount of failed logins with one successful login. Used Sub-playbooks: - IP Enrichment - Generic v2 - Account Enrichment - Generic v2.1 - Calculate Severity - Critical Assets v2 - Isolate Endpoint - Generic v2 - Block Indicators - Generic v3 - SANS - Lessons Learned ***Disclaimer: This playbook does not ensure compliance to SANS regulations.
Bulk Export Devices to ServiceNow - PANW IoT 3rd Party Integration	This playbook gets all available devices from PANW IoT Cloud and updates/creates endpoints with custom attributes in ServiceNow.
Bulk Export to Cisco ISE - PANW IoT 3rd Party Integration	This playbook gets all available device inventory from PANW IoT Cloud and updates/create endpoints with custom attributes on Cisco ISE.
Bulk Export to SIEM - PANW IoT 3rd Party Integration	This playbook gets all available assets ( alerts, vulnerabilities and devices) and send then to configured PANW third-party integration SIEM server.
C2SEC-Domain Scan	Launches a C2sec scan by domain name and waits for the scan to finish by polling its status in pre-defined intervals.
Calculate Severity - 3rd-party integrations	Calculates the incident severity level according to the methodology of a 3rd-party integration.
Calculate Severity - Cortex XDR Risky Assets	Calculates a severity for the incident based on the involvement of risky users or risky hosts in the incident, as determined by the Cortex XDR ITDR module.
Calculate Severity - Critical assets	Deprecated. Use Calculate Severity - Critical Assets v2 playbook instead. Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of \"Critical\" if a critical asset is associated with the investigation.\n\nThis playbook verifies if a user account or an endpoint is part of a critical list or a critical AD group.
Calculate Severity - Critical Assets v2	Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation. Critical assets refer to: users, user groups, endpoints and endpoint groups.
Calculate Severity - Generic	Deprecated. Use "Calculate Severity - Generic v2" playbook instead. Calculates and assign the incident severity based on the highest returned severity level from the following severity calculations: Indicators DBotScore - Calculates the incident severity level according to the highest indicator DBotScore. Critical assets - Determines if a critical assest is associated with the invesigation. * 3rd-party integrations - Calculates the incident severity level according to the methodology of a 3rd-party integration. NOTE: the new severity level overwrites the previous severity level even if the previous severity level was more severe.
Calculate Severity - Generic v2	Calculate and assign the incident severity based on the highest returned severity level from the following calculations: - DBotScores of indicators - Critical assets - Email authenticity - Current incident severity - Microsoft Headers - Risky users (XDR) - Risky hosts (XDR).
Calculate Severity - GreyNoise	Calculate and assign the incident severity based on the highest returned severity level from the following calculations: - DBotScores of indicators - Current incident severity
Calculate Severity - Indicators DBotScore	Calculates the incident severity level according to the highest indicator DBotScore.
Calculate Severity - Standard	Calculates and sets the incident severity based on the combination of the current incident severity, and the severity returned from the Calculate Severity By Highest DBotScore playbook.
Calculate Severity By Email Authenticity	Calculates a severity according to the verdict coming from the CheckEmailAuthenticity script.
Calculate Severity By Highest DBotScore	Calculates the incident severity level according to the highest DBotScore.
Calculate Severity Highest DBotScore For Egress Network Traffic - GreyNoise	Playbook to calculate the severity based on GreyNoise
Calculate Severity Highest DBotScore For Ingress Network Traffic - GreyNoise	Playbook to calculate the severity based on GreyNoise
Caldera Operation	This playbook is used to create a new Operation in Mitre Caldera.
California - Breach Notification	This playbook helps an analyst determine if the breached data meets the criteria for breach notification according to California law, and, if necessary, follows through with the notification procedures. DISCLAIMER: Please consult with your legal team before implementing this playbook. Source: http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82.
Carbon Black EDR Search Process	Deprecated. Use 'cb-eedr-process-search' command instead. This playbook implements polling by continuously running the `cb-eedr-process-search-results` command until the operation completes.
Carbon black Protection Rapid IOC Hunting	Hunt for endpoint activity involving hash and domain IOCs, using Carbon black Protection (Bit9).
Carbon Black Rapid IOC Hunting	Deprecated. Use "Search Endpoints By Hash - Carbon Black Response V2" playbook instead. Hunt for malicious indicators using Carbon Black
Carbon Black Response - Unisolate Endpoint	This playbook unisolates sensors according to the sensor ID that is provided in the playbook input.
Case Management - Generic	This playbook executes when no other playbook is associated with an incident. It enriches indicators in an incident using one or more integrations.
Case Management - Generic - Send On Call Notification	This playbook can be used to send email notification if an Incidents severity is Critical or High. Can be used as a sub-playbook to perform the same logic across different playbooks/use cases.
Case Management - Generic - Set SLAs based on Severity	Sets the SLAs for Incidents, the Time to Assignment Timer, and the Remediation SLA Timer based on the Incident Severity.
Case Management - Generic - Start SLA Timers	This playbook will start the Time to Assignment or Remediation SLA timers based on whether an Owner is assigned to the Incident. Can be used as a sub-playbook to perform the same logic across different playbooks/use cases.
Case Management - Generic v2	This playbook will extract and enrich indicators upon trigger, calculate Severity, and set SLAs and Timers. Can be used as a default playbook to ingest new Incidents, or for manually created Incidents.
Change Management	If you are using PAN-OS/Panorama firewall and Jira or ServiceNow as a ticketing system this playbook is a perfect match for your change management for Firewall process. This playbook can be triggered by 2 different options - a fetch from ServiceNow or Jira - and will help you manage and automate your change management process.
Check For Content Installation	This playbook checks for content updates.
Check Incydr Status and Close XSOAR Incident	Loops through open XSOAR incidents and closes incidents created from Incydr alerts that are now dismissed.
Check Indicators For Unknown Assets - RiskIQ Digital Footprint	This playbook receives indicators from its parent playbook and checks if the indicator is an unknown or a known asset in the RiskIQ Digital Footprint inventory and gives out a list of the unknown as well as known assets. This playbook cannot be run in quiet mode. This playbook needs to be used with caution as it might use up the integration’s API license when running for large amounts of indicators. Supported integration: - RiskIQ Digital Footprint
Check IP Address For Whitelisting - RiskIQ Digital Footprint	Checks if the provided IP Address should be added to allow list and excluded or not. Use this playbook as a sub-playbook to loop over multiple IP Addresses to check if they should be added to allow list and excluded.
Checkpoint - Block IP - Append Group	The playbook receives malicious IP addresses as inputs, checks if the object group exists (if not, the object group is created), and appends the related IPs to that object. If you have not assigned the appended group to a rule in your firewall policy, you can use `rule_name` and the playbook creates a new rule.
Checkpoint - Block IP - Custom Block Rule	This playbook blocks IP addresses using Custom Block Rules in Check Point Firewall. The playbook receives malicious IP addresses as inputs, creates a custom bi-directional rule to block them, and publishes the configuration.
Checkpoint - Block URL	This playbook blocks URLs using Check Point Firewall through Custom URL Categories. The playbook checks whether the input URL category already exists, and if the URLs are a part of this category. Otherwise, it creates the category, blocks the URLs, and publishes the configuration.
Checkpoint - Publish&Install configuration	Publish the Check Point Firewall configuration and install policy on all available gateways.
Checkpoint Firewall Configuration Backup Playbook	Deprecated. Triggers a backup task on each firewall appliance and pulls the resulting file into the war room via SCP.
CheckPointHEC Get email for incident	Get email entity for a specific incident.
ChronicleAsset Investigation - Chronicle	This playbook receives indicators from its parent playbook, performs enrichment and investigation for each one of them, provides an opportunity to isolate and block the hostname or IP address associated with the current indicator, and gives out a list of isolated and blocked entities. This playbook also lists the events fetched for the asset identifier information associated with the indicator.
ChronicleAssets Investigation And Remediation - Chronicle	Performs enrichment and investigation of the ChronicleAsset type of indicators, provides an opportunity to remediate in case any of the ChronicleAsset information i.e., hostname or IP address is found to be malicious or suspicious, and sends out an email containing the list of isolated and potentially blocked entities. To select the indicators you want to add, go to playbook inputs, choose "from indicators" and set your query. For example, type:ChronicleAsset etc. The default playbook query is "type:ChronicleAsset". In case indicators with different query parameters are to be investigated, the query must be edited accordingly. This playbook needs to be used with caution as it might use up the integration’s API license when running large amounts of indicators.
CimTrak - Example - Analyze Intrusion	Example to analyze intrusion
CimTrak - Example - Scan Compliance By IP	Example on how to run a compliance scan for an agent based on IP address
Cisco FirePower- Append network group object	This playbook will append a network group object with new elements (IPs or network objects).
Claroty Incident
Claroty Manage Asset CVEs
Cloaked Ursa Diplomatic Phishing Campaign	## Cloaked Ursa: Targeting Diplomatic Missions with Phishing Lures Summary: Cloaked Ursa, a hacking group associated with Russia's Foreign Intelligence Service, has been persistently targeting diplomatic missions globally. Using phishing tactics, Their initial access attempts over the past two years have predominantly used phishing lures with a theme of diplomatic operations such as the following: - Notes verbale (semiformal government-to-government diplomatic communications) - Embassies’ operating status updates - Schedules for diplomats - Invitations to embassy events Recently, Unit42 researchers observed a shift in their strategy, with a focus on targeting diplomats themselves. In Kyiv alone, at least 22 out of over 80 foreign missions were targeted. This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the Cloaked Ursa (APT29) Diplomatic Phishing Campaign playbook and Rapid Breach Response incident type. The playbook includes the following tasks: IoCs Collection - Blog IoCs download Hunting: - Cortex XDR XQL exploitation patterns hunting - Advanced SIEM exploitation patterns hunting - Indicators hunting The hunting queries are searching for the following activities: - Related LNK files execution command line - Dropped file names Mitigations: - Unit42 mitigation measures References: Diplomats Beware: Cloaked Ursa Phishing With a Twist
Close All Duplicate XSOAR Incidents - Vectra Detect	This playbook will clean up all incidents in XSOAR by closing duplicate incidents from Vectra Detect.
Close Duplicate XSOAR Incidents - Vectra Detect	This playbook is called from the Close All Duplicate XSOAR Incidents - Vectra Detect playbook. It will close the duplicate incidents in XSOAR and resolve its assignment in Vectra.
Close Related XSOAR and Incydr Incidents	Checks for open XSOAR incidents associated with Incydr alerts and passes them to the Check Incydr Status and Close XSOAR Incident playbook.
Cloud Compute Enrichment - Generic	This playbook provides a generic enrichment of AWS, GCP, and Azure compute resources.
Cloud Credentials Rotation - AWS	## AWS Credentials Rotation Playbook ### Identity Remediation Secure compromised accounts by taking swift action: - Reset Password: Resets the user password to halt any unauthorized access. - Access Key Deactivation: Deactivate any suspicious or known-compromised access keys. - Combo Action: In some cases, you may want to reset both the password and deactivate the access key for absolute security. ### Role Remediation If a role is suspected to be compromised: - Deny Policy Implementation: Attach a deny-all policy to the compromised role, thus preventing it from performing any further actions. - Role Cloning: Before outright remediation, clone the role. This ensures that you have a backup with the same permissions, making transition smoother.
Cloud Credentials Rotation - Azure	## Azure Credentials Rotation Playbook ### IAM Remediation Protect your identity and access management: - Reset Password: Resets the user password to halt any unauthorized access. - Revoke Session: Terminates current active sessions to ensure the malicious actor is locked out. - Combo Action: Resets the password and terminates all active sessions. ### Service Principal Remediation Guard your applications: - Password Regeneration: Generate a new password for the service principal, making sure the old one becomes obsolete.
Cloud Credentials Rotation - GCP	## GCP Credentials Rotation Playbook ### IAM Remediation For compromised service accounts: - Access Key Disabling: Immediately disable the compromised service account access key. - New Key Generation: After ensuring the old key is disabled, generate a new access key. ### GSuite Admin Remediation Admin accounts are crucial: - Reset Password: Resets the user password to halt any unauthorized access. - Revoke Access Token: Revoke any suspicious or unauthorized access tokens. - Combo Action: Reset the password and revoke access tokens to ensure complete safety.
Cloud Credentials Rotation - Generic	## Cloud Credentials Rotation - Generic This comprehensive playbook combines the remediation steps from AWS, Azure, and GCP sub-playbooks into a single, cohesive guide. Regardless of which Cloud Service Provider (CSP) you're working with, this playbook will direct you to the relevant steps, ensuring swift and effective response. The primary objective is to offer an efficient way to address compromised credentials across different cloud platforms. By consolidating the key steps from AWS, Azure, and GCP, it minimizes the time spent searching for platform-specific procedures and accelerates the remediation process, ensuring the highest level of security for your cloud environments. ## Integrations for Each Sub-Playbook In order to seamlessly execute the actions mentioned in each sub-playbook, specific integrations are essential. These integrations facilitate the automated tasks and processes that the playbook carries out. Here are the required integrations for each sub-playbook: ### AWS Sub-Playbook: 1. AWS - IAM: Used to manage AWS Identity and Access Management. 2. AWS - EC2: Essential for managing Amazon Elastic Compute Cloud (EC2) instances. ### GCP Sub-Playbook: 1. Google Workspace Admin: Manages users, groups, and other entities within Google Workspace. 2. GCP-IAM: Ensures management and control of GCP's Identity and Access Management. ### Azure Sub-Playbook: 1. Microsoft Graph Users: Manages users and related entities in Microsoft Graph. 2. Microsoft Graph Applications: Manages applications within Microsoft Graph.
Cloud Data Exfiltration Response	## Cloud Data Exfiltration Response The Cloud Data Exfiltration Response playbook is designed to address data exfiltration activity alerts in the cloud environment. This playbook is intended for handling "An identity performed a suspicious download of multiple cloud storage object" alert. The playbook supports AWS, GCP, and Azure and executes the following: - Enrichment involved assets. - Determines the appropriate verdict based on the data collected from the enrichment. - Cloud Persistence Threat Hunting: - Conducts threat hunting activities to identify any cloud persistence techniques - Verdict Handling: - Handles false positives identified during the investigation - Handles true positives by initiating appropriate response actions
Cloud Enrichment - Generic	## Generic Cloud Enrichment Playbook The Cloud Enrichment - Generic Playbook is designed to unify all the relevant playbooks concerning the enrichment of information in the cloud. It provides a standardized approach to enriching information in cloud environments. ### Supported Blocks 1. Cloud IAM Enrichment - Generic - Enriches information related to Identity and Access Management (IAM) in the cloud. 2. Cloud Compute Enrichment - Generic - Enriches information related to cloud compute resources. The playbook supports a single CSP enrichment at a time.
Cloud IAM Enrichment - Generic	This playbook is responsible for collecting and enriching data on Identity Access Management (IAM) in cloud environments (AWS, Azure, and GCP).
Cloud IAM User Access Investigation	Investigate and respond to Cortex XSIAM alerts where a Cloud IAM user access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS, Azure, and GCP environments. Penetration testing tool attempt Penetration testing tool activity Suspicious API call from a Tor exit node
Cloud IDS-IP Blacklist-GCP Firewall_Append	Set a list of IP addresses in GCP firewall.
Cloud IDS-IP Blacklist-GCP Firewall_Combine	Set a list of IP addresses in GCP firewall.
Cloud IDS-IP Blacklist-GCP Firewall_Extract	Get Source IP
Cloud Response - AWS	This playbook provides response actions to AWS. The following are available for execution automatically/manually: - Resource remediation: - Terminate the instance - Stop the instance - Identity remediation: - Delete the user - Revoke the user's credentials - Access key remediation: - Disable the access key - Delete the access key - Block indicators.
Cloud Response - Azure	This playbook provides response actions to Azure. The following are available for execution automatically/manually: - Resource remediation - Delete the instance - Power off the instance - Identity remediation: - Disable the user - Delete the user - Block indicators.
Cloud Response - GCP	This playbook provides response actions to GCP. The following are available for execution automatically/manually: - Resource remediation: - Delete the instance - Stop the instance - Identity remediation: - Disable the user - Delete the user - Access key remediation: - Disable the access key - Delete the access key - Block indicators.
Cloud Response - Generic	This playbook provides response playbooks for: - AWS - Azure - GCP The response actions available are: - Terminate/Shut down/Power off an instance - Delete/Disable a user - Delete/Revoke/Disable credentials - Block indicators
Cloud Threat Hunting - Persistence	--- ## Cloud Threat Hunting - Persistence Playbook The playbook is responsible for hunting persistence activity in the cloud. It supports AWS, GCP, and Azure - one at a time. ### Hunting Queries The playbook executes hunting queries for each provider related to each of the following: 1. IAM 2. Compute Resources 3. Compute Functions ### Indicator Extraction If relevant events are found during the search, indicators will be extracted using the `ExtractIndicators-CloudLogging` script. ---
Cloud Token Theft - Set Verdict	--- ## Cloud Token Theft - Set Verdict Playbook The playbook is built from a decision tree whose ultimate goal is to decide whether the observed activity is malicious. ### Event Search The playbook searches for events based on the attacker's IP address within the last two hours. ### Tests Performed The following tests are performed on the observed activity: 1. Malicious IP Check: Determines if the IP address is malicious. 2. CSP ASN Check: Checks if the activity was performed from an Autonomous System Number (ASN) belonging to one of the Cloud Service Providers (CSPs). 3. IP and ASN History Check: Verifies if the IP address and ASN have been previously observed. 4. Region Check: Determines if the API call was made from outside the recognized region. 5. Anomalous State Check: Checks if the API call was made from an anomalous state. 6. Alert Check: Looks for any related alerts around the event, including: - Possible cloud instance metadata service (IMDS) abuse. - Impossible Traveler by cloud identity. ---
Cloud Token Theft Response	--- ## Cloud Token Theft Response Playbook The Cloud Token Theft Response Playbook provides a structured and comprehensive flow to effectively respond to and mitigate alerts involving the theft of cloud tokens. The playbook supports AWS, GCP, and Azure and executes the following: Cloud Enrichment: - Enriches the involved resources - Enriches the involved identities - Enriches the involved IPs Verdict Decision Tree: - Determines the appropriate verdict based on the investigation findings Early Containment using the Cloud Response - Generic Playbook: - Implements early containment measures to prevent further impact Cloud Persistence Threat Hunting: - Conducts threat hunting activities to identify any cloud persistence techniques Enriching and Responding to Hunting Findings: - Performs additional enrichment and responds to the findings from threat hunting Verdict Handling: - Handles false positives identified during the investigation - Handles true positives by initiating appropriate response actions ---
Cloud User Investigation - Generic	This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging.
CloudConvert - Convert File	Use this playbook to convert a file to the required format using CloudConvert.
Cluster Report Categorization - Cofense Triage v3	Cluster Report Categorization playbook is used to retrieve the reports of specific clusters and perform the categorization of reports.
Code42 Add Departing Employee From Ticketing System v2	Parses a Ticket Summary containing a username='username' and optionally a departure='date' and adds the user to the Code42 Departing Employee list. This playbook uses Jira out-of-the-box, but you can swap it with a different Ticketing system and achieve the same result. For example, to use Zendesk, change the command `jira-get-issue` to be `zendesk-ticket-details` and use the `id` parameter for `issueId`. Change the output (what gets parsed) to be either the Subject or the Description from Zendesk.
Code42 Copy File To Ticketing System v2	Downloads a file from Code42 and attaches it to a ticketing system. This playbook uses Jira out-of-the-box, but you can swap it with a different Ticketing system and achieve the same result. For example, to use ServiceNow, change the command `jira-issue-upload-file` to be `servicenow-upload-file` and use the `id` parameter for `issueId` and `file_id` for `entryId`.
Code42 Exfiltration Playbook	The Code42 Exfiltration playbook acts on Code42 Security Alerts, retrieves file event data, and allows security teams to remediate file exfiltration events by revoking access rights to cloud files or containing endpoints.
Code42 File Download	This playbook downloads a file via Code42 by either MD5 or SHA256 hash.
Code42 File Search	This playbook searches for files via Code42 security events by either MD5 or SHA256 hash. The data is output to the Code42.SecurityData context for use.
Code42 File Search v2	This playbook searches for files via Code42 security events by either MD5 or SHA256 hash. The data is output to the Code42.FileEvents context for use.
Code42 Security Alert	Retrieves Incydr alert details, assigns the alert to an analyst, and gathers employee and supervisor data from Active Directory, if applicable. Note: this playbook can be used as an alternate default to "Code42 Exfiltration Playbook" when the Code42 Incydr integration is set to "Fetch Incidents".
Code42 Suspicious Activity Action v2	Take corrective actions against a Code42 user found to be exposing file data.
Code42 Suspicious Activity Review v2	Detects suspicious activities of a user and allows a recipient to assess the results. Afterward, the playbook takes action on the user such as adding them to legal hold.
Codecov Breach - Bash Uploader	This playbook includes the following tasks: - Search for the Security Notice email sent from Codecov. - Collect indicators to be used in your threat hunting process. - Query network logs to detect related activity. - Search for the use of Codecov bash uploader in GitHub repositories - Query Panorama to search for logs with related anti-spyware signatures - Data Exfiltration Traffic Detection - Malicious Modified Shell Script Detection Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Codecov Security Notice
Command-Line Analysis	This playbook takes a command line from the alert and performs the following actions: - Checks for base64 string and decodes if exists - Extracts and enriches indicators from the command line - Checks specific arguments for malicious usage At the end of the playbook, it sets a possible verdict for the command line, based on the finding: 1. Indicators found in the command line 2. Found AMSI techniques 3. Found suspicious parameters 4. Usage of malicious tools 5. Indication of network activity 6. Indication of suspicious LOLBIN execution 7. Suspicious path and arguments in the command line Note: To run this playbook with a list of command lines, set this playbook to run in a loop. To do so, navigate to 'Loop' and check "For Each Input".
Commvault Suspicious File Activity Remediation	Playbook to disable data-aging on commvault client when a threat is detected.
Compare Process Execution Arguments To LOLBAS Patterns	This playbook takes a process name and determines its presence in the LOLBAS repository. It then proceeds to compare the incident command line against known patterns of malicious commands listed in TIM by using LOLBAS feed integration. The playbook outputs results when the similarity between the analyzed command line and the malicious patterns is greater than or equal to the preconfigured StringSimilarity threshold. The playbook offers the flexibility to adjust this threshold through the use of the dedicated playbook input, 'StringSimilarityThreshold'.
Compromise Accounts - User rejected numerous SSO MFA attempts	This playbook addresses the following alerts: - User rejected numerous SSO MFA attempts - Multiple SSO MFA attempts were rejected by a user with suspicious characteristics Playbook Stages: Triage: - The playbook checks the IP address reputation associated with the MFA attempts and gathers related login events. Early Containment: - If the IP address is identified as malicious, the playbook blocks the IP. The investigation continues in parallel to this phase. Investigation: - The playbook performs an in-depth analysis, including: - Assessing the user's risk score to identify potentially compromised accounts. - Checking for an unusually high number of invalid credential attempts, which may indicate brute-force or credential-stuffing activity. - Verifying whether Okta logs indicate a malicious source IP based on Okta's threat intelligence. - Reviewing whether there have been an excessive number of MFA rejections from the user, suggesting potentially compromised behavior. - Looking for abnormal user agent patterns that may indicate suspicious or compromised access methods. - Investigating previous failed Okta login attempts within a specified timeframe to identify patterns. Containment: - If suspicious activity is confirmed, the playbook initiates the following containment actions: - Clears the user's active sessions and expires their password to prevent further unauthorized access. - If a successful login attempt was also detected, the playbook prompts a manual task for an analyst to review and decide on further action. Requirements: For any response actions, the following integration is required: - Okta v2 For early containment actions, the following integration is required: - Palo Alto Networks PAN-OS.
Compromised Credentials Match - Flashpoint	The Compromised Credentials Match playbook uses the details of the compromised credentials ingested from Flashpoint Ignite and authenticates using the Active Directory integration by providing the compromised credentials of the user. It then expires the credentials if it matches, and sends an email alert about the breach. Supported integrations: - Flashpoint - OpenLDAP - Active Directory Query v2
Configuration Setup	Playbook for the configuration incident type.
Containment Plan	This playbook handles the main containment actions available with Cortex XSIAM, including the following sub-playbooks: Containment Plan - Isolate endpoint Containment Plan - Disable account Containment Plan - Quarantine file Containment Plan - Block indicators * Containment Plan - Clear user session (currently, the playbook supports only Okta) Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details.
Containment Plan - Block Indicators	## Containment Plan - Block Indicators This playbook is a sub-playbook within the containment plan playbook. ### Indicator Blocking The playbook block indicators by two methods: 1. It adds the malicious hashes into the XSIAM hash block list 2. It utilizes the sub-playbook "Block Indicators - Generic v3"
Containment Plan - Clear User Sessions	## Containment Plan - Clear User Sessions This playbook is a sub-playbook within the containment plan playbook. The playbook uses the 'Okta v2' and 'MSGraph User' integrations to clear user sessions.
Containment Plan - Disable Account	## Containment Plan - Disable Account This playbook is a sub-playbook within the containment plan playbook. The playbook disables users by utilizing the sub-playbook "Block Account - Generic v2"
Containment Plan - Isolate Device	## Containment Plan - Isolate Device This playbook is a sub-playbook within the containment plan playbook. The playbook isolates devices using core commands.
Containment Plan - Quarantine File	## Containment Plan - Quarantine File This playbook is a sub-playbook within the containment plan playbook. The playbook quarantines files using core commands.
Content Update Check	Deprecated. Use "Content Update Manager" playbook instead. This playbook will check to see if there are any content updates available for installed packs and notify users via e-mail or Slack.
Content Update Manager	This playbook checks for any available content updates for selected installed content packs and notifies users via e-mail or Slack. It also contains an auto-update flow that lets users decide via playbook inputs or communication tasks if they want to trigger an auto-update process to install all updates that were found. This playbook can be used as a Cortex XSOAR job to help users track marketplace pack updates and install them regularly.
Context Polling - Generic	This playbook polls a context key to check if a specific value exists.
Continuously Process Survey Responses	Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve. Continuously processes new questionnaire responses as they are received.
Convert file hash to corresponding hashes	The playbook enables you to get all of the corresponding file hashes for a file even if there is only one hash type available. For example, if we have only the SHA256 hash, the playbook will get the SHA1 and MD5 hashes as long as the original searched hash is recognized by any our the threat intelligence integrations.
Cortex ASM - Active Directory Enrichment	Playbook to enriches Service ownership info in Azure and On-Prem Active Directory.
Cortex ASM - ASM Alert	This playbook handles ASM alerts by enriching asset information and providing a means of remediating the issue directly or through contacting service owners.
Cortex ASM - AWS Enrichment	Given the IP address this playbook enriches AWS information relevant to ASM alerts.
Cortex ASM - Azure Enrichment	Given the IP address, this playbook enriches Azure information relevant to ASM alerts.
Cortex ASM - Certificate Enrichment	Playbook to enrich certificate information.
Cortex ASM - CMDB Enrichment	Deprecated. No available replacement. This playbook will look up a CI in ServiceNow CMDB by IP.
Cortex ASM - Cortex Endpoint Enrichment	This playbook is used to pull information from Cortex Endpoint (XSIAM/XDR) systems for enrichment purposes.
Cortex ASM - Cortex Endpoint Remediation	This playbook is used to isolate a single Cortex Endpoint (XSIAM/XDR) for remediation purposes.
Cortex ASM - Decision	Deprecated. No available replacement. This playbook returns "RemediationAction" options based on meeting "Automated Remediation Requirements" (https://github.com/demisto/content/tree/master/Packs/CortexAttackSurfaceManagement#automated-remediation-requirements) as well as whether ServiceNowV2 integration is set up. Possible return values are: - Prompt base - data collection task with only email/manual options. - Prompt all options - data collection task with all options (meets Automated Remediation requirements and ServiceNow is enabled). - Prompt no snow - all options except ServiceNow (Automated Remediation requirements are met). - Prompt no ar - all options except Automated Remediation (ServiceNow is enabled).
Cortex ASM - Detect Service	Playbook that looks to see if a service ID exists and chooses to start a Remediation Confirmation Scan.
Cortex ASM - Domain Enrichment	Playbook to enrich domain information.
Cortex ASM - Email Notification	This playbook is used to send email notifications to service owners to notify them of their internet exposures.
Cortex ASM - Enrichment	Used as a container folder for all enrichments of ASM alerts.
Cortex ASM - Extract IP Indicator	Deprecated. No available replacement. Identifies IPv4 Address associated with Alert and creates a new Indicator.
Cortex ASM - GCP Enrichment	Given the IP address this playbook enriches GCP and Firewall information.
Cortex ASM - Instant Message	This playbook is used to create instant messages toward service owners to notify them of their internet exposures.
Cortex ASM - Jira Notification	This playbook is used to create Jira tickets directed toward service owners to notify them of their internet exposures.
Cortex ASM - On Prem Enrichment	Given an IP address, port, and protocol of a service, this playbook enriches on-prem integrations to find the related firewall rule and other related information. Conditions: - Multiple integration instances configured at the same time are not supported (Panorama or standalone NGFW). - !pan-os-security-policy-match fails if any firewall is disconnected (Panorama). - Matching on different rules for different firewalls not supported (Panorama).
Cortex ASM - On Prem Remediation	This playbook adds new block rule(s) to on-prem firewall vendors in order to block internet access for internet exposures. Conditions: - Multiple integration instances configured at the same time are not supported (Panorama or standalone NGFW). - Multiple rules with the same name in different device-groups not supported (Panorama). - !pan-os-list-services will fail if there are no services in a specific device-group (Panorama).
Cortex ASM - Prisma Cloud Enrichment	Given the IP address this playbook enriches information from Prisma Cloud.
Cortex ASM - Qualys Enrichment	Given the IP address this playbook enriches information from Qualys assets.
Cortex ASM - Rapid7 Enrichment	Given the IP address this playbook enriches Rapid7 InsightVM (Nexpose) information relevant to ASM alerts.
Cortex ASM - Remediation	This playbook contains all the cloud provider sub playbooks for remediation.
Cortex ASM - Remediation Confirmation Scan	Playbook for Remediation Confirmation Scan (RCS) creation and polling.
Cortex ASM - Remediation Guidance	This playbook pulls remediation guidance off of a list based on ASM RuleID to be used in service owner notifications (email or ticketing system).
Cortex ASM - Remediation Objectives	Playbook that populates the remediation objectives field that is used to display the remediation actions to the end user.
Cortex ASM - Remediation Path Rules	This playbook returns "RemediationAction" options based on the return from the Remediation Path Rules API, or defaults to data collection task.
Cortex ASM - Service Ownership	Identifies and recommends the most likely owners of the service, additionally citing an explanation and ranking score for each.
Cortex ASM - ServiceNow CMDB Enrichment	Given the IP address this playbook enriches ServiceNow CMDB information relevant to ASM alerts.
Cortex ASM - ServiceNow ITSM Enrichment	Given search terms, this playbook will query ServiceNow ticket descriptions and short descriptions over the last 30 days and set users that were found in the assigned_to field in those ServiceNow tickets. Note, the max amount of tickets returned from querying is 100.
Cortex ASM - ServiceNow Notification	This playbook is used to create ServiceNow tickets directed toward service owners to notify them of their internet exposures.
Cortex ASM - SNMP Check	Deprecated. No available replacement.
Cortex ASM - Splunk Enrichment	Given the IP address this playbook enriches information from Splunk results relevant to ASM alerts.
Cortex ASM - Tenable.io Enrichment	Given the IP address this playbook enriches Tenable.io information relevant to ASM alerts.
Cortex ASM - Vulnerability Management Enrichment	Deprecated. No available replacement. This playbook will look up an IP address in Tenable.io or Rapid7 InsightVM.
Cortex VM - ServiceNow CMDB	Given provided indicators (IPs, Hostnames, FQDNs, etc.) this playbook enriches ServiceNow CMDB information relevant to vulnerability issues.
Cortex VM - Vulnerability Issue	This playbook handles vulnerability issues by enriching assets to find potential remediation owners.
Cortex XDR - AWS IAM user access investigation	Deprecated. Use `Cortex XDR - Cloud IAM User Access Investigation` instead. Investigate and respond to Cortex XDR Cloud alerts where an AWS IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS environments. - Penetration testing tool attempt - Penetration testing tool activity - Suspicious API call from a Tor exit node This is a beta playbook, which lets you implement and test pre-release software. At the moment we support AWS but are working towards multi-cloud support. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the content to help us identify issues, fix them, and continually improve.
Cortex XDR - Block File	Use this playbook to add files to Cortex XDR block list with a given file SHA256 playbook input.
Cortex XDR - Check Action Status	Checks the action status of an action ID. \nEnter the action ID of the action whose status you want to know.
Cortex XDR - check file existence	Deprecated. Use `xdr-file-exist-script-execute` command instead. Initiates a new endpoint script execution to check if the file exists and retrieve the results.
Cortex XDR - Cloud Data Exfiltration Response	## Data Exfiltration Response The Data Exfiltration Response playbook is designed to address data exfiltration activity alerts in the cloud environment. This playbook is intended for handling "An identity performed a suspicious download of multiple cloud storage object" alert. The playbook supports AWS, GCP, and Azure and executes the following: - Enrichment involved assets. - Determines the appropriate verdict based on the data collected from the enrichment phase. - Cloud Persistence Threat Hunting: - Conducts threat hunting activities to identify any cloud persistence techniques - Verdict Handling: - Handles false positives identified during the investigation - Handles true positives by initiating appropriate response actions
Cortex XDR - Cloud Enrichment	This playbook is responsible for collecting data from Cortex XDR detector and enriching data for further usage and building the layout. The playbook collects or enriches the following data: - Resource enrichment - Previous activity seen in the specified region or project - Account enrichment - Network enrichment - Attacker IP - Geolocation - ASN
Cortex XDR - Cloud IAM User Access Investigation	Investigate and respond to Cortex XDR Cloud alerts where a Cloud IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS, Azure, and GCP environments. - Penetration testing tool attempt - Penetration testing tool activity - Suspicious API call from a Tor exit node
Cortex XDR - CVE-2025-31324 - SAP NetWeaver Visual Composer	This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the Cortex XDR - CVE-2025-31324 - SAP NetWeaver Visual Composer playbook and Rapid Breach Response incident type. CVE-2025-31324 is a critical zero-day vulnerability affecting the Metadata Uploader component of SAP NetWeaver Visual Composer. The vulnerability arises from missing authorization checks, allowing unauthenticated attackers to upload malicious executable binaries. Exploitation of this flaw can lead to full remote code execution (RCE) on affected systems, posing a significant risk to confidentiality, integrity, and availability. ## CVE-2025-31324 - SAP NetWeaver RCE Vulnerability ## Vulnerability Overview - Component Affected: SAP NetWeaver Visual Composer Metadata Uploader - Endpoint: `/developmentserver/metadatauploader` - CVE ID: CVE-2025-31324 - CVSS Score: 10.0 (Critical) - Exploitability: Unauthenticated remote attackers can exploit this without user interaction This flaw allows unauthenticated attackers to upload arbitrary files (e.g., JSP web shells), enabling remote code execution with the same privileges as the SAP application server process. Source: Unit42 - Palo Alto Networks ## Mitigation and Recommendations - Apply Patch: SAP Note #3594142 (released April 24, 2025) - Disable Visual Composer if not in use - Restrict Access to the vulnerable endpoint - Monitor for IoCs in `/irj/servlet_jsp/irj/root/` and suspicious traffic ## Conclusion CVE-2025-31324 is actively exploited and is critically severe. Organizations should patch immediately, monitor for compromise, and disable or restrict vulnerable components. View official CVE details on NIST ## Playbook Triggers - Manually - "CVE Exploitation - 986328356" Agent rule ## Playbook Flow - Collects IoCs from Unit42 blog. - Downloads Sigma rules. - Search for CVE Exploitation alerts. - Directory enumeration to identify if there are already any suspicious files that might indicate a webshell. - Using XQL, identify potential SAP NetWeaver instances in your environment. - Using XQL, check if there are events that point to any potential webshells downloaded in the directories. - Hunt the IoCs using Panorama and 3rd party SIEM. - Remediate using "Block Indicators - Generic v3" playbook. - Provides Mitigation recommendations. Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Cortex XDR - delete file	Deprecated. Use the `xdr-file-delete-script-execute` command instead. Initiates a new endpoint script execution to delete the specified file and retrieve the results.
Cortex XDR - Display Risky Assets	This playbooks displays risky users and risky hosts, as detected by Cortex XDR's ITDR module. The data is displayed in incident fields in Cortex XDR incidents.
Cortex XDR - Endpoint Investigation	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles all the endpoint investigation actions available with Cortex XSOAR, including the following tasks: Pre-defined MITRE Tactics Host fields (Host ID) Attacker fields (Attacker IP, External host) MITRE techniques * File hash (currently, the playbook supports only SHA256) Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.
Cortex XDR - Execute commands	Deprecated. Use the `xdr-script-commands-execute` command instead. Initiates a new script execution of shell commands.
Cortex XDR - Execute snippet code script	Deprecated. Use the `xdr-snippet-code-script-execute` command instead. Initiates a new endpoint script execution action using the provided snippet code and retrieves the file results.
Cortex XDR - False Positive Incident Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles false-positive incident closures for Cortex XDR - Malware investigation.
Cortex XDR - First SSO Access	Deprecated. Use `Cortex XDR - Identity Analytics` instead. Investigates a Cortex XDR incident containing First SSO access from ASN in organization or First successful SSO connection from a country in organization. The playbook executes the following: - IP and User Enrichment. - User Investigation - Using 'User Investigation - Generic' sub-playbook. - Set alert's verdict - Using 'Cortex XDR - First SSO access - Set Verdict' sub-playbook. - Response based on the verdict. The playbook is used as a sub-playbook in ‘Cortex XDR Incident Handling - v3’.
Cortex XDR - First SSO Access - Set Verdict	Deprecated. Use `Cortex XDR - Identity Analytics` instead. This playbook determines the alert’s verdict based on the results of multiple checks. By default, if at least two of the checks' results are true, the verdict is set to malicious. else if only one check's results are true, the verdict is set to suspicious. If none of the conditions is true, the verdict is set to non-malicious. It is possible to change the threshold value of the inputs to change the sensitivity of the verdict.
Cortex XDR - Get entity alerts by MITRE tactics	This playbook is part of the Cortex XDR by Palo Alto Networks’ pack. This playbook searches alerts related to specific entities from Cortex XDR, on a given timeframe, based on MITRE tactics. Note: The playbook's inputs enable manipulating the execution flow. Read the input descriptions for details.
Cortex XDR - Get entity alerts by MITRE tactics CTF	This playbook is part of the Cortex XDR by Palo Alto Networks’ pack. This playbook searches alerts related to specific entities from Cortex XDR, on a given timeframe, based on MITRE tactics. Note: The playbook's inputs enable manipulating the execution flow. Read the input descriptions for details.
Cortex XDR - Get File Path from alerts by hash	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook assists in retrieving file paths from the Cortex XDR incident by hash.
Cortex XDR - Identity Analytics	The `Cortex XDR - Identity Analytics` playbook is designed to handle Cortex XDR Identity Analytics alerts and executes the following: Analysis: - Enriches the IP address and the account, providing additional context and information about these indicators. Verdict: - Determines the appropriate verdict based on the data collected from the enrichment phase. Investigation: - Checks for related Cortex XDR alerts to the user by Mitre tactics to identify malicious activity. - Checks for specific arguments for malicious usage from Okta using the 'Okta User Investigation' sub-playbook. - Checks for specific arguments for malicious usage from Azure using the 'Azure User Investigation' sub-playbook. Verdict Handling: - Handles malicious alerts by initiating appropriate response actions, including blocking malicious IP addresses and revoking or clearing user's sessions. - Handles non-malicious alerts identified during the investigation. The playbook is used as a sub-playbook in ‘Cortex XDR Alerts Handling v2’.
Cortex XDR - Isolate Endpoint	This playbook accepts an XDR endpoint ID and isolates it using the 'Palo Alto Networks Cortex XDR - Investigation and Response' integration.
Cortex XDR - kill process	Deprecated. Use the `xdr-kill-process-script-execute` command instead. Initiates a new endpoint script execution kill process and retrieves the results.
Cortex XDR - Large Upload	The playbook investigates Cortex XDR incidents involving large upload alerts. The playbook is designed to run as a sub-playbook of ‘Cortex XDR Alerts Handling v2’. The playbook consists of the following procedures: - Searches for similar previous incidents that were closed as false positives. - Enrichment and investigation of the initiator and destination hostname and IP address. - Enrichment and investigation of the initiator user, process, file, or command if it exists. - Detection of related indicators and analysis of the relationship between the detected indicators. - Utilize the detected indicators to conduct threat hunting. - Blocks detected malicious indicators. - Endpoint isolation. This playbook supports the following Cortex XDR alert names: - Large Upload (Generic) - Large Upload (SMTP) - Large Upload (FTP) - Large Upload (HTTPS)
Cortex XDR - Malicious Pod Response - Agent	This playbook ensures a swift and effective response to malicious activities within Kubernetes environments, leveraging cloud-native tools to maintain cluster security and integrity. The playbook is designed to handle agent-generated alerts due to malicious activities within Kubernetes (K8S) pods, such as mining activities, which require immediate action. The playbook also addresses scenarios where the malicious pod is killed, but the malicious K8S workload repeatedly creates new pods. ### Key Features: AWS Function Integration: This utilizes an AWS Lambda function that can manage resources and facilitate rapid response actions within an Amazon EKS cluster without the need for third-party tools such as Kubectl. The Lambda function can initiate the following response actions: - Pod Termination: The playbook includes steps to safely terminate the affected pod within the K8S environment. - Workload Suspension: If necessary, the playbook can be escalated to suspend the entire workload associated with the mining activity. Once the Lambda function execution is completed, the playbook deletes all of the created objects to ensure undesirable usage. ### Workflow: 1. Alert Detection: The playbook begins with the monitoring agent detecting a mining alert within a Kubernetes pod. 2. Alert Validation: Validates the alert to ensure it is not a false positive. 3. Response Decision: - Pod Termination: If the mining activity is isolated to a single pod, the AWS Lambda function is invoked to terminate the affected pod within the K8S environment. - Workload Suspension: If the mining activity is widespread or poses a significant threat, the AWS Lambda function suspends the entire workload within the K8S environment. 4. Cleanup: This action initiates the complete removal of all objects created for the Lambda execution for security and hardening purposes. ### Required Integration #### AWS IAM (Identity and Access Management) - AWS IAM API Documentation - Cortex XSOAR AWS IAM Integration #### AWS EC2 (Elastic Compute Cloud) - AWS EC2 API Documentation - Cortex XSOAR AWS EC2 Integration #### AWS EKS (Elastic Kubernetes Service) - AWS EKS API Documentation - Cortex XSOAR AWS EKS Integration #### AWS Lambda - AWS Lambda API Documentation - Cortex XSOAR AWS Lambda Integration.
Cortex XDR - Malware Investigation	Investigates a Cortex XDR incident containing internal malware alerts. The playbook: - Enriches the infected endpoint details. - The analyst can manually retrieve the malicious file. - Performs file detonation. The playbook is used as a sub- playbook in ‘Cortex XDR Incident Handling - v2’.
Cortex XDR - Port Scan	Deprecated. Use the Cortex XDR - Port Scan - Adjusted playbook instead. Investigates a Cortex XDR incident containing internal port scan alerts. The playbook: - Syncs data with Cortex XDR - Enriches the hostname and IP address of the attacking endpoint - Notifies management about host compromise - Escalates the incident in case of lateral movement alert detection - Hunts malware associated with the alerts across the organization - Blocks detected malware associated with the incident - Blocks IPs associated with the malware - Isolates the attacking endpoint - Allows manual blocking of ports that were used for host login following the port scan
Cortex XDR - Port Scan - Adjusted	The playbook investigates Cortex XDR incidents involving port scan alerts. The playbook is designed to run as a sub-playbook of ‘Cortex XDR Alerts Handling’. The playbook consists of the following procedures: - Enrichment and investigation of the scanner and scanned hostname and IP address. - Enrichment and investigation of the initiator user, process, file, or command if it exists. - Detection of related indicators and analysis of the relationship between the detected indicators. - Utilize the detected indicators to conduct threat hunting. - Blocks detected malicious indicators. - Endpoint isolation. This playbook supports the following Cortex XDR alert names: - Suspicious port scan - Port scan by suspicious process - Highly suspicious port scan - Port scan.
Cortex XDR - Possible External RDP Brute-Force	This playbook investigates a “Possible External RDP Brute Force” XDR Alert by gathering user, IP, and hostname information, and investigating if the following suspicious elements exists: - "IP Reputation" - Dbot Score is 2-3 - "Source geolocation" - RDP Connection made from rare geo-location - Related to campaign - IP address is related to campaign, based on TIM module - Hunting results - the hunt for indicators related to the source IP and the related campaign returned results - XDR Alert search - XDR Alerts that related to the same username and endpoint, and to the MITRE tactics that comes after "Credential Access", were found. - Risky User - The user that was identified in the attack was given a medium or high score by XDR's ITDR module. - Risky Host - The destination host that was identified in the attack was given a medium or high score by XDR's ITDR module. Set verdict method: Critical Element - The "Critical Element" input allows you to select a specific element that, if identified as suspicious, the investigation's final verdict will be deemed a "True Positive". Final Verdict - Each suspicious element is being added to an array called "Suspicious Elements", which is used to count potential security threats. The array size will be compared to a final threshold. If the size is greater than or equal to the threshold, the investigation's final verdict will be deemed a "True Positive". * User Engagement - The "UserEngagementThreshold" input allows you to set the number of suspicious elements that trigger user engagement. When this threshold is met, an email will be sent to the user and their manager asking for authorization of RDP activity. If the RDP activity is not authorized by the user, the investigation's final verdict will be deemed a "True Positive".
Cortex XDR - Possible External RDP Brute-Force - Set Verdict	This playbook creating an array called "Suspicious Elements", which is used to count potential security threats. The following elements can be added to the array: - "IP Reputation" - DBot Score is 2-3 - "Source geolocation" - RDP Connection made from rare geo-location - Related to campaign - IP address is related to campaign, based on TIM module - Hunting results - the hunt for indicators related to the source IP and the related campaign returned results - XDR Alert search - XDR Alerts that related to the same username and endpoint, and to the MITRE tactics that comes after "Credential Access", were found. - Risky User - one or more risky users are involved in the incident, as identified by the Cortex XDR - IR integration's ITDR module. - Risky Host - one or more risky hosts are involved in the incident, as identified by the Cortex XDR - IR integration's ITDR module. The array will then be outputted and its size will be compared to a final threshold. If the size is greater than or equal to the threshold, the investigation's final verdict will be deemed a "True Positive."
Cortex XDR - Possible External RDP Brute-Force CTF	This playbook investigates a “Possible External RDP Brute Force” XDR Alert by gathering user, IP, and hostname information, and investigating if the following suspicious elements exists: - "IP Reputation" - Dbot Score is 2-3 - "Source geolocation" - RDP Connection made from rare geo-location - Related to campaign - IP address is related to campaign, based on TIM module - Hunting results - the hunt for indicators related to the source IP and the related campaign returned results - XDR Alert search - XDR Alerts that related to the same username and endpoint, and to the MITRE tactics that comes after "Credential Access", were found. Set verdict method: Critical Element - The "Critical Element" input allows you to select a specific element that, if identified as suspicious, the investigation's final verdict will be deemed a "True Positive". Final Verdict - Each suspicious element is being added to an array called "Suspicious Elements", which is used to count potential security threats. The array size will be compared to a final threshold. If the size is greater than or equal to the threshold, the investigation's final verdict will be deemed a "True Positive". * User Engagement - The "UserEngagementThreshold" input allows you to set the number of suspicious elements that trigger user engagement. When this threshold is met, an email will be sent to the user and their manager asking for authorization of RDP activity. If the RDP activity is not authorized by the user, the investigation's final verdict will be deemed a "True Positive".
Cortex XDR - PrintNightmare Detection and Response	The playbook targets specific PrintNightmare rules written by Cortex XDR for both vulnerabilities: CVE-2021-1675 LPE CVE-2021-34527 RCE This playbook includes the following tasks: - Containment of files, endpoints, users and IP Addresses - Enrichment of indicators - Data acquisition of system info and files using Cortex XDR - Eradicating compromised user credentials ** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Cortex XDR - quarantine file	Deprecated. Use Cortex XDR - quarantine file v2 instead.
Cortex XDR - Quarantine File v2	This playbook accepts "file path", "file hash" and "endpoint id" to quarantine a selected file and wait until the action is done. All 3 inputs are required to quarantine a single file. This playbook does not support the quarantine of multiple files.
Cortex XDR - Retrieve File by sha256	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. The playbook facilitates the process of retrieving files from the investigated devices, unzipping the retrieved files, and loading them into the War Room. This playbook consists of the following steps: Initially, the sub-playbook 'Cortex XDR - Get File Path from alerts by hash' examines the SHA256 file hashes and retrieves the file paths associated with each hash. As soon as the SHA256 hashes, file paths, and endpoint IDs are obtained, the playbook attempts to retrieve the files from all the investigated devices. Once the file retrieval automation has been completed successfully, the playbook will unzip the files and load them into the War Room. Note: When retrieving multiple files, ensure that the SHA256 input is set to run in a loop.
Cortex XDR - Retrieve File Playbook	Deprecated. Use Cortex XDR - Retrieve File Playbook v2 instead.
Cortex XDR - Retrieve File v2	This playbook retrieves files from selected endpoints. You can retrieve up to 20 files, from 10 endpoints. Inputs for this playbook are: - A comma-separated list of endpoint IDs. - A comma-separated list of file paths for your operating system, either Windows, Linux, or Mac. At least one file path is required.
Cortex XDR - Run script	Deprecated. Use the `xdr-script-run` command instead. Initiates a new endpoint script execution action using a provided script unique id from Cortex XDR script library.
Cortex XDR - Search And Block Software - XQL Engine	This playbook will search a file or process activity of a software by a given image file name using Cortex XDR XQL Engine. The analyst can then choose the files to block.
Cortex XDR - Search and Compare Process Executions - XDR Alerts	This playbook is a generic playbook that receives a process name and command-line argument. It uses the "Cortex XDR IR" integration to search for the given process executions inside Cortex XDR alerts and compares the command-line argument from the results to the command-line argument received from the playbook input. Note: Under the "Processes" input, the playbook should receive an array that contains the following keys: - value: process name - commands: command-line arguments.
Cortex XDR - Search and Compare Process Executions - XQL Engine	This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Cortex XDR - XQL Engine" integration to search for the given process executions and compare the command-line argument from the results to the command-line argument received from the playbook input. Note: Under the "Processes" input, the playbook should receive an array that contains the following keys: - value: process name - commands: command-line arguments
Cortex XDR - True Positive Incident Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a true-positive incident closure for Cortex XDR - Malware Investigation.
Cortex XDR - Unisolate Endpoint	This playbook unisolates endpoints according to the endpoint ID that is provided in the playbook input.
Cortex XDR - XCloud Cryptojacking	Investigates a Cortex XDR incident containing a Cloud Cryptojacking related alert. The playbook supports AWS, Azure, and GCP and executes the following: - Cloud enrichment: - Collects info about the involved resources - Collects info about the involved identities - Collects info about the involved IPs - Verdict decision tree - Verdict handling: - Handle False Positives - Handle True Positives - Cloud Response - Generic sub-playbook. - Notifies the SOC if a malicious verdict was found
Cortex XDR - XCloud Cryptojacking - Set Verdict	This playbook sets the alert's verdict as malicious if one of the following conditions is true: 1. If the source IP address is malicious 2. If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Cloud identity reached a throttling API rate" (medium/high severity) 3. If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Suspicious heavy allocation of compute resources - possible mining activity" 4. If the incident includes "Unusual allocation of multiple cloud compute resources" with medium/high severity, the source ASN isn't known, and the source IP isn't known as well. 5. If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "A cloud compute instance was created in a dormant region" If none of the conditions is true, the playbook will wait for an analyst's decision.
Cortex XDR - XCloud Token Theft - Set Verdict	--- ## Cloud Token Theft - Set Verdict Playbook The playbook is built from a decision tree whose ultimate goal is to decide whether the observed activity is malicious. ### Event Search The playbook searches for events based on the attacker's IP address within the last two hours. ### Tests Performed The following tests are performed on the observed activity: 1. Malicious IP Check: Determines if the IP address is malicious. 2. CSP ASN Check: Checks if the activity was performed from an Autonomous System Number (ASN) belonging to one of the Cloud Service Providers (CSPs). 3. IP and ASN History Check: Verifies if the IP address and ASN have been previously observed. 4. Region Check: Determines if the API call was made from outside the recognized region. 5. Anomalous State Check: Checks if the API call was made from an anomalous state. 6. Alert Check: Looks for any related alerts around the event, including: - Possible cloud instance metadata service (IMDS) abuse. - Impossible Traveler by cloud identity. ---
Cortex XDR - XCloud Token Theft Response	--- ## Cloud Token Theft Response Playbook The Cloud Token Theft Response Playbook provides a structured and comprehensive flow to effectively respond to and mitigate alerts involving the theft of cloud tokens. The playbook supports AWS, GCP, and Azure and executes the following: Cloud Enrichment: - Enriches the involved resources. - Enriches the involved identities. - Enriches the involved IPs. Verdict Decision Tree: - Determines the appropriate verdict based on the investigation findings. Early Containment using the Cloud Response - Generic Playbook: - Implements early containment measures to prevent further impact. Cloud Persistence Threat Hunting: - Conducts threat hunting activities to identify any cloud persistence techniques. Enriching and Responding to Hunting Findings: - Performs additional enrichment and responds to the findings from threat hunting. Verdict Handling: - Handles false positives identified during the investigation. - Handles true positives by initiating appropriate response actions. ---
Cortex XDR Alerts Handling	Deprecated. Use Cortex XDR - Alerts Handling v2 instead. When using the v2 version, enabling globally shared context for that playbook is required because outputs are no longer declared.
Cortex XDR Alerts Handling CTF	This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories: - Malware - Port Scan.
Cortex XDR Alerts Handling v2	This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories: - Malware - Port Scan - Cloud Cryptojacking - Cloud Token Theft - RDP Brute-Force - First SSO Access - Cloud IAM User Access Investigation - Identity Analytics - Malicious Pod.
Cortex XDR device control violations	Queries Cortex XDR for device control violations for the specified hosts, IP address, or XDR endpoint ID. It then communicates via email with the involved users to understand the nature of the incident and if the user connected the device. All the collected data will be displayed in the XDR device control incident layout. This playbook can also be associated with Cortex XDR device control violation job to periodically query and investigate XDR device control violations. In this configuration, the playbook will only communicate with the involved users.
Cortex XDR disconnected endpoints	A Job to periodically query disconnected Cortex XDR endpoints with a provided last seen time range playbook input. The Collected data, if found will be generated to a CSV report, including a detailed list of the disconnected endpoints. The report will be sent to the recipient's provided email addresses in the playbook input. The playbook includes an incident type with a dedicated layout to visualize the collected data. To set the job correctly, you will need to. 1. Create a new recurring job. 2. Set the recurring schedule. 3. Add a name. 4. Set type to Cortex XDR disconnected endpoints. 5. Set this playbook as the job playbook. https://xsoar.pan.dev/docs/incidents/incident-jobs The scheduled run time and the timestamp relative date should be identical, If the job is recurring every 7 days, the time range should be 7 days as well.
Cortex XDR Incident Handling	Deprecated. Use `Cortex XDR incident handling v3` instead. This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident. It enriches indicators using Threat Intelligence integrations and Palo Alto Networks AutoFocus. The incident's severity is then updated based on the indicators reputation and an analyst is assigned for manual investigation. If chosen, automated remediation with Palo Alto Networks FireWall is initiated. After a manual review by the SOC analyst, the XDR incident is closed automatically. *** Note - The XDRSyncScript used by this playbook sets data in the XDR incident fields that were released to content from the Demisto server version 5.0.0. For Demisto versions under 5.0.0, please follow the 'Palo Alto Networks Cortex XDR' documentation to upload the new fields manually.
Cortex XDR incident handling v2	Deprecated. Use `Cortex XDR incident handling v3` instead. This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident and triggers a sub-playbook to handle each alert by type. Then, the playbook performs enrichment on the incident's indicators and hunting for related IOCs. Based on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive. After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation.
Cortex XDR incident handling v3	This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident and triggers a sub-playbook to handle each alert by type. Then, the playbook performs enrichment on the incident’s indicators and hunts for related IOCs. Based on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive. After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation. For performing the bidirectional sync, the playbook uses the incoming and outgoing mirroring feature added in XSOAR version 6.0.0. After the Calculate Severity - Generic v2 sub-playbook’s run, Cortex XSOAR will be treated as the single source of truth for the severity field, and it will sync only from Cortex XSOAR to XDR, so manual changes for the severity field in XDR will not update in the XSOAR incident.
Cortex XDR incident handling v3 CTF	This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident and triggers a sub-playbook to handle each alert by type. Then, the playbook performs enrichment on the incident’s indicators and hunts for related IOCs. Based on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive. After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation. For performing the bidirectional sync, the playbook uses the incoming and outgoing mirroring feature added in XSOAR version 6.0.0. After the Calculate Severity - Generic v2 sub-playbook’s run, Cortex XSOAR will be treated as the single source of truth for the severity field, and it will sync only from Cortex XSOAR to XDR, so manual changes for the severity field in XDR will not update in the XSOAR incident.
Cortex XDR Incident Sync	Deprecated. No available replacement. Compares incidents in Palo Alto Networks Cortex XDR and Cortex XSOAR, and updates the incidents appropriately. When an incident is updated in Cortex XSOAR, the XDRSyncScript will update the incident in XDR. When an incident is updated in XDR, the XDRSyncScript will update the incident fields in Cortex XSOAR and rerun the current playbook. Do not use this playbook when enabling the incident mirroring feature added in XSOAR version 6.0.0.
Cortex XDR IOCs - Disable expired IOCs in XDR	This is a sub-playbook of "Cortex XDR IOCs - Push new IOCs to XDR (Main)". This playbook disables indicators in Cortex XDR after they expire from Cortex XSOAR using a loop and querying on the "xdr_pushed" tag.
Cortex XDR IOCs - Push new IOCs to XDR	This is a sub-playbook of "Cortex XDR IOCs - Push new IOCs to XDR - Main" and should not be run on its own. This sub-playbook retrieves IOCs according to the users query input (passed from the main playbook) and pushes them into Cortex XDR, and marks them as "xdr_pushed" or "xdr_not_processed" for further processing.
Cortex XDR IOCs - Push new IOCs to XDR (Main)	This is the main playbook for Cortex XDR IOCs sync. The playbook will "sync" IOCs into Cortex XDR by pushing new IOCs in and disabling expired IOCs. The playbook utilizes Cortex XSOAR tags and loops in order to find IOCs using a query provided by the user. The playbook will iterate over the IOCs pushing them in batches into Cortex XDR. In the second phase, the playbook will disable expired IOCs that were previously pushed into Cortex XDR. We recommend running this playbook as a job a twice a day after disabling the integration sync function.
Cortex XDR Lite - Incident Handling	The Cortex XDR Lite - Incident Handling playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident and executes the following: Analysis: - Enriches all the indicators from XDR incidents and alerts, providing additional context and information about these indicators. Investigation: - Checks for related XDR alerts to the user and the endpoint by Mitre tactics to identify malicious activity. - Checks for specific arguments for malicious usage from the command line. Verdict: - Determines the incident's verdict by considering indicator enrichment results, user and host risk levels, command line analysis, and the number of related XDR alerts (medium severity or higher) to the user and the endpoint by Mitre tactics. Verdict Handling: - Handles malicious incidents by initiating appropriate response actions, including blocking malicious indicators, isolating endpoints, and disabling user accounts. To utilize this playbook as the default for handling XDR incidents, the classifier should be empty, and the selected incident type should be `Cortex XDR - Lite`. The selected Mapper (incoming) should be `XDR - Incoming Mapper`, and the selected Mapper (outgoing) should be Cortex `XDR - Outgoing Mapper`.
Cortex XDR Malware - Incident Enrichment	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enriches the Cortex XDR incident. The enrichment is done on the involved endpoint and Mitre technique ID information, and sets the 'Malware-Investigation and Response' layout.
Cortex XDR Malware - Investigation And Response	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook investigates Cortex XDR malware incidents. It uses: - Cortex XDR insights - Command Line Analysis - Dedup - Sandbox hash search and detonation - Cortex XDR enrichment - Incident Handling (True/False Positive).
Cortex XDR Remote PsExec with LOLBIN command execution alert	The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source. The playbook aims to efficiently: - Get the alert data and check if the execution is blocked. If not will terminate the process (manually by default). - Enrich any entities and indicators from the alert and find any related campaigns. - Perform command analysis to provide insights and a verdict for the executed command. - Perform further endpoint investigation using Cortex XDR. - Checks for any malicious verdicts found to raise the severity of the alert. - Perform automatic/manual remediation response by blocking any malicious indicators found. The playbook is designed to run as a sub-playbook in "Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling". It depends on the data from the parent playbooks and cannot be used as a standalone version.
Courses of Action - Collection	This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1005 - Data from Local System - Kill Chain phase: - Collection MITRE ATT&CK Description: The adversary is attempting to gather data of interest to accomplish their goal. Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
Courses of Action - Command and Control	This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0011: command and control MITRE ATT&CK Description: The adversary is trying to communicate with compromised systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
Courses of Action - Credential Access	This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0006: Credential Access MITRE ATT&CK Description: The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
Courses of Action - Defense Evasion	This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0005: Defense Evasion MITRE ATT&CK Description: The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
Courses of Action - Discovery	This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0007: Discovery MITRE ATT&CK Description: The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
Courses of Action - Execution	This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0002: Execution MITRE ATT&CK Description: The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
Courses of Action - Exfiltration	This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0010: Exfiltration MITRE ATT&CK Description: The adversary is trying to steal data. Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
Courses of Action - Impact	This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0040: Impact MITRE ATT&CK Description: The adversary is trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
Courses of Action - Initial Access	This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0001: Initial Access MITRE ATT&CK Description: The adversary is trying to get into your network. Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
Courses of Action - Lateral Movement	This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0008: Lateral Movement MITRE ATT&CK Description: The adversary is trying to move through your environment. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
Courses of Action - Persistence	This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0003: Persistence MITRE ATT&CK Description: The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
Courses of Action - Privilege Escalation	This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase (tactic) according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Tactic: - TA0004: Privilege Escalation MITRE ATT&CK Description: The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: • SYSTEM/root level• local administrator• user account with admin-like access • user accounts with access to specific system or perform specific functionThese techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
Create Jira Issue	Create Jira issue allows you to open new issues. When creating the issue, you can decide to update based on on the issue's state, which will wait for the issue to resolve or close with StatePolling. Alternatively, you can select to mirror the Jira issue and incident fields. To apply either of these options, set the SyncTicket value in the playbook inputs to one of the following options: 1. StatePolling 2. Mirror 3. Leave Blank to use none When creating Jira issues through XSOAR, using the mirroring function, make sure that you exclude those issues when fetching incidents. To exclude these issues, tag the relevant issues with a dedicated label and exclude that label from the JQL query (Labels!=).
Create Jira Ticket - XM Cyber	XM Cyber generates a Jira ticket based on the trend in the Security Score
Create list for PTH	This playbook help analysts creating a new list of domains to monitor using CertStream integration.
Create ServiceNow Ticket	Create ServiceNow Ticket allows you to open new tickets as a task from a parent playbook. When creating the ticket, you can decide to update based on on the ticket's state, which will wait for the ticket to resolve or close with StatePolling. Alternatively, you can select to mirror the ServiceNow ticket and incident fields. To apply either of these options, set the SyncTicket value in the playbook inputs to one of the following options: 1. StatePolling 2. Mirror 3. Leave Blank to use none.
Credential Dumping using a known tool	This playbook is designed to handle the following alerts: - Command-line arguments match Mimikatz execution - Mimikatz command-line arguments - Credential dumping via wce.exe - Credential dumping via gsecdump.exe - PowerShell runs with known Mimikatz arguments - Hash cracking using Hashcat tool - Credential dumping via fgdump.exe - Credential dumping via LaZagne - Credential dumping via pwdumpx.exe - Dumping lsass.exe memory for credential extraction - Memory dumping with comsvcs.dll The playbook executes the following stages: Early Containment: - Handles malicious alerts by terminating the causality process. Remediation: - Handles malicious alerts by suggesting the analyst to isolate the endpoint.
CrowdStrike Endpoint Enrichment	Deprecated. Use CrowdStrike Falcon instead.
CrowdStrike Falcon - Block File	This playbook receives an MD5 or a SHA256 hash and adds it to the block list in CrowdStrike Falcon. The playbook uses the integration "CrowdStrike Falcon".
CrowdStrike Falcon - False Positive Incident Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike incident that was determined to be a false positive by the analyst. Actions include unisolating the host, allowing the indicator by the EDR, and tagging it.
CrowdStrike Falcon - Get Detections by Incident	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enables getting CrowdStrike Falcon detection details based on the CrowdStrike incident ID.
CrowdStrike Falcon - Get Endpoint Forensics Data	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook extracts data from the host using RTR commands. For example, commands for getting a list of running processes and network connections.
Crowdstrike Falcon - Isolate Endpoint	This playbook will auto isolate endpoints by the device ID that was provided in the playbook.
CrowdStrike Falcon - Retrieve File	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook retrieves and unzips files from CrowdStrike Falcon and returns a list of the files that were and were not retrieved.
CrowdStrike Falcon - Search Endpoints By Hash	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook searches across the organization for other endpoints associated with a specific SHA256/MD5/SHA1 hash.
CrowdStrike Falcon - Search Endpoints By Indicators	This playbooks searches for different indicators (IP,IPV6,File hashes,Domain) in the crowdstrike falcon console. The output will be all the endpoints found associated with provided indicators. Provided agent id as an input will be excluded from the returned list.
CrowdStrike Falcon - SIEM ingestion Get Incident Data	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles incident ingestion from a SIEM. The user provides the field for the incident ID or detection ID and the field indicating whether the ingested item is an incident or detection. This playbook enables changing the severity scale in Cortex XSOAR as well as fetching CrowdStrike detections based on the CrowdStrike incident type.
CrowdStrike Falcon - T1059 - Command and Scripting Interpreter	This playbook handles command and scripting interpreter alerts based on the MITRE T1059 technique. An attacker might abuse command and script interpreters to execute commands, scripts, or binaries. The playbook executes the following stages: Analysis - Initiates the CommandLineAnalysiss script which will determine if the command lines have any suspicious artifacts that might indicate malicious behavior. - Enriches any indicators found during the command lines analysis phase. Investigative Actions: - In case malicious indicators were found, the playbook will initiate a check against CrowdStrike Falcon to identify if any other endpoint has been associated with the same indicators. - If there are any, the playbook will update the layout and create a new incident for further investigation. Remediation: - Terminate the process if the CrowdStike Falcon agent doesn't block it. - If the process failed or the parent process command line was suspicious as well, a manual action will be provided to the analyst to choose how to proceed further: - Terminate the parent process - Isolate the endpoint Closure Steps: - Handle malicious alerts by closing the alert as True Positive. - Handle non-malicious alerts by closing the alert as False Positive.
CrowdStrike Falcon - True Positive Incident Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike incident that was determined to be a true positive by the analyst. Actions include isolating the host, blocking the indicator by the EDR, and tagging it.
Crowdstrike Falcon - Unisolate Endpoint	This playbook unisolates devices according to the device ID that is provided in the playbook input.
CrowdStrike Falcon Intelligence Sandbox Detonate and Analyze File	This playbook uploads, detonates, and analyzes files for the CrowdStrike Falcon Intelligence Sandbox.
CrowdStrike Falcon Malware - Incident Enrichment	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enables enriching CrowdStrike Falcon incidents by pivoting to their detections as well as mapping all the relevant data to the Cortex XSOAR incident fields.
CrowdStrike Falcon Malware - Investigation and Response	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike Falcon malware investigation, including: - Extracting and displaying MITRE data from the EDR and sandboxes - Deduplicating similar incidents - Searching for hashes in an alert in a sandbox to provide their relevant information. If the hashes are not found, retrieving them from the endpoint and detonating them in the sandbox. - Verifying the actions taken by the EDR - Analyzing the command line - Searching for relevant hashes in additional hosts in the organization - Retrieving data about the host, including process list and network connections - Performing containment and mitigation actions as part of handling false/true positives - Setting the relevant layouts
CrowdStrike Falcon Malware - Verify Containment Actions	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook verifies and sets the policy actions applied by CrowdStrike Falcon.
CrowdStrike Falcon Sandbox - Detonate file	Deprecated. Use the cs-falcon-sandbox-submit-file command with polling=true instead.
CrowdStrike Rapid IOC Hunting	Deprecated. Use "CrowdStrike Rapid IOC Hunting v2" playbook instead. Hunt for endpoint activity involving hash and domain IOCs, using Crowdstrike Falcon Host.\nAlso use AnalystEmail label to determine where to send an email alert if something is found.
CrowdStrike Rapid IOC Hunting v2	Deprecated. Use CrowdStrike Falcon instead.
CTF 1 - Get to know XSOAR8	Get to know XSOAR 8 - Run this playbook and follow the questions.
CTF 2 - Classify an incident - RDP Brute force	Classify an RDP Brute Force Incident - Run this playbook and follow the questions.
CTF-X	Not so easy...
CVE Enrichment - Generic	Deprecated. Use "CVE Enrichment - Generic v2" playbook instead. Enrich CVE using one or more integrations.
CVE Enrichment - Generic v2	This playbook performs CVE Enrichment using the following integrations: - VulnDB - CVE Search - IBM X-Force Exchange
CVE Exposure - RiskSense	Block IPs and apply the tag to assets that are vulnerable to the specified CVE.
CVE-2021-22893 - Pulse Connect Secure RCE	On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed. The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0. This playbook should be trigger manually and includes the following tasks: Enrich related known CVEs and Malware Hashes used by the suspected APT actor. Search for unpatched endpoints vulnerable to the exploits. Search network facing system using Expanse for relevant issues. Indicators and known webshells hunting using SIEM products. Block indicators automatically or manually. Provide different mitigations that has been publicly published such as: Patches Workarounds * Yara and Snort Rules Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Exploitation of Pulse Connect Secure Vulnerabilities
CVE-2021-34527 | CVE-2021-1675 - PrintNightmare	The playbook can be triggered manually or automatically by setting up a reoccurring job. Microsoft has released a security update in June 2021 Patch Tuesday for CVE-2021-1675, a Local Privilege Escalation vulnerability in the Print Spooler Service. Later that month, researchers found another method to exploit the Print Spooler service remotely, which raised the severity of the vulnerability due to the fact that the new method allows Remote Code Execution, a new ID was given to the critical vulnerability - CVE-2021-34527. Microsoft patched the vulnerability in June but an exploit POC and complete technical analysis were made publicly available online. Update 7.8.2021 - Microsoft has released an emergency patch for the PrintNightmare. A reference for the patch can be found in "Install Microsoft spooler service patches" task. This playbook includes the following tasks: - Manual actions to mitigate the exploit - Search Vulnerable Devices using the CVE - Query SIEM, FW, XDR to detect malicious activity and compromised hosts - Run Dedicated Detection and Response playbook for Cortex XDR More details on the vulnerabilities: CVE-2021-1675 LPE CVE-2021-34527 RCE Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
CVE-2021-40444 - MSHTML RCE	CVE-2021-4044 refers to the MSHTML engine, that has been found vulnerable to arbitrary code execution by a specially crafted Microsoft Office document or rich text format file. Mitigations: Microsoft official patch addressing CVE-2021-40444 Several workarounds suggested by Microsoft. Researchers have validated this attack triggered in Windows Explorer with “Preview Mode” enabled, even in just a rich-text format RTF file (not an Office file and without ActiveX). This indicates it can be exploited even without opening the file and this invalidates Microsoft’s workaround mitigation mentioned above. This playbook should be trigger manually and includes the following tasks: Collect related known indicators from several sources. Indicators, Files and Process creation patterns hunting using PAN-OS, Cortex XDR and SIEM products. Block indicators automatically or manually. Provide workarounds and detection capabilities. * Microsoft official CVE-2021-40444 patch. More information: Microsoft MSHTML Remote Code Execution Vulnerability Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
CVE-2021-44228 - Log4j RCE	Critical RCE Vulnerability: log4j - CVE-2021-44228 On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified being exploited in the wild. Public proof of concept (PoC) code was released and subsequent investigation revealed that exploitation was incredibly easy to perform. On Dec. 14 2021, another vulnerability was discovered related to the log4j 0-day exploit known as CVE-2021-45046. On Dec 18 2021, yet another vulnerability was discovered related to the log4j 0-day exploit known as CVE-2021-45105 that allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. On Dec 28 2021, another RCE vulnerability was published for Apache Log4j2, versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4). In order to exploit this vulnerability, an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. Affected Version Apache Log4j 2.x <= 2.17.0 This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the CVE-2021-44228 - Log4j RCE playbook and Rapid Breach Response incident type. The playbook includes the following tasks: Collect related known indicators from several sources. Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products. Search for possible vulnerable servers using Xpanse and Prisma Cloud. Block indicators automatically or manually. Mitigations: Apache official CVE-2021-44228 patch. Unit42 recommended mitigations. Detection Rules. Snort Suricata Sigma Yara Zeek Intel More information: Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228) Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
CVE-2022-26134 - Confluence RCE	Atlassian has been made aware of the current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability. Atlassian has released the following versions to address this issue: Released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1 which contain a fix for this issue. This playbook includes the following tasks: Collect detection rules. Exploitation patterns & IoCs hunting using PANW Next-Generation Firewalls and 3rd party SIEM products. Cortex Xpanse policies coverage. Provides Atlassian workarounds and patched versions. More information: Threat Brief: Atlassian Confluence Remote Code Execution Vulnerability (CVE-2022-26134) Confluence Security Advisory 2022-06-02 Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
CVE-2022-30190 - MSDT RCE	On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec. The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word. On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability. This playbook includes the following tasks: Collect detection rules. Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products. Cortex XDR BIOCs coverage. Provides Microsoft workarounds and detection capabilities. More information: Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
CVE-2022-3786 & CVE-2022-3602 - OpenSSL X.509 Buffer Overflows	On November 1, OpenSSL released a security advisory describing two high severity vulnerabilities within the OpenSSL library, CVE-2022-3786 and CVE-2022-3602. OpenSSL versions from 3.0.0 - 3.0.6 are vulnerable, with 3.0.7 containing the patch for both vulnerabilities. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. The vulnerability described in CVE-2022-3602 allows an attacker to obtain a 4-byte overflow on the stack by crafting a malicious email address within the attacker-controlled certificate. The overflow will result in a crash (most likely scenario) or potentially remote code execution (much less likely). In CVE-2022-3786, an attacker can achieve a stack overflow of arbitrary length by crafting a malicious email address within the attacker-controlled certificate. Both vulnerabilities are “triggered through X.509 certificate verification, specifically, name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.” The playbook includes the following tasks: Hunting for active processes running OpenSSL vulnerable versions using: Cortex XDR Splunk Azure Sentinel Cortex Xpanse Prisma PANOS Mitigations: OpenSSL official patch More information: Unit42 Threat Brief: CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Buffer Overflows NCSC-NL - OpenSSL overview Scanning software Note: This is a beta playbook that lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell	UPDATE A new method for bypassing ProxyNotShell mitigations was found after being seen exploited in the wild by the Play ransomware gang. While the original exploit took advantage of the Autodiscover endpoint, the new exploit is using the OWA endpoint leading to SSRF. The OWASSRF exploit method involves two different vulnerabilities tracked by CVE-2022-41080 and CVE-2022-41082 that allow remote code execution (RCE) via Outlook Web Access (OWA). This playbook introduces several updates in response to the new discovery: - Hunting: - Detecting possibly successful exploitation of the OWA SSRF vulnerability. - Mitigations: - IIS URL Rewrite rule for the modified exploitation URI path. - Remediation: - Block Indicators - Generic v3 playbook. Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability. This playbook includes the following tasks: Collect detection rules, indicators and mitigation tools. Exploitation patterns hunting using Cortex XDR - XQL Engine. Exploitation patterns hunting using 3rd party SIEM products: Azure Sentinel Splunk QRadar Elasticsearch Indicators hunting using: PAN-OS Splunk QRadar Provides Microsoft mitigation and detection capabilities. More information: Threat Brief: OWASSRF Vulnerability Exploitation Threat Brief: CVE-2022-41040 and CVE-2022-41082: Microsoft Exchange Server (ProxyNotShell) References: OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082 Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER ProxyNotShell— the story of the claimed zero days in Microsoft Exchange Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
CVE-2023-23397 - Microsoft Outlook EoP	### CVE-2023-23397 - Critical Elevation of Privilege vulnerability in Microsoft Outlook #### Summary Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure. #### Affected Products All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected. #### Technical Details CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required. The threat actor is using a connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the CVE-2023-23397 - Microsoft Outlook EoP playbook and Rapid Breach Response incident type. The playbook includes the following tasks: Hunting: - Panorama Threat IDs - Cortex XDR - XQL hunting query - BTP hunting - Microsoft PowerShell hunting script - Advanced SIEM hunting queries - Indicators hunting - Endpoint by CVE hunting Mitigations: - Cortex XDR Advanced API Monitoring - Microsoft official CVE-2023-23397 patch - Microsoft workarounds - Detection Rules - Yara References: Microsoft Mitigates Outlook Elevation of Privilege Vulnerability CVE-2023-23397 Audit & Eradication Script Neo23x0 Yara Rules Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
CVE-2023-34362 - MOVEit Transfer SQL Injection	### CVE-2023-34362 - Critical SQL Injection vulnerability in MOVEit Transfer. #### Summary A critical vulnerability has been identified in MOVEit Transfer, a managed file transfer solution. The vulnerability affects versions prior to the latest release and involves improper input validation. Exploiting this vulnerability can lead to remote execution of arbitrary code, potentially resulting in unauthorized access and compromise of sensitive data. To mitigate the risk associated with this vulnerability, it is crucial for users to update to the latest version of MOVEit Transfer that includes necessary security patches. #### Affected Products | Affected Version | Fixed Version | Documentation | |-------------------------------|---------------------------|-------------------------------------| | MOVEit Transfer 2023.0.0 (15.0) | MOVEit Transfer 2023.0.1 | MOVEit 2023 Upgrade Documentation | | MOVEit Transfer 2022.1.x (14.1) | MOVEit Transfer 2022.1.5 | MOVEit 2022 Upgrade Documentation | | MOVEit Transfer 2022.0.x (14.0) | MOVEit Transfer 2022.0.4 | MOVEit 2022 Upgrade Documentation | | MOVEit Transfer 2021.1.x (13.1) | MOVEit Transfer 2021.1.4 | MOVEit 2021 Upgrade Documentation | | MOVEit Transfer 2021.0.x (13.0) | MOVEit Transfer 2021.0.6 | MOVEit 2021 Upgrade Documentation | | MOVEit Transfer 2020.1.x (12.1) | Special Patch Available | See KB 000234559 | | MOVEit Transfer 2020.0.x (12.0) or older | MUST upgrade to a supported version | See MOVEit Transfer Upgrade and Migration Guide | This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the CVE-2023-34362 - MOVEit SQL Injection playbook and Rapid Breach Response incident type. The playbook includes the following tasks: IoCs Collection - Blog IoCs download - Yara Rules download - Sigma rules download Hunting: - Cortex XDR XQL exploitation patterns hunting - Cortex Xpanse external facing instances hunting - Advanced SIEM exploitation patterns hunting - Indicators hunting The hunting queries are searching for the following activities: - ASPX file creation by w3wp.exe - IIS compiling binaries via the csc.exe on behalf of the MOVEit - Detects get requests to specific exploitation related files Mitigations: - Progress official CVE-2023-34362 patch - Progress mitigation measures - Detection Rules - Yara - Sigma References: CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Threat Brief MOVEit Transfer Critical Vulnerability (May 2023) Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
CVE-2023-36884 - Microsoft Office and Windows HTML RCE	## CVE-2023-36884 - Microsoft Office and Windows HTML RCE Summary: Microsoft recently detected a sophisticated phishing campaign orchestrated by a threat actor called Storm-0978. The targets of this campaign were defense and government organizations in Europe and North America. The attackers exploited the previously undisclosed CVE-2023-36884, introduced in July's recent Patch Tuesday release. CVE-2023-36884 is affecting both Office and Windows. This zero-day vulnerability enables remote code execution through specially crafted Microsoft Office documents. This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the CVE-2023-36884 - Office and Windows HTML RCE playbook and Rapid Breach Response incident type. The playbook includes the following tasks: IoCs Collection - Unit42 IoCs download Hunting: - PANW Hunting: - Cortex XDR XQL exploitation patterns hunting - Panorama Threat IDs hunting - Advanced SIEM exploitation patterns hunting - Indicators hunting - Endpoints by CVE hunting The hunting queries are searching for the following activities: - Detects a Microsoft Office file drops a file called 'file001.url'. - Suspicious New Instance Of An Office COM Object - Change PowerShell Policies to an Insecure Level `Please note that the threat hunting queries are related to the behavior identified as part of the exploitation patterns and may result in false positive detections.` Mitigations: - Microsoft mitigation measures References: CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief Storm-0978 attacks reveal financial and espionage motives
CVE-2024-47575 - FortiManager Authentication Bypass	CVE-2024-47575, also known as FortiJump, is a critical zero-day vulnerability affecting FortiManager, a centralized management platform for Fortinet devices. The vulnerability arises due to missing authentication checks in specific FortiManager REST API endpoints. An unauthenticated attacker with network access to the FortiManager device can exploit this flaw to execute arbitrary code or commands, potentially leading to complete system compromise. --- ## Affected Versions | FortiManager Version | Status | |------------------------|--------------------| | 7.2.0 to 7.2.3 | Affected | | 7.0.0 to 7.0.7 | Affected | | 6.4.0 to 6.4.11 | Affected | | 6.2.x and earlier | Potentially Affected | | 7.2.4 and above | Patched | | 7.0.8 and above | Patched | | 6.4.12 and above | Patched | Note: Old FortiAnalyzer models 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E with the following feature enabled (FortiManager on FortiAnalyzer): config system global set fmg-status enable end And at least one interface with the fgfm service enabled is also impacted by this vulnerability. --- ## Playbook Flow 1. Create, Tag, and Block Indicators 2. Hunt Automatically for Suspicious Behavior Related to the exploitation flow using XQL Note: The 'fortinet_fortimanager_raw' dataset must be available for the XQL queries completion. 3. Provide Mitigations and Workarounds --- References: - Fortinet PSIRT Advisory FG-IR-24-423 --- By following this playbook, organizations can effectively respond to and mitigate the risks associated with CVE-2024-47575 (FortiJump).
CVE-2024-6387 - OpenSSH RegreSSHion RCE	RegreSSHion Vulnerability (CVE-2024-6387) On July 1, 2024, a critical signal handler race condition vulnerability was disclosed in OpenSSH servers (sshd) on glibc-based Linux systems. This vulnerability, known as RegreSSHion and tracked as CVE-2024-6387, can result in unauthenticated remote code execution (RCE) with root privileges. This vulnerability has been rated High severity (CVSS 8.1). #### Impacted Versions The vulnerability impacts the following OpenSSH server versions: - OpenSSH versions between 8.5p1 and 9.8p1 - OpenSSH versions earlier than 4.4p1, if they have not been backport-patched against CVE-2006-5051 or patched against CVE-2008-4109 #### Unaffected Versions The SSH features in PAN-OS are not affected by CVE-2024-6387. ### The playbook includes the following tasks: Collect, Extract and Enrich Indicators Collect known indicators from Unit42 blog Threat Hunting Searches vulnerable endpoints using Prisma Cloud and Cortex XDR - XQL queries Mitigations: OpenSSH official CVE-2024-6387 patch Unit42 recommended mitigations This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the CVE-2024-6387 - OpenSSH RegreSSHion RCE playbook and Rapid Breach Response incident type. Reference: Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability . Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
CVE-2025-31324 - SAP NetWeaver Visual Composer	CVE-2025-31324 is a critical zero-day vulnerability affecting the Metadata Uploader component of SAP NetWeaver Visual Composer. The vulnerability arises from missing authorization checks, allowing unauthenticated attackers to upload malicious executable binaries. Exploitation of this flaw can lead to full remote code execution (RCE) on affected systems, posing a significant risk to confidentiality, integrity, and availability. ## CVE-2025-31324 - SAP NetWeaver RCE Vulnerability ## Vulnerability Overview - Component Affected: SAP NetWeaver Visual Composer Metadata Uploader - Endpoint: `/developmentserver/metadatauploader` - CVE ID: CVE-2025-31324 - CVSS Score: 10.0 (Critical) - Exploitability: Unauthenticated remote attackers can exploit this without user interaction This flaw allows unauthenticated attackers to upload arbitrary files (e.g., JSP web shells), enabling remote code execution with the same privileges as the SAP application server process. Source: Unit42 - Palo Alto Networks ## Mitigation and Recommendations - Apply Patch: SAP Note #3594142 (released April 24, 2025) - Disable Visual Composer if not in use - Restrict Access to the vulnerable endpoint - Monitor for IoCs in `/irj/servlet_jsp/irj/root/` and suspicious traffic ## Conclusion CVE-2025-31324 is actively exploited and is critically severe. Organizations should patch immediately, monitor for compromise, and disable or restrict vulnerable components. View official CVE details on NIST ## Playbook Triggers - Manually - "CVE Exploitation - 986328356" Agent rule ## Playbook Flow 1. Using XQL, identify potential SAP NetWeaver instances in your environment. 2. Using XQL, check if there are events that point to any potential webshells downloaded in the directories. 3. Directory enumeration to identify if there are already any suspicious files that might indicate a webshell. 4. Collect IOCs from a Unit42 blog, search them using the "Threat Hunting - Generic" playbook (supports Palo Alto networks products, Qradar, and Splunk), and block those indicators using the "Containment Plan - Block Indicators" playbook. 5. Provides Mitigation recommendations.
CyberArk - Brute Force_Investigation	This playbook investigates a “Brute Force” incident by gathering user and IP information and performs remediation based on the information gathered and received from the user. Used Sub-playbooks: Enrichment for Verdict Block IP - Generic v3 * Block Account - Generic v2 If you wish to link this playbook to the relevant alerts automatically, we recommend using the following filters when configuring the playbook triggers: Alert Source = Correlation AND Alert Name = CyberArk Failed Logins
CyberBlindspot Incident Management	This playbook runs the incidents through indicator enrichment, then based on the mirroring settings, it can communicate with the remote server to assist the user in the next course of action (Whether it be closing the incident, initiating the takedown of an online asset or simply waiting for a process on the remote server to end) to take on the incident if any.
CyberBlindspot Incident Management V2	This playbook runs the incidents through indicator enrichment, then based on the mirroring settings, it can communicate with the remote server to assist the user in the next course of action (Whether it be closing the incident, initiating the takedown of an online asset or simply waiting for a process on the remote server to end) to take on the incident if any.
CyberBlindspot Incident Management V3	This playbook runs the incidents through indicator enrichment, then based on the mirroring settings, it can communicate with the remote server to assist the user in the next course of action (Whether it be closing the incident, initiating the takedown of an online asset or simply waiting for a process on the remote server to end) to take on the incident if any.
CyberBlindspot Retrieve Incident Screenshots	This playbook retrieves screenshot evidence from the CyberBlindspot API and adds it to the incident.
Cybereason - Download Close File	This playbook aborts a file download operation which is in progress based on the Malop ID and username provided.
Cybereason - Download File	This playbook downloads a file from Cybereason platform, based on the Malop ID and username provided.
Cyberpion Domain State	Allows analyst to get basic information about the domain
CyberTotal Auto Enrichment - CyCraft	This playbook automatically enriches indicators (including IPs, URLs, domains; MD5, SHA-1, and SHA-256 file hashes). Playbook input: the indicators you want to enrich. Playbook output: detection engine results, positive detections, detection ratios; as well as severity, confidence, and threat scores.
CyberTotal Whois - CyCraft	This playbook is used to automatically retrieve Whois information regarding IPs, URLs and domains. Playbook input: IPs, URLs, domains. Playbook output: Whois lookup information.
Cyble Intel Alert	This is a playbook which will handle the alerts coming from the Cyble Events service
Cyble Vision Alert V2
Cyren Inbox Security Default	Processes Cyren Incidents, sets resolutions, and applies remediations to end-user mailboxes.
D2 - Endpoint data collection	Uses Demisto's d2 agent to collect data from an endpoint for IR purposes. Input: Hostname (default: ${Endpoint.Hostname}) OS (default: windows) Credentials (default: Admin) Path (default: None)
Darkfeed - malware download from feed	Set this playbook as an automated job in order to automatically download malware from new Darkfeed IOCs and run them through the "Darkfeed IOC detonation and proactive blocking" playbook
Darkfeed IOC detonation and proactive blocking	Download malicious files from a Darkfeed IOC, detonate them in automated sandboxes, and extract and block any additional indicators and files.
Darkfeed Threat hunting-research	Automatically discover and enrich indicators with the same actor and source as the triggering IOC. Search for and isolate any compromised endpoints and proactively block IOCs from entering your network.
Darktrace ASM Basic Risk Handler	Runs a common ASM Risk workflow for fetched ASM Risk alerts.
Darktrace Basic AI Analyst Event Handler	Runs a common AI Analyst workflow for fetched AI Analyst events.
Darktrace Basic Model Breach Handler	Runs a common Model Breach workflow for fetched Model breach alerts.
Darktrace Email Basic Email Handler	Runs a common Email workflow for fetch Darktrace Email incidents.
Darktrace Email Update Incident Fields	Update all incident fields that may change over time.
DataBee Enrichment
DBot Create Phishing Classifier	Deprecated. Use "DBot Create Phishing Classifier V2" playbook instead. Create a phishing classifier using machine learning technique, based on email content
DBot Create Phishing Classifier Job	Deprecated. Use "DBot Create Phishing Classifier V2" playbook instead. Train the phishing machine learning model. This playbook should be used as job, to run repeatedly, for example every week.
DBot Create Phishing Classifier V2	Create a phishing classifier using machine learning techniques, based on email content.
DBot Create Phishing Classifier V2 Job	Train the phishing machine learning model. This playbook should be used as job, to run repeatedly, for example every week.
DBot Indicator Enrichment - Generic	Get indicators internal Dbot score
DeCYFIR - v1	DeCYFIR API's provides External Threat Landscape Management insights.
Dedup - Generic	Deprecated. Use "Dedup - Generic v2" playbook instead. This playbook identifies duplicate incidents using one of the supported methods.
Dedup - Generic v2	Deprecated. Use the Dedup Generic v3 playbook instead. This playbook identifies duplicate incidents using one of the supported methods.
Dedup - Generic v3	Deprecated. Use the `Dedup - Generic v4` playbook instead. This playbook identifies duplicate incidents using one of the supported methods. Select one of the following methods to identify duplicate incidents in Cortex XSOAR. - ml: Machine learning model, which is trained mostly on phishing incidents. -rules: Rules help identify duplicate incidents when the logic is well defined, for example, the same label or custom fields. -text: Statistics algorithm that compares text, which is generally useful for phishing incidents. For each method, the playbook will search for the oldest similar incident. when there is a match for a similar incident the playbook will close the current incident and will link it to the older incident.
Dedup - Generic v4	This playbook identifies duplicate incidents using the Cortex XSOAR machine learning method (script). In this playbook, you can choose fields and/or indicators to be compared against other incidents in the Cortex XSOAR database. Note: To identify similar incidents you must properly define the playbook inputs.
DeDup incidents	Deprecated. Check for duplicate incidents for the current incident, and close it if any duplicate has found.
DeDup incidents - ML	Deprecated. Check for duplicate incidents for the current incident, and close it if any duplicate has been found by machine-learning find duplicates automation.
DeepL Translate Document
Default	This playbook executes when no other playbook is associated with an incident. It enriches indicators in an incident using one or more integrations.
Delete Custom Content	This playbook deletes custom content from the system. It deletes Playbooks, Scripts, Layouts, Classifiers, Mappers, Incident Types and Incident Fields.
Demisto Self-Defense - Account policy monitoring playbook	Deprecated. Get list of Demisto users through the REST API, and alert if any non-SAML user accounts are found.
Departing Employee Auto-Add	Queries stand-down tickets from a ticketing system and passes relevant employee data to the Add Employees to Departing Employee Watchlist playbook. Intended to be run as a scheduled job.
Departing Employee Clean-Up	Queries the Departing Employee watchlist in Code42 Incydr and passes relevant employee data to the Remove Employees from Departing Employee Watchlist playbook. Intended to be run as a scheduled job.
Detect & Manage Phishing Campaigns	This playbook is used to find, create and manage phishing campaigns. When a number of similar phishing incidents exist in the system, the playbook can be used to do the following: 1. Find and link related incidents to the same phishing attack (a phishing campaign). 2. Search for an existing Phishing Campaign incident, or create a new incident for the linked Phishing incidents. 3. Link all detected phishing incidents to the Phishing Campaign incident that was found or that was created previously. 4. Update the Phishing Campaign incident with the latest data about the campaign, and update all related phishing incidents to indicate that they are part of the campaign.
Detonate and Analyze File - Generic	This playbook uploads, detonates, and analyzes files for supported sandboxes. Currently supported sandboxes are Falcon Intelligence Sandbox, JoeSecurity, and Wildfire.
Detonate and Analyze File - JoeSecurity	Deprecated. Use the joe-submit-sample command instead.
Detonate File - ANYRUN	Detonates one or more files using the ANYRUN sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. All file types are supported.
Detonate File - BitDam	Detonates one or more files using BitDam integration. Returns verdict to the War Room and file reputations to the context data. Supported file types are mainly PDF & microsoft office software/
Detonate File - CrowdStrike Falcon Intelligence Sandbox	Deprecated. Use Detonate File - CrowdStrike Falcon Intelligence Sandbox v2 instead.
Detonate File - CrowdStrike Falcon Intelligence Sandbox v2	Detonates a file using CrowdStrike Falcon Intelligence Sandbox. Accepted file formats: Portable executables: .exe, .scr, .pif, .dll, .com, .cpl, etc. Office documents: .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub PDF APK Executable JAR Windows script component: .sct Windows shortcut: .lnk Windows help: .chm HTML application: .hta Windows script file: .wsf Javascript: .js Visual Basic: .vbs, .vbe Shockwave Flash: .swf Perl: .pl Powershell: .ps1, .psd1, .psm1 Scalable vector graphics: .svg Python: .py Linux ELF executables Email files: MIME RFC 822 .eml, Outlook .msg.
Detonate file - CrowdStrike Falcon Sandbox v2	Detonates a File using CrowdStrike Falcon sandbox.
Detonate File - Cuckoo	Detonating file with Cuckoo
Detonate File - FireEye AX	Detonate one or more files using the FireEye AX integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types - PE32, EXE, DLL, JAR, JS, PDF, DOC, DOCX, RTF, XLS, PPT, PPTX, XML, ZIP, VBN, SEP, XZ, GZ, BZ2, TAR, MHTML, SWF, LNK, URL, MSI, JTD, JTT, JTDC, JTTC, HWP, HWT, HWPX, BAT, HTA, PS1, VBS, WSF, JSE, VBE, CHM, JPG, JPEG, GIF, PNG, XLSX
Detonate File - FireEye Detection on Demand	Detonate one or more files using the FireEye Detection on Demand integration. This playbook returns relevant reports to the War Room and file reputations to the context data.
Detonate File - Generic	Detonate files through one or more active integrations that support file detonation. Supported integrations: - SecneurX Analysis - ANY.RUN - McAfee Advanced Threat Defense - WildFire - Lastline - Cuckoo Sandbox - Cisco Secure Malware Analytics (ThreatGrid) - JoeSecurity - CrowdStrike Falcon Sandbox - FireEye AX - VMRay Analyzer - Polygon - CrowdStrike Falcon Intelligence Sandbox - OPSWAT Filescan.
Detonate File - Group-IB TDS Polygon	Detonate file using Group-IB THF Polygon integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types: 7z, ace, ar, arj, bat, bz2, cab, chm, cmd, com, cpgz, cpl, csv, dat, doc, docm, docx, dot, dotm, dotx, eml, exe, gz, gzip, hta, htm, html, iqy, iso, jar, js, jse, lnk, lz, lzma, lzo, lzh, mcl, mht, msg, msi, msp, odp, ods, odt, ots, ott, pdf, pif, potm, potx, pps, ppsm, ppsx, ppt, pptm, pptx, ps1, pub, py, pyc, r, rar, reg, rtf, scr, settingcontent-ms, stc, svg, sxc, sxw, tar, taz, .tb2, .tbz, .tbz2, tgz, tlz, txz, tzo, txt, url, uue, vbe, vbs, wsf, xar, xls, xlsb, xlsm, xlsx, xml, xz, z, zip.
Detonate File - HybridAnalysis	Deprecated. Use cs-falcon-sandbox-submit-sample with polling=true instead.
Detonate File - JoeSecurity	Deprecated. Use the joe-submit-sample command instead.
Detonate File - JoeSecurity V2	The Detonate File using Joe Sandbox Process is designed to streamline and enhance the security assessment of files. This automated system accepts a user-submitted file, sends it for in-depth analysis using Joe Sandbox technology, and returns comprehensive results as attachments to the user. The process is designed to be swift, efficient, and secure, providing users with valuable insights into potential threats and vulnerabilities within their files.
Detonate File - Lastline	Detonates a File using the Lastline sandbox. Lastline supports the following File Types: EXE, SYS, DLL, COM, SCR, CPL, OCX, CGI, DOC, DOTM, DOCX, DOTX, XLS, PPAM, XSLX, PPS, XLSB, PPSX, XLSM, PPSM, PPT, PPTX, PPTM, RTF, SHS, XLTM, SLDM, XLTX, SLDX, XLAM, THMX, DOCM, XAR, JTD, JTDC, PDF, SWF, GZ, 7Z, TGZ, MSI, ZIP, LZH, CAB, LZMA, APK, JAR, CLASS, JPEG, PNG, GIF, CMD, ACE, BAT, ARJ, VBS, CHM, XML, LNK, URL, MOF, HTM, OCX, HTML, POTM, EML, POTX, MSG, PS, |VB, REG, VBA, WSC, VBE, WSF, VBS, WSH
Detonate File - Lastline v2	Detonates a File using the Lastline sandbox. Lastline supports the following File Types: EXE, SYS, DLL, COM, SCR, CPL, OCX, CGI, DOC, DOTM, DOCX, DOTX, XLS, PPAM, XSLX, PPS, XLSB, PPSX, XLSM, PPSM, PPT, PPTX, PPTM, RTF, SHS, XLTM, SLDM, XLTX, SLDX, XLAM, THMX, DOCM, XAR, JTD, JTDC, PDF, SWF, GZ, 7Z, TGZ, MSI, ZIP, LZH, CAB, LZMA, APK, JAR, CLASS, JPEG, PNG, GIF, CMD, ACE, BAT, ARJ, VBS, CHM, XML, LNK, URL, MOF, HTM, OCX, HTML, POTM, EML, POTX, MSG, PS, |VB, REG, VBA, WSC, VBE, WSF, VBS, WSH
Detonate File - ReversingLabs A1000	Upload sample to ReversingLabs A1000 appliance and automatically retrieve full & classification reports. Calculate final classification.
Detonate File - ReversingLabs TitaniumScale	Upload sample to ReversingLabs TitaniumScale instance and retrieve the analysis report.
Detonate File - SecneurX Analysis	Detonates a file using the SecneurX Analysis Integration. Returns relevant reports to the War Room and file reputations to the context data.
Detonate File - SNDBOX	Deprecated. No available replacement.
Detonate File - ThreatGrid	Deprecated. Use Detonate File - ThreatGrid v2 instead.
Detonate File - ThreatGrid v2	Detonate one or more files using the ThreatGrid integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types - EXE, DLL, JAR, JS, PDF, DOC, DOCX, RTF, XLS, PPT, PPTX, XML, ZIP, VBN, SEP, XZ, GZ, BZ2, TAR, MHTML, SWF, LNK, URL, MSI, JTD, JTT, JTDC, JTTC, HWP, HWT, HWPX, BAT, HTA, PS1, VBS, WSF, JSE, VBE, CHM
Detonate File - ThreatStream	Detonate one or more files using the Anomali ThreatStream v2 integration. This playbook returns relevant reports to the War Room, and file reputations to the context data.
Detonate File - VirusTotal (API v3)	Detonate a file through VirusTotal (API v3)
Detonate File - VMRay	Detonates a file with VMRay.
Detonate File From URL - ANYRUN	Detonates one or more remote files using the ANYRUN sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. This type of analysis works only for direct download links.
Detonate File From URL - JoeSecurity	Deprecated. Use the joe-submit-sample command instead.
Detonate File From URL - WildFire	Deprecated. Use Detonate File From URL - WildFire v2 instead.
Detonate File From URL - WildFire v2	Detonate one or more files using the Wildfire v2 integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types - APK, JAR, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, XML, PE32, PDF, DMG, PKG, RAR, 7Z.
Detonate Private File - VirusTotal Private Scanning	Detonate a private file through VirusTotal Private Scanning service
Detonate Remote File from URL - McAfee ATD	Detonates a File from a URL using the McAfee Advanced Threat Defense sandbox integration.
Detonate URL - ANYRUN	Detonates one or more URLs using the ANYRUN sandbox integration. Returns relevant reports to the War Room and url reputations to the context data.
Detonate URL - CrowdStrike	Deprecated. Use the cs-falcon-sandbox-submit-url command with polling=true instead.
Detonate URL - CrowdStrike Falcon Intelligence Sandbox	Deprecated. Use Detonate URL - CrowdStrike Falcon Intelligence Sandbox v2 instead.
Detonate URL - CrowdStrike Falcon Intelligence Sandbox v2	Detonate one or more URL's using the CrowdStrike Falcon Intelligence Sandbox integration. This playbook returns relevant reports to the War Room and file reputations to the context data.
Detonate URL - Cuckoo	Detonating URL with Cuckoo
Detonate URL - FireEye AX	Detonating URL with FireEye AX.
Detonate URL - Generic	Deprecated. Use Detonate URL - Generic v1.5 playbook instead. Detonate URL through active integrations that support URL detonation.
Detonate URL - Generic v1.5	Detonate URL through one or more active integrations that support URL detonation. Supported integrations: - SecneurX Analysis - ANY.RUN - McAfee Advanced Threat Defense - WildFire - Lastline - Cuckoo Sandbox - Cisco Secure Malware Analytics (ThreatGrid) - JoeSecurity - CrowdStrike Falcon Sandbox - FireEye AX - VMRay Analyzer - Polygon - CrowdStrike Falcon Intelligence Sandbox - OPSWAT Filescan - ANYRUN - VirusTotal - Anomali ThreatStream - Hatching Triage - ThreatGrid
Detonate URL - Group-IB TDS Polygon	Detonate URL using Group-IB THF Polygon integration.
Detonate URL - Hatching Triage	Detonating URL with Hatching Triage.
Detonate URL - Hybrid Analysis	Deprecated. Use cs-falcon-sandbox-submit-url with polling=true instead.
Detonate URL - JoeSecurity	Deprecated. Use the joe-submit-url command instead.
Detonate URL - Lastline	Detonates a URL using the Lastline sandbox integration.
Detonate URL - Lastline v2	Detonates a URL using the Lastline sandbox integration.
Detonate URL - McAfee ATD	Detonates a URL using the McAfee Advanced Threat Defense sandbox integration.
Detonate URL - Phish.AI	Deprecated. Vendor has declared end of life for this product. No available replacement.
Detonate URL - SecneurX Analysis	Detonates a URL using the SecneurX Analysis integration. Returns relevant reports to the War Room and file reputations to the context data.
Detonate URL - ThreatGrid	Deprecated. Use Detonate URL - ThreatGrid v2 instead.
Detonate URL - ThreatGrid v2	Detonate one or more URLs using the ThreatGrid integration.
Detonate URL - ThreatStream	Detonates one or more URLs using the Anomali ThreatStream sandbox integration. Returns relevant reports to the War Room and URL reputations to the context data.
Detonate URL - VirusTotal (API v3)	Detonate URL through VirusTotal (API v3) integration.
Detonate URL - VMRay	Detonates a URL using the VMRay sandbox integration.
Detonate URL - WildFire v2.1	Deprecated. Use Detonate URL - WildFire v2.2 instead.
Detonate URL - WildFire v2.2	Detonate a webpage or remote file using the WildFire v2 integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types: APK, JAR, DOC, DOCX, RTF, OOXLS, XLSX, PPT, PPTX, XML, PE32, PDF, DMG, PKG, RAR, 7Z, JS.
Detonate URL - WildFire-v2	Deprecated. Use Detonate URL - WildFire v2.2 instead.
Digital Defense FrontlineVM - Old Vulnerabilities Found	This will query Frontline.Cloud's active view for any critical level vulnerabilities found to be older than 90 days.
Digital Defense FrontlineVM - PAN-OS block assets	This playbook will pull Panorama queried threat logs and check for any correlating assets that are found to have a minimum of high level vulnerabilities. If so, it will block the the IP using Panorama's PAN-OS - Block IP and URL - External Dynamic List playbook.
Digital Defense FrontlineVM - Scan Asset Not Recently Scanned	This playbook will pull the IP address from the details value of an incident and check if that asset has been scanned within the past 60 days. If not then it will prompt to perform a scan on the asset.
Digital Guardian Demo Playbook	This playbook will show how to handle an exfiltration event through Digital Guardian by emailing a user's manager and adding the user to a DG Watchlist.
Digital Shadows - CVE_IoC Assessment & Enrichment	Enrichment of CVE IOC types - sub-playbook for IOC Assessment & Enrichment playbook.
Digital Shadows - Domain Alert Intelligence (Automated)	Deprecated. No available replacement playbook
Digital Shadows - Domain_IoC Assessment & Enrichment	Enrichment of Domain IOC types - sub-playbook for IOC Assessment & Enrichment playbook.
Digital Shadows - IoC Assessment & Enrichment	Enrich indicators by providing intelligence and more associated indicators based on confirmed reporting in Digital Shadows SearchLight.
Digital Shadows - IP_IoC Assessment & Enrichment	Enrichment of IP IOC types - sub-playbook for IOC Assessment & Enrichment playbook.
Digital Shadows - MD5_IoC Assessment & Enrichment	Enrichment of MD5 IOC types - sub-playbook for IOC Assessment & Enrichment playbook.
Digital Shadows - SHA1_IoC Assessment & Enrichment	Enrichment of SHA1 IOC types - sub-playbook for IOC Assessment & Enrichment playbook.
Digital Shadows - SHA256_IoC Assessment & Enrichment	Enrichment of SHA256 IOC types - sub-playbook for IOC Assessment & Enrichment playbook.
Digital Shadows - URL_IoC Assessment & Enrichment	Enrichment of URL IOC types - sub-playbook for IOC Assessment & Enrichment playbook.
Dispatch Incident - Vectra Detect	This playbook is called from the Process Incident - Vectra Detect playbook. It will fetch all active detections for the entity under investigation. It will then assign the entity to a user; if an assignment already exists, it will update that assignment and add a note in Vectra.
Dispatch Incident - Vectra XDR	This playbook is called from the Process Incident - Vectra XDR playbook. It will fetch all active detections for the entity under investigation. It will then assign the entity to a user; if an assignment already exists, it will update that assignment and add a note in Vectra.
DLP - Get Approval	Get an approver response for an exemption request from a user.
DLP - Get User Feedback	Get the user feedback on a blocked file, whether it is false or true positive and if an exemption is needed.
DLP - Get User Feedback via Email	Get the user feedback via email on a blocked file, whether it is false or true positive and if an exemption is needed.
DLP - User Message App Check	Check if the given message app exists and is configured and retrieve the user details from it.
DLP Incident Feedback Loop	This playbook handles Palo Alto Networks Enterprise DLP incidents. It Collects feedback from the user about blocked activities and automates the approval process, if required. Supported communication methods are Slack, Microsoft Teams and Email.
Domain Enrichment - Generic	Deprecated. Use "Domain Enrichment - Generic v2" playbook instead. Enrich Domain using one or more integrations. Domain enrichment includes: Domain reputation Threat information
Domain Enrichment - Generic v2	Enrich domains using one or more integrations. Domain enrichment includes: Threat information Domain reputation using !domain command
Domain Enrichment - RST Threat Feed	Enrich domains using RST Threat Feed integration
DomainTools Associate Indicator to Incident	This playbook calls the AssociateIndicatorsToIncident Script to Associate an Indicator to its the current incident created. Checks for additionalindicators in the customFields of an incident.
DomainTools Auto Pivots	This playbook retrieves the Iris Investigate profile of domain and automatically identifies potential connected infrastructure related to artifacts based on DomainTools Guided Pivot value.
DomainTools Check Domain Risk Score By Iris Tags	This playbook will alert a user if a monitored set of domains, labeled by Iris Investigate tags, becomes high risk. To use it, tag domains in the Iris Investigate UI. Enter a comma-separated list of tags to monitor to the playbook input "dt_monitored_iris_tags" and run this playbook on a scheduled basis. It will add any new high risk domains (based on the threshold defined in this playbook) as indicators on the associated incident.
DomainTools Check New Domains by Iris Hash	This playbook helps monitor for new domains matching given infrastructure parameters (registrar, DNS, SSL certs, etc.). Start with a search in the Iris Investigate UI. Add an advanced search filter for "First Seen", "Within", "the last day" (for example) to your search. Run the search, then click "Import/Export Search" to view the Search Hash. Copy that into this playbook trigger. Every time this playbook runs, it will pull the new indicators matching the search and add them to the current incident
DomainTools Iris Risk Score	This playbook retrieves the Domain Risk Score of the given domain and check if the risk score is over the threshold and throws an Alert for the Analyst to manually review the domain indicator.
DropBox - Massive scale operations on files	This playbook investigates “Massive File Alterations” and “DropBox - Massive File Downloads” alerts by gathering user and IP information and performing remediation based on the information gathered and received from the user. Used Sub-playbooks: Enrichment for Verdict Block Indicators - Generic v3 Block IP - Generic v3 Block Account - Generic v2 If you wish to link this playbook to the relevant alerts automatically, we recommend using the following filters when configuring the playbook triggers: Alert Source = Correlation Alert Name = DropBox - Massive File Alterations, DropBox - Massive File Downloads
Druva-Ransomware-Response	Use Druva-Ransomware-Response to stop the spread of ransomware and avoid reinfection or contamination spread.
DSAR Inventa Handler	Handling DSAR requests
DSPM Jira Ticket Creation	This playbook automates the process of creating and managing Jira issues for DSPM-related risks detected in XSOAR incidents. It creates a Jira ticket with risk details, checks for errors, updates incident details, and sends a Slack notification with ticket information. This streamlines risk tracking and notification.
DSPM Multi-Cloud Risk Remediation	The playbook ensures efficient incident resolution and compliance with security policies by guiding the user through decision points based on incident type, such as empty storage assets or assets open to the world. It concludes by updating the incident status and closing the playbook upon resolution.
DSPM notify user in case of error	The DSPM Notify User in Case of Error playbook is designed to handle errors in DSPM incidents by notifying users and managing Slack notifications.
DSPM Re-run incident	The "DSPM Re-run Incident" playbook is designed to automatically re-run DSPM incidents. It starts by executing the RerunDSPMIncidents task, which reinitiates the incidents for further investigation or processing. After completing this task, the playbook proceeds to close the current incident using the closeInvestigation script. This playbook ensures that DSPM incidents can be efficiently retried and closed upon completion.
DSPM Remediation for Empty storage asset	This playbook is designed to remediate risks associated with empty storage assets across AWS, Azure, and GCP environments. It identifies the cloud provider for the asset and proceeds to delete the storage container or bucket accordingly. Additionally, it sends notifications via Slack to inform stakeholders about the status of the remediation process.
DSPM Remediation for Sensitive asset open to world	The DSPM Remediation playbook for Sensitive Asset Open to World is designed to handle incidents where sensitive assets are exposed to the public, with specific focus on remediating this vulnerability across several cloud providers(for example AWS).
DSPM Send Slack Notification to User	"Send Slack Notification to User" playbook is designed to notify a user via Slack and handle their response. It begins by sending a Slack notification to a specified email using the SlackBlockBuilder script. Afterward, it waits for the user's response until a predefined time, as configured in Prisma Cloud DSPM. Once the response is received, it is inserted into the incident's context. If there is an error in generating the Slack block, the incident is added for a re-run. Finally, the playbook extracts the user's response from the Slack block state for further processing.
DSPM Valid User Response	The DSPM Valid User Response playbook is designed to assess and manage user responses to DSPM-identified risks. It checks the user’s selected action (e.g., creating a Jira ticket or remediating specific risk types) and initiates the appropriate remediation or notification workflows. If no user response is received, the playbook logs the incident for future action, ensuring comprehensive tracking and response handling for DSPM incidents.
EDL Monitor- Email EDL content	You can use the playbook (or a cloned copy) with a job to check the EDL on a schedule.
Email Address Enrichment - Generic	Deprecated. Use "Email Address Enrichment - Generic v2.1" playbook instead. Get email address reputation using one or more integrations
Email Address Enrichment - Generic v2	Deprecated. Use "Email Address Enrichment - Generic v2.1" playbook instead. Enrich email addresses. Email address enrichment involves: - Getting information from Active Directory for internal addresses - Getting the domain-squatting reputation for external addresses
Email Address Enrichment - Generic v2.1	Enrich email addresses. - Get information from Active Directory for internal addresses - Get the domain-squatting reputation for external addresses - Email address reputation using !email command.
Email Headers Check - Generic	This playbook executes one sub-playbook and one automation to check the email headers: - Process Microsoft's Anti-Spam Headers - This playbook stores the SCL, BCL and PCL scores if they exist to the relevant incident fields (Phishing SCL Score, Phishing PCL Score, Phishing BCL Score). - CheckEmailAuthenticity - This automation checks email authenticity based on its SPF, DMARC, and DKIM.
Employee Offboarding - Delegate	This playbook delegates user resources and permissions as part of the IT - Employee Offboarding playbook.
Employee Offboarding - Gather User Information	This playbook gathers user information as part of the IT - Employee Offboarding playbook.
Employee Offboarding - Retain & Delete	This playbook playbook performs retention and deletion of user information as part of the IT - Employee Offboarding playbook.
Employee Offboarding - Revoke Permissions	This playbook revokes user permissions as part of the IT - Employee Offboarding playbook.
Employee Status Survey	Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve. Manages a crisis event where employees have to work remotely due to a pandemic, issues with the workplace or similar situations. Sends a questionnaire to all direct reports under a given manager. The questionnaire asks the employees for their health status and whether they need any help. The data is saved as employee indicators in Cortex XSOAR, while IT and HR incidents are created to provide assistance to employees who requested it. The questionnaire expires after 24 hours by default, and during that time the responses are processed every 5 minutes. These settings can be edited via the task that sends the questionnaire and the loop settings of the Continuously Process Survey Responses playbook, respectively.
Endace Search Archive and Download	Deprecated. No available replacement. This playbook uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager and enables integration of full historical packet capture into security automation workflows.
Endace Search Archive Download PCAP	Deprecated. This playbook has been deprecated. Use Endace Search Archive Download\ \ PCAP v2 instead. This playbook uses Endace APIs to search, archive and download\ \ PCAP file from either a single EndaceProbe or many via the InvestigationManager.\ \ The workflow accepts inputs like “the date and time of the incident or a\ \ timeframe”, “source or destination IP address of the incident”, “source or destination\ \ IP port of the incident”, “protocol of the incident” and name of archive file.\ \ \nThe Workflow in this playbook - \n1. Finds the packet history related to the\ \ search items. Multiple Search Items in an argument field are OR'd. Search Items\ \ between multiple arguments are AND'd. \n2. A successful Search is followed by\ \ an auto archival process of matching packets on EndaceProbe which can be accessed\ \ from an investigation link on the Evidence Board and/or War Room board that can\ \ be used to start forensic analysis of the packets history on EndaceProbe.\n3.\ \ Finally Download the archived PCAP file to XSOAR system provided the file size\ \ is less than a user defined threshold say 10MB. Files greater than 10MB can be\ \ accessed or analyzed on EndaceProbe via \"Download PCAP link\" or \"Endace PivotToVision\ \ link\" displayed on Evidence Board.\n
Endace Search Archive Download PCAP v2	This playbook uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager. The workflow accepts inputs like “the date and time of the incident or a timeframe”, “source or destination IP address of the incident”, “source or destination IP port of the incident”, “protocol of the incident” and name of archive file. Required Inputs - Either timeframe or start and timeframe or end and timeframe or start and end fields. Either src_host_list or dest_host_list or ip fields. Either src_port_list or dest_port_list or port fields. archive_filename field is required delete_archive field is required download_threshold field is required The Workflow in this playbook : 1. Finds the packet history related to the search items. Multiple Search Items in an argument field are OR'd. Search Items between multiple arguments are AND'd. 2. A successful Search is followed by an auto archival process of matching packets on EndaceProbe which can be accessed from an investigation link on the Evidence Board and/or War Room board that can be used to start forensic analysis of the packets history on EndaceProbe. 3. Finally Download the archived PCAP file to XSOAR system provided the file size is less than a user defined threshold say 10MB. Files greater than this threshold can be accessed or analyzed on EndaceProbe via "Download PCAP link" or "Endace PivotToVision link" displayed on Evidence Board.
Endpoint data collection	Deprecated. Generic playbook to collect data from endpoints for IR purposes. Will use whichever integrations are configured and available.
Endpoint Enrichment - Cylance Protect v2	Enriches endpoints using the Cylance Protect v2 integration.
Endpoint Enrichment - Generic	Deprecated. Use "Endpoint Enrichment - Generic v2.1" playbook instead. Enrich an Endpoint Hostname using one or more integrations
Endpoint Enrichment - Generic v2	Deprecated. Use "Endpoint Enrichment - Generic v2.1" playbook instead. Enrich an endpoint by hostname using one or more integrations. Currently, the following integrations are supported: - Active Directory - McAfee ePolicy Orchestrator - Carbon Black Enterprise Response - Cylance Protect - CrowdStrike Falcon Host
Endpoint Enrichment - Generic v2.1	Enrich an endpoint by hostname using one or more integrations. Supported integrations: - Active Directory Query v2 - McAfee ePolicy Orchestrator - Carbon Black Enterprise Response v2 - Cylance Protect v2 - CrowdStrike Falcon Host - ExtraHop Reveal(x) - Endpoint reputation using !endpoint command
Endpoint Enrichment By EntityId - XM Cyber	Enrich an endpoint by entityId using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Endpoint Enrichment By Hostname - XM Cyber	Enrich an endpoint by hostname using XM Cyber integration. Outputs include affected assets, affected entities, complexity of compromise, and more
Endpoint Enrichment By IP - XM Cyber	Enrich IP addresses using XM Cyber integration. - Resolve IP address to entity - Get entity information for IP addresses regarding impact on critical assets and complexity of compromise
Endpoint initiated uncommon remote scheduled task creation	This playbook handles "Uncommon remote scheduled task creation" alert, which is generated on the source host that created the remote scheduled task. Playbook Stages: Analysis: - The playbook verifies whether the causality process is signed and prevalent. If the process is not signed and not prevalent, it proceeds with remediation actions; otherwise, it continues investigating the alert. Investigation: During the alert investigation, the playbook will perform the following: - Searches for related Cortex XSIAM alerts on the endpoint that use the following MITRE techniques to identify malicious activity: T1202 - Indirect Command Execution, T1021 - Remote Services. - Searches for related Cortex XSIAM agent alerts on the remote endpoint, to determine if the creation of the scheduled task is part of an attack pattern. - Searches for suspicious command-line parameters indicating a malicious scheduled task. Remediation: - Automatically disable the malicious scheduled task on the remote host. - Automatically terminate the causality process. - Automatically close the alert.
Endpoint Investigation Plan	This playbook handles all the endpoint investigation actions by performing the following tasks on every alert associated with the incident: Pre-defined MITRE Tactics Host fields (Host ID) Attacker fields (Attacker IP, External host) MITRE techniques * File hash (currently, the playbook supports only SHA256) Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.
Endpoint Malware Investigation - Generic	Deprecated. Use 'Malware Investigation & Response Incident handler' instead. (From the 'Malware Investigation And Response Pack') This playbook is triggered by a malware incident from an 'Endpoint' type integration. The playbook performs enrichment, detonation, and hunting within the organization, and remediation on the malware. Used sub-playbooks: - Endpoint Enrichment - Generic v2.1 - Retrieve File from Endpoint - Generic - Detonate File - Generic - File Enrichment - Generic v2 - Calculate Severity - Generic v2 - Isolate Endpoint - Generic - Block Indicators - Generic v2
Endpoint Malware Investigation - Generic V2	Deprecated. Use 'Malware Investigation & Response Incident handler' instead. (From the 'Malware Investigation And Response Pack') This playbook provides a framework for handling malware investigation through all essential steps. The playbook consists of 7 stages. Each stage contains the relevant playbook or tasks. This playbook auto extracts indicators from incidents using indicator extraction rules of the malware incident type. To use Illusive integration in the `Forensics - Generic` playbook, note that you will be able to set the forensic timeline by editing the `Forensics - Generic` playbook inputs.
Enrich DXL with ATD verdict	Deprecated. Use "Enrich DXL with ATD verdict v2" playbook instead. Example of using McAfee ATD and pushing any malicious verdicts over DXL. Detonates a file in ATD and if malicious - push its MD5, SHA1 and SHA256 hashes to McAfee DXL.
Enrich DXL with ATD verdict v2	Uses McAfee ATD to push any malicious verdicts over DXL. Detonates a file in ATD and if malicious, pushes its MD5, SHA1 and SHA256 hashes to McAfee DXL.
Enrich Incident With Asset Details - RiskIQ Digital Footprint	Enriches the incident with asset details, and enriches the asset with the incident URL on the RiskIQ Digital Footprint platform. This playbook also sends an email containing the owner's information to the primary or secondary contact of the asset and provides the user with an opportunity to update or remove the asset. Supported integration: - RiskIQ Digital Footprint
Enrich McAfee DXL using 3rd party sandbox	Deprecated. Use "Enrich McAfee DXL using 3rd party sandbox v2" playbook instead. Example of bridging DXL to a third party sandbox. Detonate a file in Wildfire and if malicious - push its MD5, SHA1 and SHA256 hashes to McAfee DXL.
Enrich McAfee DXL using 3rd party sandbox v2	Example of bridging DXL to a third party sandbox. Detonate a file in 3rd party sandbox and if malicious, push its MD5, SHA1 and SHA256 hashes to McAfee DXL.
Enrich ThinkstCanary Events	Enrich events that are received as part of a ThinkstCanary incident.
Enrichment for Verdict	This playbook checks prior alert closing reasons and performs enrichment and prevalence checks on different IOC types. It then returns the information needed to establish the alert's verdict.
Entity Enrichment - Generic	Deprecated. Use "Entity Enrichment - Generic v3" playbook instead. Enrich entities using one or more integrations
Entity Enrichment - Generic v2	Enrich entities using one or more integrations
Entity Enrichment - Generic v3	Enrich entities using one or more integrations.
Entity Enrichment - Generic v4	Enrich entities using one or more integrations.
Entity Enrichment - Phishing v2	Enrich entities using one or more integrations
Eradication Plan	This playbook handles all the eradication actions available with Cortex XSIAM, including the following sub-playbooks: Eradication Plan - Reset user password Eradication Plan - Delete file * Eradication Plan - Kill process (currently, the playbook supports terminating a process by name) Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details.
Eradication Plan - Delete File	This playbook is one of the sub-playbooks in the eradication plan. This playbook executes actions of file deletion, which is a crucial step in the eradication process.
Eradication Plan - Reset Password	This playbook is one of the sub-playbooks in the eradication plan. The playbook executes actions to reset the user's passwords, which is a crucial step in the eradication process.
Eradication Plan - Terminate Process	This playbook is one of the sub-playbooks in the eradication plan. This playbook handles the termination of the processes as a crucial step in the eradication action. The playbook executes actions of process termination, which is a crucial step in the eradication process. The process termination can be performed based on either the process ID or the process name.
Event Log Was Cleared	This playbook is designed to handle the following alerts: - Windows Event Log was cleared using wevtutil.exe - Security Event Log was cleared using wevtutil.exe - A Sensitive Windows Event Log was cleared using wevtutil.exe - Windows event logs were cleared with PowerShell - Suspicious clear or delete security provider event logs with PowerShell - Suspicious clear or delete default providers event logs with PowerShell - Windows event logs cleared using wmic.exe The playbook executes the following stages: Investigation: Check the following parameters to determine if remediation actions are needed: - Cortex XSIAM alerts related to the hostname by MITRE tactics indicating malicious activity. - Whether the CGO or the OSParent process is unsigned. - The prevalence of the OSParent process. Remediation: - Handles malicious alerts by terminating the relevant processes. - Handles non-malicious alerts identified during the investigation.
Example-Delinea-Folder Operations	Example for usage integration REST API Folder object for Delinea Secret Server.
Example-Delinea-Retrieved Username and Password	Example for usage integration REST API for Delinea Secret Server. Methods retrieved username and password form secret.
Example-Delinea-Secret Object Operations	Example for usage integration REST API Secret object for Delinea Secret Server.
Example-Delinea-User object operations	Example for usage integration REST API User object for Delinea Secret Server.
Excessive User Account Lockouts	This playbook addresses the following alerts: - Excessive user account lockouts - Excessive account lockouts on suspicious users - Excessive user account lockouts from a suspicious source The playbook investigates and responds to excessive user account lockout alerts. It gathers information about the alert, enriches relevant host data, and analyzes event patterns. This analysis helps distinguish between benign lockouts and lockouts caused by brute-force or password spray attacks. Playbook Stages: Triage: - The playbook enriches the alert with details about the lockout events. Investigation: - Analyzes the lockout event timestamps to detect patterns. - Checks for related medium severity brute-force alerts in the <-incident->. - Retrieves the Risk Score for the Caller Computer that caused the lockouts. Containment: - With analyst approval, the playbook can isolate the endpoint (either the Caller Computer or the target host) if it's determined to be a true positive and not a server. Requirements: - For response actions, the following integration is required: Core - IR.
Exchange 2016 Search and Delete	Run a compliance search in Exchange Server 2016, and delete the results.
Exchange forwarding rule configured	This playbook addresses the following alerts: - External Exchange inbox forwarding rule configured. - Suspicious Exchange inbox forwarding rule configured. - Suspicious Exchange email-hiding inbox rule. - Possible BEC Exchange email-hiding inbox rule. - Exchange email-hiding transport rule based on message keywords. - Suspicious Exchange email-hiding transport rule. - Exchange transport forwarding rule configured. - Suspicious Exchange transport forwarding rule configured. Playbook Stages: Triage: - The playbook retrieves the caller's IP, the forwarding email address, and the domain. Early Containment: - The playbook checks if the IP or domain of the forwarding email address is malicious. If so, it suggests blocking the IP using PAN-OS while continuing the investigation in parallel. Investigation: - The playbook checks for suspicious behaviors, including whether an Exchange admin created the rule outside of working hours, from unusual geolocation, or if the user who created the rule has a high-risk score. It then aggregates all evidence collected during the investigation. Containment: - Soft Response Actions: If at least two suspicious pieces of evidence are identified, the playbook will execute soft response actions. These actions include signing the user out and disabling the forwarding rule configured in the user's account mailbox. - Hard Response Actions: If more than two suspicious pieces of evidence are identified, the playbook escalates to hard response actions. These actions include disabling the user account upon analyst decision and removing the forwarding rule from the user's account mailbox. Requirements: For any response action, you need the following integrations: - EWS Extension Online Powershell v3 integration. - Azure Active Directory Users.
Exchange User Mailbox Forwarding	This playbook addresses the following alerts: - Exchange user mailbox forwarding. - Suspicious Exchange user mailbox forwarding. Playbook Stages: Triage: - Collect initial information about the internal user and the associated external forwarding address. Investigation: - Check IOCs Reputation: - Analyze the reputation of IP addresses, email addresses, and domains associated with the alert. - Get External Email Statistics: - Retrieve statistics of email interactions between the internal user and the external forwarding address over the last 2 days, including: - Number of emails sent to and received from the external address. - Number of users interacting with the external address. - Check if User is Risky: - Assess the internal user's risk score using: - Core Risk Evaluation: Identify high-risk users and extract reasons behind elevated risk levels. - Azure Risk Indicators: Retrieve Azure risk scores, detections, and recent security alerts for the internal user. - Check for Azure Alerts: - Perform an advanced hunting query in Microsoft 365 Defender to extract recent Azure alerts associated with the internal user. Containment: - Provide a manual task for an analyst to review the findings and determine the appropriate response. - Possible actions: - Disable the user in Azure AD to prevent further unauthorized actions. - Disable mailbox forwarding for the user in Exchange Online. - Disable both user and forwarding. - Take no action. - If the user is disabled, revoke active sessions to ensure immediate containment. Requirements: For the best results, it's recommended to ensure these integrations are configured and working: - `Cortex Core - Investigation and Response` for Core user risk evaluation. - `Azure Risky Users` for retrieving Azure-based user risk scores and detections. - `Microsoft 365 Defender` for advanced hunting queries and extracting Azure alerts. - `Microsoft Graph User` for disabling user accounts and revoking active sessions. - `Exchange Online EWS` for disabling mailbox forwarding. - `Security And Compliance V2` for fetching email interaction statistics.
Execution of an uncommon process at an early startup stage	This playbook is designed to handle the following alerts: - Execution of an uncommon process at an early startup stage with suspicious characteristics. - Execution of an uncommon process with a local/domain user SID at an early startup stage with suspicious characteristics. Playbook Stages: Analysis: - Checks the process's reputation. Investigation: - Searches for related Cortex XSIAM alerts to identify potential attack patterns with persistence mechanisms. - Checks for any suspicious parameters in the command line (if the command line risk score is medium or higher). - Checks the Action process prevalence. Verdict: If the playbook detects that the Action process is globally prevalent and the other conditions in the investigation stage do not match, it closes the alert as a False Positive. If the playbook detects that any of the following conditions are met: - The process reputation is malicious. - Related alerts were found. - The command line risk score is medium or higher. The playbook proceeds with remediation actions. Otherwise, it presents the investigation data to the analyst for decision-making on the appropriate action. Remediation: - Terminate the malicious process. - Quarantine the malicious process. (Requires analyst approval.) - Add the malicious process hash to the block list. (Requires analyst approval.) - Automatically close the alert.
Expanse Attribution	Deprecated. No available replacement. Subplaybook for Handle Expanse Incident playbooks. Given an Expanse Issue IP, Issue Provider, Issue Domain, Issue Port and Issue Protocol hunts for internal activity related to the detected service. The playbook looks for logs on Splunk, Cortex Data Lake, Panorama, and ServiceNow CMDB. Returns a list of potential owner BUs, owner Users, Device and Notes.
Expanse Behavior Severity Update	Deprecated. Use Xpanse Incident Handling - Generic instead.
Expanse Enrich Cloud Assets	Deprecated. No available replacement. Subplaybook for Handle Expanse Incident playbooks. This Playbook is meant to be used as a subplaybook to enrich Public Cloud Assets (i.e. IP addresses and FQDNs) by: - Searching the corresponding Region and Service by correlating the provided IPs with IP range feeds retrieved from Public Cloud Providers (require TIM and Public Cloud feeds such as AWS Feed integrations to be enabled). - Searching IPs and FQDNs in Prisma Cloud inventory (requires Prisma Cloud).
Expanse Find Cloud IP Address Region and Service	Deprecated. No available replacement. > Sub-playbook for Expanse Enrich Cloud Assets sub-playbook. This playbook is used to find the corresponding Public Cloud Region (i.e. AWS us-east-1) and Service (i.e. AWS EC2) for a provided IP Address. It works by correlating the provided IP address with the IP Range Indicators (CIDRs) that can be collected from Public Cloud feeds (i.e. AWS Feed) in XSOAR. CIDR Indicators must be tagged properly using the corresponding tags (i.e. AWS for AWS Feed): tags can be configured in the Feed Integrations and must match the ones provided in the inputs of this playbook. Correlation is done based on the longest match (i.e. smaller CIDR such as /20 range wins over a bigger one such as /16).
Expanse Load-Create List	Deprecated. No available replacement. Sub-playbook to support Expanse Handle Incident playbook. Loads a list to be used in the Expanse playbook. Creates the list if it does not exist.
Expanse Unmanaged Cloud	Deprecated. No available replacement. Subplaybook for bringing rogue cloud accounts under management.
Expanse VM Enrich	Deprecated. No available replacement. This Playbook is used to verify that all assets found by Expanse are being scanned by a vulnerability management tool by: - Searching the IP and / or domain of the identified Expanse asset in the vulnerability management tool This playbook expects an incident with an IP or a Domain to exist in the context.
Export Single Alert to ServiceNow - PANW IoT 3rd Party Integration	This playbook handles incidents triggered in the PANW IoT (Zingbox) UI by sending the alert to ServiceNow.
Export Single Asset to SIEM - PANW IoT 3rd Party Integration	This playbook handles incidents triggered in the PANW IoT (Zingbox) UI by sending the alert to your SIEM.
Export Single Vulnerability to ServiceNow - PANW IoT 3rd Party Integration	This playbook to handles incidents triggered in the PANW IoT (Zingbox) UI by sending the vulnerability to ServiceNow.
External Login Password Spray	This playbook is designed to handle the following alerts: - External Login Password Spray - Successful External Login Password Spray - External Login Password Spray on a Domain Controller - External Login Password Spray Involving a Honey User - Successful External Login Password Spray on a Domain Controller - Successful External Login Password Spray on a sensitive server The playbook is designed to investigate and respond to external login password sprays. It enriches the external IP to enable early containment, retrieves event information, and determines how the attack was carried out and whether it was successful. Playbook Stages: Early Containment: - With analyst approval, the playbook will block the malicious external IP address involved in the password spray attack, limiting the attacker's ability to continue their actions. Investigation: - The playbook analyzes the timestamps of the login attempts to detect patterns, checks whether any logons were successful, and retrieves the Risk Score for users who successfully logged in as part of the attack. Containment: - Based on the user’s risk level, the playbook will expire the user’s password to prevent further unauthorized access and terminate any active RDP sessions for the affected user. Requirements: - For response actions, the following integrations are required: Active Directory (AD), PAN-OS, Core - IR.
Extract and Create Relationships	Extract and enrich indicators
Extract and Enrich Expanse Indicators	Deprecated. No available replacement. Subplaybook for Handle Expanse Incident playbooks. Extract and Enrich Indicators (CIDRs, IPs, Certificates, Domains and DomainGlobs) from Expanse Incidents. Enrichment is performed via enrichIndicators command and generic playbooks. Returns the enriched indicators.
Extract Indicators - Generic	Deprecated. We recommend using extractIndicators command instead. Extract indicators from input data.
Extract Indicators From File - Generic	Deprecated. Use the "Extract Indicators From File - Generic v2" playbook instead.\ \ Extracts indicators from a file. Supported file types: - PDF - TXT - HTM, HTML - DOC, DOCX
Extract Indicators From File - Generic v2	This playbook extracts indicators from a file. Supported file types: - CSV - PDF - TXT - HTM, HTML - DOC, DOCX - PPT - PPTX - RTF - XLS - XLSX - XML - XLSM - DOCM - PPTM - DOTM - XLSB - DOT - PPSM - PNG - JPG/JPEG - GIF (when Image OCR is enabled). In addition, the playbook supports QR codes. The playbook does not support encrypted / password-protected files such as XLSB. Such files will be skipped.
ExtraHop - CVE-2019-0708 (BlueKeep)	This server received a Remote Desktop Protocol (RDP) connection request that is consistent with a known vulnerability, also known as BlueKeep, in older versions of Microsoft Windows. This vulnerability allows an unauthenticated attacker to remotely run arbitrary code on an RDP server. The attacker can then tamper with data or install malware that could propagate to other Windows devices across the network. Investigate to determine if this server is hosting a version affected by CVE-2019-0708: Windows 7, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. MITIGATION OPTIONS - Disable Remote Desktop Services if they are not required - Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2 - Configure firewalls to block traffic on TCP port 3389
ExtraHop - Default	Default playbook to run for all ExtraHop Detection incidents. This playbook handles ticket tracking as well as triggering specific playbooks based on the name of the ExtraHop Detection.
ExtraHop - Get Peers by Host	Given a host, the playbook will retrieve the peer network devices that communicated with that host in a given time range. In addition to a list of peers and protocols (sorted by bytes) the playbook returns a link to the ExtraHop Live Activity Map to visualize the peer relationships.
ExtraHop - Ticket Tracking	Deprecated. Use the "ExtraHop - Ticket Tracking v2" playbook instead.\ \ Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes.
ExtraHop - Ticket Tracking v2	Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes.
Failed Login Playbook - Slack v2	Deprecated. Use the Slack - General Failed Logins v2.1 playbook. When there are three failed login attempts to Demisto that originate from the same user ID, a direct message is sent to the user on Slack requesting that they confirm the activity. If the reply is "no", then the incident severity is set to "high". If the reply is "yes", then another direct message is sent to the user asking if they require a password reset in AD.
Fetch All Violations - Securonix	Gets a list of violations with pagination using queryId parameter.
Fetch Violations - Securonix	Gets a list of violation data.
Field Polling - Generic	This playbook polls a field to check if a specific value exists.
Fighting Ursa Luring Targets With Car For Sale	A Russian threat actor we track as Fighting Ursa advertised a car for sale as a lure to distribute HeadLace backdoor malware. The campaign likely targeted diplomats and began as early as March 2024. Fighting Ursa (aka APT28, Fancy Bear and Sofacy) has been associated with Russian military intelligence and classified as an advanced persistent threat (APT). Diplomatic-car-for-sale phishing lure themes have been used by Russian threat actors for years. These lures tend to resonate with diplomats and get targets to click on the malicious content. Unit 42 has previously observed other threat groups using this tactic. For example, in 2023, a different Russian threat group, Cloaked Ursa, repurposed an advertisement for a BMW for sale to target diplomatic missions within Ukraine. This campaign is not directly connected to the Fighting Ursa campaign described here. However, the similarity in tactics points to known behaviors of Fighting Ursa. The Fighting Ursa group is known for repurposing successful tactics – even continuously exploiting known vulnerabilities for 20 months after their cover was already blown. The details of the March 2024 campaign, which we attribute to Fighting Ursa with a medium to high level of confidence, indicate the group targeted diplomats and relied on public and free services to host various stages of the attack. This article examines the infection chain from the attack. Palo Alto Networks customers are better protected from the threats discussed in this article through our Network Security solutions, such as Advanced WildFire and Advanced URL Filtering, as well as our Cortex line of products. If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
File Analysis - ReversingLabs A1000	Upload sample to ReversingLabs A1000 appliance and automatically retrieve full & classification reports. Calculate final classification.
File Enrichment - File reputation	Get file reputation using one or more integrations
File Enrichment - Generic	Deprecated. Use "File Enrichment - Generic v2" playbook instead. Enrich a file using one or more integrations. File enrichment includes: File history Threat information * File reputation
File Enrichment - Generic v2	Enrich a file using one or more integrations. - Provide threat information - Determine file reputation using the !file command
File Enrichment - RST Threat Feed	Enrich File hashes using RST Threat Feed integrations
File Enrichment - Virus Total (API v3)	Get file information using the Virus Total API integration.
File Enrichment - Virus Total Private API	Deprecated. Use the "File Enrichment - Virus Total v3" playbook instead.
File Enrichment - VMRay	Get file information using the VMRay integration.
File Reputation	This playbook checks the file reputation and sets the verdict as a new context key. The verdict is composed by 3 main components: VirusTotal detection rate Digital certificate signers * NSRL DB Note: a user can provide a list of trusted signers of his own using the playbook inputs
File Reputation - ReversingLabs TitaniumCloud	Provides file reputation data for a file (malicious, suspicious, known good or unknown). Required TitaniumCloud API rights: TCA-0101
FireEye ETP - Indicators Hunting	This playbook queries FireEye Email Threat Prevention (ETP) for indicators such as domains, IP addresses, sender and recipient email addresses. Separate searches are conducted for each type of indicator in the playbook. Note that multiple search values should be separated by commas only (without spaces or any special characters).
FireEye Helix Archive Search	Create an archive search in FireEye Helix, and fetch the results as events.
FireEye HX - Execution Flow Indicators Hunting	This playbook queries FireEye Endpoint Security (HX) for execution flow indicators, including processes name, registry keys, registry values, and applications. Note that multiple search values should be separated by commas only (without spaces or any special characters).
FireEye HX - File Indicators Hunting	This playbook queries FireEye Endpoint Security (HX) for file indicators, including MD5 hashes, SHA256 hashes, SHA1 hashes, file names, file paths, and file types. Note that multiple search values should be separated by commas only (without spaces or any special characters).
FireEye HX - Indicators Hunting	This playbook facilitates threat hunting and detection of IOCs within FireEye Endpoint Security (HX) utilizing three sub-playbooks. The sub-playbooks query FireEye HX for different indicators including files, traffic, and execution flow indicators. Note that multiple search values should be separated by commas only (without spaces or any special characters). Supported IOCs for this playbook: - MD5 - SHA1 - SHA256 - IP Address - URLDomain - Registry Value - Registry Key - File Name - Process Name - Port Number - File Path - FileType
FireEye HX - Isolate Endpoint	This playbook will auto isolate endpoints by the endpoint ID that was provided in the playbook.
FireEye HX - Traffic Indicators Hunting	This playbook queries FireEye Endpoint Security (HX) for traffic indicators, including IP addresses, URLs, domains, and ports. Note that multiple search values should be separated by commas only (without spaces or any special characters).
FireEye HX - Unisolate Endpoint	This playbook unisolates endpoints according to the hostname/endpoint ID that is provided by the playbook input.
FireEye Red Team Tools Investigation and Response	This playbook does the following: Collect indicators to aid in your threat hunting process. - Retrieve IOCs of FireEye red team tools. - Discover IOCs of associated activity related to the infection. - Generate an indicator list to block indicators with SUNBURST tags. Hunt for the indicators - Search endpoints with the FireEye red team tools CVEs. - Search endpoint logs for FireEye red team tools hashes. - Search and link previous incidents with the FireEye hashes. If compromised hosts are found, fire off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.
FireMon Create Policy Planner Ticket	Creates a new Policy Planner Ticket for PolicyPlanner in FMOS box.
FireMon Pre Change Assessment	Validates and Return Pre Changes Assessment on Rules added as Requirement.
First Azure AD PowerShell operation for a user	This playbook addresses the following alert: - First Azure AD PowerShell operation for a user Playbook Stages: Triage: - Gather initial information about the user. - Check IP Reputation. - Check the User Agent. Investigation: - Check for Azure Alerts: - Extract recent Azure security alerts for the user. - Check if User is Risky: - Assess the user's risk score based on Core and Azure risk indicators. - Investigate reasons behind any identified risks, including recent detections. - Investigate user data: - Check the user creation date to asses if the user is new. - Check the role of the user. Containment: - The playbook checks if soft remediation is needed, if yes, it will check if the integration "Microsoft Graph User" is enabled, the playbook will revoke the sessions of the user. - The playbook checks if hard remediation is needed, if yes, a manual task will be displayed for an analyst to review the findings and decide the next steps. - Possible actions: - Disable the user. - Take no action. Requirements: For the best results, it's recommended to ensure these integrations are configured and working: - `Cortex Core - Investigation and Response` for Core user risk evaluation. - `Azure Risky Users` for retrieving user risk scores. - `Microsoft 365 Defender` for advanced hunting queries and Azure security alerts. - `Microsoft Graph User` is used to disable user and revoke session.
Forensics Tools Analysis	This playbook allows the user to analyze forensic evidence acquired from a host, such as registry files and PCAP files.
FortiSandbox - Loop for Job Submissions	Playbook used to retrieve job id for submissions of fortisandbox using. Deprecated. Use `fortisandbox-submission-file-upload` instead. the submission id.
FortiSandbox - Loop For Job Verdict	Playbook used to retrieve the verdict for a specific job id for a sample. Deprecated. Use `fortisandbox-submission-file-upload` instead. submitted to FortiSandbox
FortiSandbox - Upload Multiple Files	Playbook used to upload files to FortiSandbox. Deprecated. Use `fortisandbox-submission-file-upload` instead.
Function Deployment - AWS	This playbook automates the deployment of an AWS Lambda function to manage resources within an Amazon EKS cluster. It ensures that all necessary configurations are created, updated, and verified. ### Setup - Describe EKS Cluster: Gather essential details of the EKS cluster. - Create IAM Role: Set up a new IAM role for the Lambda function. - Create and Attach Policy: Define and attach a policy to the IAM role to grant necessary permissions. ### Authentication Mode Check - Verify Authentication Mode: Ensure the current authentication mode allows API access. - If not: Update the cluster authentication mode to permit API access. ### Access Entry Configuration - Create Access Entry: Establish a new access entry in the EKS cluster. - Associate Access Policy: Link the access policy with the created access entry. - Update Access Entry: Apply the latest configurations to the access entry. ### VPC and Security Group Setup - Describe VPCs: Identify the appropriate VPC for the Lambda function. - Create Security Group: Define a security group to manage Lambda function traffic. - Set Ingress Rules: Configure ingress rules for the security group. ### VPC Endpoint Creation - Create VPC Endpoint for eks-auth: Establish a VPC endpoint for EKS authentication. - Check for Errors: Verify if there are any errors during the creation of the VPC endpoint. - If errors: Handle and log them. - Verify VPC Endpoint Existence: Ensure the VPC endpoint already exists. - If exists: Proceed with the next steps. ### Lambda Function Deployment - Download Kubernetes Library: Fetch the necessary Kubernetes library. - Publish AWS Lambda Layer: Publish a new layer version for the AWS Lambda function. - Create Lambda Code: Develop the Lambda function code. - Zip Lambda Code: Compress the Lambda function code for deployment. - Create AWS Lambda Function: Deploy the Lambda function using the zipped code. ### Resolution - Final Verification: Ensure all operations have been successfully completed. - Completion: Confirm the deployment process is finished, ensuring robust management of EKS authentication through AWS Lambda. This playbook provides a comprehensive, automated approach to deploying an AWS Lambda function for managing resources within an EKS cluster, efficiently handling all configurations and potential errors. ### Required Integration #### AWS IAM (Identity and Access Management) - AWS IAM API Documentation - Cortex XSOAR AWS IAM Integration #### AWS EC2 (Elastic Compute Cloud) - AWS EC2 API Documentation - Cortex XSOAR AWS EC2 Integration #### AWS EKS (Elastic Kubernetes Service) - AWS EKS API Documentation - Cortex XSOAR AWS EKS Integration #### AWS Lambda - AWS Lambda API Documentation - Cortex XSOAR AWS Lambda Integration.
Function Removal - AWS	This playbook automates the removal of an AWS Lambda function and its associated resources used for managing resources within an Amazon EKS cluster. It ensures all related roles, policies, and security configurations are properly detached and deleted. ### Resource Detachment and Deletion - Get the Lambda Role: Retrieve the IAM role associated with the Lambda function. - Detach Policy from Lambda Role: Remove the policy attached to the Lambda role. - Delete IAM Role: Delete the IAM role that was used for the Lambda function. - Delete Lambda Policy: Remove the policy specifically created for the Lambda function. - Delete Security Group: Delete the security group that was managing the Lambda function's traffic. ### Access Entry Check - Check if Access Entry was Created: Verify if the access entry for the EKS cluster was created. - If YES: Proceed to delete additional resources. - If NO: Skip the deletion of additional resources. ### Additional Resource Deletion - Delete Kubernetes Layer: Remove the Kubernetes layer that was used by the Lambda function. - Delete Lambda Function: Delete the Lambda function itself, ensuring all related code and configurations are removed. ### Resolution - Final Cleanup: Ensure all specified resources have been deleted successfully. - Completion: Confirm that the removal process is complete, providing a clean environment free from the previously deployed Lambda function and its configurations. This playbook provides a comprehensive, automated approach to removing an AWS Lambda function and its related resources, ensuring all configurations and dependencies are properly managed and deleted. ### Required Integration #### AWS IAM (Identity and Access Management) - AWS IAM API Documentation - Cortex XSOAR AWS IAM Integration #### AWS EC2 (Elastic Compute Cloud) - AWS EC2 API Documentation - Cortex XSOAR AWS EC2 Integration #### AWS Lambda - AWS Lambda API Documentation - Cortex XSOAR AWS Lambda Integration.
GCP - Enrichment	Given the IP address this playbook enriches GCP and Firewall information.
GCP - Firewall Remediation	This playbook adds new firewall rules with access only from private ip address range and blocks traffic that's exposed to public internet. For example, if RDP is exposed to the entire world, this playbook adds new firewall rules that only allows traffic from private ip address and blocks rest of the RDP traffic.
GCP - User Investigation	This playbook performs an investigation on a specific user in GCP environments, using queries and logs from G Suite Auditor, and GCP Logging to locate the following activities performed by the user: - Failed login attempt - Suspicious API usage by the user - Anomalous network traffic by the user - Unusual and suspicious login attempt - User's password leaked
GDPR Breach Notification	This playbook triggers by a GDPR breach incident, and then performs the required tasks that are detailed in GDPR Article 33. The General Data Protection Regulation (the GDPR) is a regulation in EU law on data protection and privacy of individuals. The GDPR introduces the requirement for a personal data breach to be notified to the competent national supervisory authority and in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach. ***Disclaimer: This playbook does not ensure compliance to the GDPR regulation. Before using this playbook, we advise consulting with the relevant authority, and adjusting it to the organization's needs.
Gem Handle Alert for Root Usage	Find all the users who might’ve performed the actions using root (via the source IP), validate it with them using Slack and resolve the alert in case these actions were planned.
Gem Handle ec2	Gem playbook to handle an alert involving an ec2 instance.
Gem Validate triggering event	Get the triggering events of a Gem Alert and send a validation Slack message to the dev team. The response will be added to the Gem Timeline.
GenericPolling	Use this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete. This playbook implements polling by continuously running the command in Step #2 until the operation completes. The remote action should have the following structure: 1. Initiate the operation. 2. Poll to check if the operation completed. 3. (optional) Get the results of the operation. NOTE: This playbook should be run only when the playbook's context is using the "Private to sub-playbook" option.
GenericPolling-FortiSIEM	This playbook executes a search query to retrieve FortiSIEM Events.
Get Cloud Account Owner - Generic	Retrieves the owners of a cloud account based on account ID. Current supported platforms: - GCP - Prisma Cloud.
Get Code42 Employee Information	Receives usernames from a Code42 Incydr alert and queries Active Directory for employee and supervisor information, if applicable.
Get Email From Email Gateway - FireEye	This playbook retrieves a specified EML/MSG file directly from FireEye Email Security or Central Management.
Get Email From Email Gateway - Generic	This playbook retrieves a specified EML/MSG file directly from the email security gateway product.
Get Email From Email Gateway - Mimecast	This playbook retrieves a specified EML/MSG file directly from Mimecast.
Get Email From Email Gateway - Proofpoint Protection Server	This playbook retrieves a specified EML/MSG file directly from the Proofpoint Protection Server.
Get endpoint details - Generic	Deprecated. Use the `Endpoint Enrichment - Generic v2.1` playbook instead. This playbook uses the generic command !endpoint to retrieve details on a specific endpoint. This command currently supports the following integrations: - Palo Alto Networks Cortex XDR - Investigation and Response. - CrowdStrike Falcon.
Get entity alerts by MITRE tactics	This playbook searches XDR alerts related to specific entities, on a given timeframe, based on MITRE tactics. Note: The playbook's inputs enable manipulating the execution flow. Read the input descriptions for details.
Get File Sample - Generic	Retrieves files from endpoints by the file hash or the file path.
Get File Sample By Hash - Carbon Black Enterprise Response	Returns to the war-room a file sample correlating to MD5 hashes in the input using Carbon Black Enterprise Response integration
Get File Sample By Hash - Cylance Protect	Deprecated. Use "Get File Sample By Hash - Cylance Protect v2" playbook instead.
Get File Sample By Hash - Cylance Protect v2	This playbook returns a file sample to the War Room given the file's SHA256 hash, using Cylance Protect v2 integration.
Get File Sample By Hash - Generic	Deprecated. Use "Get File Sample By Hash - Generic v2" playbook instead. Returns to the war-room a file sample correlating from a hash using one or more products
Get File Sample By Hash - Generic v2	Deprecated. Use `Get File Sample By Hash - Generic v3` instead. This playbook returns a file sample correlating to a hash in the war-room using the following sub-playbooks: - Get File Sample By Hash - Carbon Black Enterprise Response - Get File Sample By Hash - Cylance Protect v2
Get File Sample By Hash - Generic v3	This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks: - Get binary file by MD5 hash from Carbon Black telemetry data - VMware Carbon Black EDR v2. - Get the threat (file) associated with a specific SHA256 hash - Cylance Protect v2. - Get the file associated with a specific MD5 or SHA256 hash - Code42.
Get File Sample From Path - Carbon Black Enterprise Response	Returns a file sample to the war-room from a path on an endpoint using Carbon Black Enterprise Response
Get File Sample From Path - D2	Returns a file sample to the war-room from a path on an endpoint using Demisto Dissolvable Agent (D2) Input: Credentials - credentials to use when trying to deploy Demisto Dissolvable Agent (D2) (default: Admin) ${Endpoint.Hostname} - deploy agent on target endpoint * ${File.Path} - file's path to collect
Get File Sample From Path - Generic	Deprecated. Use `Get File Sample From Path - Generic V3` instead. Returns a file sample to the war-room from a path on an endpoint using one or more integrations inputs: * UseD2 - if "True", use Demisto Dissolvable Agent (D2) to return the file (default: False)
Get File Sample From Path - Generic V2	Deprecated. Use `Get File Sample From Path - Generic V3` instead. This playbook returns a file sample correlating to a path into the War Room using the following sub-playbooks: inputs: 1) Get File Sample From Path - D2. 2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).
Get File Sample From Path - Generic V3	This playbook returns a file sample from a specified path and host that you input in the following playbooks: - PS Remote Get File Sample From Path - Get File Sample From Path - VMware Carbon Black EDR (Live Response API) - CrowdStrike Falcon - Retrieve File - MDE - Retrieve File - Cortex XDR - Retrieve File V2
Get File Sample From Path - VMware Carbon Black EDR - Live Response API	This playbook retrieves a file from a path on an endpoint using VMware Carbon Black EDR (Live Response API). Make sure to provide the Carbon Black sensor ID of the endpoint from which you want to retrieve the file.
Get host forensics - Generic	This playbook retrieves forensics from hosts for the following integrations: - Illusive Networks - Microsoft Defender For Endpoint.
Get Original Email - EWS	This playbook retrieves the original email in a thread, including headers and attachments, when the reporting user forwarded the original email not as an attachment. Note: You must have the necessary eDiscovery permissions in the EWS integration to execute a global search.
Get Original Email - EWS v2	This v2 playbook retrieves the original email in a thread as an EML file (and not an email object as in the previous version) by using the EWS v2 or EWSO365 integration. It also reduces the number of tasks to perform the fetch action. Note: You must have the necessary eDiscovery permissions in the EWS integration to execute a global search.
Get Original Email - Generic	Deprecated. Use the "Get Original Email - Generic v2" playbook under the "Phishing" pack instead.
Get Original Email - Generic v2	This v2 playbook is used inside the phishing flow. The inputs in this version do not use labels and also allow the user to supply an email brand. Note: You must have the necessary permissions in your email service to execute a global search. To retrieve the email files directly from the email service providers, use one of the provided inputs (Agari Phishing Defense customers should also use the following): - EWS: eDiscovery - Gmail: Google Apps Domain-Wide Delegation of Authority - MSGraph: As described in the message-get API and the user-list-messages API - EmailSecurityGateway retrieves EML files from: FireEye EX FireEye CM Proofpoint Protection Server Mimecast
Get Original Email - Gmail	Deprecated. Use GetOriginal_Email-_Gmail_v2 instead. Use this playbook to retrieve the original email in the thread, including headers and attahcments, when the reporting user forwarded the original email not as an attachment. You must have the necessary permissions in your Gmail service to execute global search: Google Apps Domain-Wide Delegation of Authority
Get Original Email - Gmail v2	This v2 playbook uses the reporter's email headers to retrieve the original email. This decreases the number of tasks to retrieve the original email. Use this playbook to retrieve the original email using the Gmail integration, including headers and attachments. Note: You must have the necessary Google Apps Domain-Wide Delegation of Authority permissions in your Gmail service to execute global search.
Get Original Email - Microsoft Graph Mail	This playbook retrieves the original email using the Microsoft Graph Mail integration. Note: You must have the necessary permissions in the Microsoft Graph Mail integration as described in the message-get API and the user-list-messages API
Get prevalence for IOCs	The playbook queries the analytics module to receive the prevalence of an IOC. Supported IOC: - Process by SHA256 - Process by file name - IP - Domain - CMD - Registry (require key and value)
Get RaDark Detailed Items	Enriches RaDark incident with detailed items.
Get the binary file from Carbon Black by its MD5 hash	This playbook retrieves a binary file by its MD5 hash from the Carbon Black telemetry data.
Get User Devices - Generic	This playbook retrieves information on all of the associated user devices. In order to get a generic output, the following information on all of the retrieved devices will be saved under the `UserDevices` context key: - Name - Serial Number - ID - Model - MAC Address - OS - Integration Note that not all of the supported integrations will be able to retrieve this information. In order to get the full list of supported integrations, read the following sub-playbooks descriptions: - Get User Devices by Username - Generic - Get User Devices by Email Address - Generic
Get User Devices by Email Address - Generic	This playbook retrieves information on all of the associated user devices, based on the user email. In order to get a generic output, the following information on all of the retrieved devices will be saved under the `UserDevices` context key: - Name - Serial Number - ID - Model - MAC Address - OS - Integration Note that not all of the supported integrations will be able to retrieve this information. Supported integrations: - jamf v2 - Google Workspace (Gsuite) - ServiceNow v2 - Active Directory Query v2 - Microsoft Graph API (In order to get devices details, provide the permissions as mentioned here: https://learn.microsoft.com/en-us/graph/api/user-list-owneddevices?view=graph-rest-1.0&tabs=http )
Get User Devices by Username - Generic	This playbook retrieves information on all of the associated user devices, based on the user's username. In order to get a generic output, the following information on all of the retrieved devices will be saved under the `UserDevices` context key: - Name - Serial Number - ID - Model - MAC Address - OS - Integration Note that not all of the supported integrations will be able to retrieve this information. Supported integrations: - jamf v2 - Microsoft Defender for Endpoint - Cortex XDR IR - ServiceNow v2 - Google Workspace (Gsuite) - Active Directory Query v2.
Gitlab - Guest user permission change	This playbook investigates a "User Permissions Changed” alert by gathering user and IP information and performs remediation based on the information gathered and received from the user. To link this playbook to the relevant alerts automatically, we recommend using the following filters when configuring the playbook triggers: Alert Source = Correlation AND Alert Name = Gitlab - Permission change from guest to owner Used Sub-playbooks: Enrichment for Verdict Block IP - Generic v3 * Block Account - Generic v2
Google Dorking File Processing	This playbook processes files fetched by the Google Dorking integration. The SOC will track the file owner and classify the exposed data and users in order to contained the leaked data.
Google Vault - Display Results	This is a playbook for queuing and displaying vault search result
Google Vault - Search Drive	This is a playbook for performing Google Vault search in Drive accounts and display the results.
Google Vault - Search Groups	This is a playbook for performing Google Vault search in Groups and display the results.
Google Vault - Search Mail	This is a playbook for performing Google Vault search in Mail accounts and display the results.
GRACase	Playbook for fetching cases assosiated to high risk users.
HackerView Incident Management	This playbook runs the incidents through indicator enrichment, then based on the mirroring settings, it can communicate with the remote server to track the progress of the investigation.
HAFNIUM - Exchange 0-day exploits	This playbook includes the following tasks: Collect indicators to be used in your threat hunting process Retrieve IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities Discover IOCs related to the attack Query firewall logs to detect malicious network activity Search endpoint logs for malicious hashes to detect compromised hosts (Available from Cortex XSOAR 5.5.0). Block indicators Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. Read more about the attack on our Unit42 blog: https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/ Sources: https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Handle Darktrace Model Breach	Deprecated. Use Darktrace Basic Model Breach Handler and Darktrace Basic AI Analyst Event Handler instead.
Handle Expanse Incident	Deprecated. No available replacement. Main Playbook to Handle Expanse Incidents. There are several phases: 1. Enrichment: all the related information from the incident is extracted, and related indicators (IP, CIDR, Domain, DomainGlob, Certificate) are created and enriched. 2. Validation: the found IP and FQDN are correlated with the information available in other products: - Firewall logs from Strata Logging Service, Panorama, and Splunk. - User information from Active Directory. - Public IP address from AWS/GCP/Azure public IP feeds to identify the Public Cloud region and service (i.e., us-west-1 on AWS EC2). - IP and FQDN from Prisma Cloud inventory. 3. Shadow IT check: based on the information found, the playbook can suggest whether the discovered issue corresponds to an asset that is known to the InfoSec team (i.e., there are firewall logs present, or the asset is protected by Prisma Cloud, or is part of an IP range associated to the company). 4. Attribution: based on the information collected above, the analyst is prompted to assign this issue to an Organization Unit, which is a group within the company with a specific owner. The analyst can choose from existing Organization Units (stored in an XSOAR list) or define a new one. 5. Response: depending on the issue type, several remediation actions can be automatically and manually performed, such as: - Tagging the asset in Expanse with a specific Organization Unit tag. - Blocking the service on PAN-OS (if a firewall is deployed in front of the service). - Creating a new Shadow IT issue (if the asset is detected to be Shadow IT and the analyst confirms it) - Adding the service to a Vulnerability Management system - Linking the incident to a related Prisma Cloud alert for the asset (if the asset is found under Prisma Cloud inventory) - Bringing rogue cloud accounts under management
Handle Expanse Incident - Attribution Only	Deprecated. No available replacement. Shorter version of Handle Expanse Incident playbook with only the Attribution part. There are several phases: 1. Enrichment: all the related information from the incident is extracted and related Indicators (of types IP, CIDR, Domain, DomainGlob, Certificate) are created and enriched. 2. Validation: the found IP and FQDN are correlated with the information available in other products: - Firewall logs from Strata Logging Service, Panorama and Splunk - User information from Active Directory - Public IP address from AWS/GCP/Azure public IP feeds to identify the Public Cloud region and Service (i.e. us-west-1 on AWS EC2) - IP and FQDN from Prisma Cloud inventory 3. Shadow IT check: based on the information found, the playbook can suggest whether the discovered issue corresponds to an asset that is known to the InfoSec team (i.e. there are firewall logs present, or the asset is protected by Prisma Cloud, or is part of an IP range associated to the Company). 4. Attribution: based on the information collected above, the Analyst is prompted to assign this issue to an Organization Unit, that is a group within the Company with a specific owner. The Analyst can choose from existing Organization Units (stored in an XSOAR list) or define a new one.
Handle False Positive Alerts	This playbook handles false positive alerts. It creates an alert exclusion or alert exception, or adds a file to an allow list based on the alert fields and playbook inputs.
Handle Hello World Alert	This is a playbook which will handle the alerts coming from the Hello World service
Handle Shadow IT Incident	This Playbook is used to handle a Shadow IT incident. A Shadow IT incident occurs when a resource attributed to the organization that is not sanctioned by IT nor protected by the InfoSec team is found. This playbook handles the incident by helping the analyst to find the owner of the resource based on existing evidence. The playbook also marks the service indicators (IP or FQDN) with a Shadow IT tag. The possible owner and their manager are notified and onboarding of the asset on Prisma Cloud is triggered through a manual process.
Handle TD events	Playbook to enrich TD events
Health Check - Collect Log Bundle	Collect Log bundle and parse data.
Health Check - Log Analysis Read All files	Parse files from log bundle output.
HealthCheck	New version for HealthCheck main playbook.
HelloWorld Scan	Deprecated. No available replacement.
HIPAA - Breach Notification	USA Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers organizations that use, store, or process Private Health Information (PHI). The HIPAA Breach Notification Rule requires companies that deal with health information to disclose cybersecurity breaches; the disclosure will include notification to individuals, to the media, and the Secretary of Health and Human Services. This playbook is triggered by a HIPAA breach notification incident and follows through with the notification procedures. DISCLAIMER: Please consult with your legal team before implementing this playbook. ** Source: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Hostname And IP Address Investigation And Remediation - Chronicle	This playbook receives ChronicleAsset type of indicators from its parent playbook "ChronicleAsset Investigation - Chronicle", performs enrichment and investigation for each one of them, provides an opportunity to isolate and block the hostname or IP address associated with the current indicator, and provides a list of isolated and blocked entities.
Hoxhunt - Enrich Incident	Enriches the incidents pulled from Hoxhunt with additional information.
Humio QueryJob Poll	Run and poll a Humio Query Job
Hunt Extracted Hashes	Deprecated. Use the Hunt Extracted Hashes V2 playbook instead. This playbook extracts IOCs from the incident details and attached\ \ files using regular expressions and then hunts for hashes on endpoints in the organization\ \ using available tools.\nThe playbook supports multiple types of attachments. For\ \ the full supported attachments list, refer to \"Extract Indicators From\ \ File - Generic v2\".
Hunt Extracted Hashes V2	This playbook extracts IOCs from the incident details and attached files using regular expressions and then hunts for hashes on endpoints in the organization using available tools. The playbook supports multiple types of attachments. For the full supported attachments list, refer to "Extract Indicators From File - Generic v2".
Hunt for bad IOCs	Deprecated. Use the Search Endpoints By Hash playbook. Assume that malicious IOCs are in the right place in the context and start hunting using available tools.
Hunting C&C Communication Playbook	Deprecated. A playbook to use the latest Threat Intelligence to hunt across your infrastructure and look for malicious C&C communications.
Hurukai - Add indicators to HarfangLab EDR	This playbook add indicators to a HarfangLab EDR IOC source list for detection and/or blocking.
Hurukai - Alert management	Manager security events from HarfangLab EDR
Hurukai - Get All Artifacts	Build a global archive with: - MFT (Windows) - Hives (Windows) - USN logs (Windows) - Prefetch files (Windows) - EVT/EVTX files (Windows) - Log files (Linux) - Filesystem content (Linux)
Hurukai - Get Artifact Evtx	Get Evt/evtx log files
Hurukai - Get Artifact Filesystem	Get a CSV list of files in a Linux filesystem
Hurukai - Get Artifact Hives	Get the RAW hives
Hurukai - Get Artifact Logs	Get all the log files
Hurukai - Get Artifact MFT	Get the raw MFT
Hurukai - Get Artifact RAM Dump	Get a RAM dump from Windows and Linux endpoints.
Hurukai - Get Driver List	Get the list of loaded drivers
Hurukai - Get Network Connection List	Get the list of active network connections
Hurukai - Get Network Share List	Get the list of network shares
Hurukai - Get Persistence List	Get the list of persistence means
Hurukai - Get Pipe List	Get the list of named pipes
Hurukai - Get Prefetch List	Get the list of prefetch files
Hurukai - Get Process List	Get the list of processes
Hurukai - Get Runkey List	Get the list of RUN keys
Hurukai - Get Scheduled Task List	Get the list of scheduled tasks
Hurukai - Get Service List	Get the list of services
Hurukai - Get Session List	Get the list of active sessions
Hurukai - Get Startup List	Get the list of startup files
Hurukai - Get WMI List	Get the list of WMI items
Hurukai - Hunt IOCs	This playbook allows is triggered by the Hurukai - Process Indicators - Manual Review playbook. It allows to search for IOC sightings in the HarfangLab EDR and tag sighted IOCs accordingly for manual review. All IOCs are tagged in order to be further inserted into a HarfangLab EDR IOC source.
Hurukai - Process Indicators - Manual Review	This playbook tags indicators ingested by feeds that require manual approval. The playbook is triggered due to a job. The indicators are tagged as requiring a manual review. The playbook optionally concludes with creating a new incident that includes all of the indicators that the analyst must review. To enable the playbook, the indicator query needs to be configured. An example query is a list of the feeds whose ingested indicators should be manually reviewed. For example, sourceBrands:"Feed A" or sourceBrands:"Feed B".
Hybrid-analysis quick-scan	Deprecated. No available replacement.
Identity Analytics - Alert Handling	The `Identity Analytics - Alert Handling` playbook is designed to handle Identity Analytics alerts and executes the following: Analysis: - Enriches the IP and the account, providing additional context and information about these indicators. Verdict: - Determines the appropriate verdict based on the data collected from the enrichment phase. Investigation: - Checks for related XDR alerts to the user by Mitre tactics to identify malicious activity. - Checks for specific arguments for malicious usage from Okta using the 'Okta User Investigation' sub-playbook. - Checks for specific arguments for malicious usage from Azure using the 'Azure User Investigation' sub-playbook. Verdict Handling: - Handles malicious alerts by initiating appropriate response actions, including blocking malicious IP and revoking or clearing user's sessions. - Handles non-malicious alerts identified during the investigation.
Illinois - Breach Notification	This playbook helps an analyst determine if the breached data meets the criteria for breach notification according to Illinois law, and, if necessary, follows through with the notification procedures. DISCLAIMER: Please consult with your legal team before implementing this playbook. Source: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act. https://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf
Illusive - Data Enrichment	This playbook is used for automatic enrichment of incidents in the organization network, with Illusive's set of forensics and data
Illusive - Incident Escalation	This playbook is used for creating an automatic analysis of the Illusive's incident details, in order to end up with a certain score or a set of insights that will enable automatic decisions and actions.
Illusive-Collect-Forensics-On-Demand	This playbook is used to collect forensics on-demand on any compromised host and retrieve the forensics timeline upon successful collection.
Illusive-Retrieve-Incident	This playbook is used for retrieving an extensive view over a detected incident by retrieving the incident details and a forensics timeline if and when forensics have been successfully collected.
Impossible Traveler	This playbook investigates an event whereby a user has multiple application login attempts from various locations in a short time period (impossible traveler). The playbook gathers user, timestamp and IP information associated with the multiple application login attempts. The playbook then measures the time difference between the multiple login attempts and computes the distance between the two locations to verify whether it is possible the user could traverse the distance in the amount of time determined. Also, it takes steps to remediate the incident by blocking the offending IPs and disabling the user account, if chosen to do so.
Impossible Traveler - Enrichment	This playbook get as an input all of the involved IP addresses and identities from the Impossible Traveler playbook alert, and enriches them based on the following: Geo location Active Directory * IP enrichment e.g. VirusTotal, AbuseIPDB, etc.
Impossible Traveler Response	This playbook handles impossible traveler alerts. An Impossible Traveler event occurs when multiple login attempts seen for a user from multiple remote countries in a short period of time, which shouldn't be possible. This may indicate the account is compromised. Attacker's Goals: Gain user-account credentials. Investigative Actions: Investigate the IP addresses and identities involved in the detected activity using: Impossible Traveler - Enrichment playbook CalculateGeoDistance automation Response Actions The playbook's first response actions are based on the data available within the alert. In that phase, the playbook will execute: Manual block indicators if the IP address found malicious Manual disable user Manual clear of the user’s sessions (Okta) When the playbook continues, after validating the activity with the user’s manager, another phase of response actions is being executed, which includes: Auto block indicators External Resources: Impossible traveler alert
Incident Postprocessing - Group-IB Threat Intelligence & Attribution	Obtains additional information on the threat actor involved in the incident and associates related indicators to the incident.
Incremental Export Devices to ServiceNow - PANW IoT 3rd Party Integration	Playbook to be run every 15 minutes via a job. Each run will get incremental updates for devices to send to ServiceNow server.
Incremental Export to Cisco ISE - PANW IoT 3rd Party Integration	Playbook to be run every 15 minutes via a job. Each run will get incremental updates for devices, and will update or create new endpoints in Cisco ISE with PANW IOT discovered attributes (ISE custom attributes).
Incremental Export to SIEM - PANW IoT 3rd Party Integration	This playbook should be run as a job at an interval of every 15 minutes. Each run will get incremental updates for devices, alerts, and vulnerabilities and send CEF syslogs to the configured SIEM server.
Indicator Enrichment - Qintel	Enriches indicators from Qintel products
Indicator Pivoting - DomainTools Iris	Pivots are used to gather data that share a common attribute with a domain. For instance, pivoting on an IP Address will give you back all domains related to that IP address.
Indicator Registration Polling - Generic	This playbook polls all indicators to check if they exist.
Integration Troubleshooting	Troubleshoot a problem with either an integration's configuration or with running a command.
Integrations and Incidents Health Check - Running Scripts	This playbook is triggered by a 'JOB - Integrations and Playbooks Health' playbook and is responsible for running failed integrations and failed incidents scripts. The playbook may run separately from the main playbook to run health tests on enabled integrations and open incidents.
Intense SSO failures with suspicious characteristics	This playbook addresses the following alert: - Intense SSO failures with suspicious characteristics. Playbook Stages: Triage: - Collect additional alert data. - Retrieve IP reputation. - Analyze identity count and IP reputation: - If failures involve many users and the IP is not malicious, the alert is likely a false positive and will be closed automatically. Investigation: - Identify users with successful logins. - Check risk indicators for affected users. - Search for related alerts. - Analyze authentication patterns for automation. - Retrieve Azure and Core risk scores. - Extract security alerts linked to affected users. - Check for Suspicious Evidence, including: - Blocked sign-ins from a malicious IP. - Related security incidents and high-risk IP reputation. - Risk detections from Azure and Core. - Suspicious authentication targeting admin portals (e.g., Azure Portal, Exchange Admin, Microsoft 365 Admin). - The number of distinct identities involved. Containment: - Automatic Actions: - If strong indicators of compromise exist, clear active user sessions. - Analyst Review: - Findings are presented for review. - If user disablement is required, the analyst can select users to disable in Azure AD. - If a user is disabled, the playbook will also clear their active sessions. Requirements: Ensure the following integrations are configured: - Microsoft Graph Identity for Conditional Access and risk scores. - Microsoft Defender for Identity for authentication analysis. - Core for user risk evaluation and alert correlation. - Threat Intelligence Integrations for IP reputation analysis.
Intezer - Analyze by hash	Analyze the given file hash on Intezer Analyze and enrich the file reputation. Supports SHA256, SHA1, and MD5.
Intezer - Analyze File and URL	Analyze Files and URLs on Intezer Analyze
Intezer - Analyze Uploaded file	Upload a file to Intezer Analyze to analyze and enrich the file reputation. (up to 150 MB)
Investigate On Bad Domain Matches - Chronicle	Use this playbook to investigate and remediate Bad IOC domain matches with recent activity found in the enterprise, as well as notify the SOC lead and network team about the matches. Supported Integrations: - Chronicle - Whois - Mail Sender (New) - Palo Alto Networks PAN-OS - Palo Alto Networks AutoFocus v2
IOC Alert	IOCs provide the ability to alert on known malicious objects on endpoints across the organization. Analysis Actions: The playbook will use several enrichment sources to determine the IOC verdict. Additionally, will use the Analytics module to run a prevalence check for the IOC. Response Actions: The playbook's first response action is a containment plan that is based on the playbook input. In that phase, the playbook will execute endpoint isolation Investigative Actions: When the playbook executes, it checks for additional abnormal activity using the Endpoint Investigation Plan playbook that can indicate the endpoint might be compromised. Remediation Actions: In case results are found within the investigation phase, the playbook will execute remediation actions that include containment and eradication. This phase will execute the following containment actions: File quarantine Endpoint isolation And the following eradication actions: Manual process termination Manual file deletion
IP Enrichment - External - Generic v2	Enrich IP addresses using one or more integrations. - Resolve IP addresses to hostnames (DNS). - Provide threat information. - IP address reputation using !ip command. - Separate internal and external addresses.
IP Enrichment - External - RST Threat Feed	Enrich IP addresses using one or more integrations. - Resolve IP addresses to hostnames (DNS) - Provide threat information - Separate internal and external addresses
IP Enrichment - Generic	Deprecated. Enrich IP using one or more integrations. IP enrichment includes: Resolve IP to Hostname (DNS) Threat information Separate internal and external addresses IP reputation * For internal addresses, get host information
IP Enrichment - Generic v2	Enrich IP addresses using one or more integrations. - Resolve IP addresses to hostnames (DNS) - Provide threat information - Determine IP address reputation using the !ip command - Separate internal and external IP addresses - For internal IP addresses, get host information. When executing this playbook through IP Enrichment - Generic v2, IP classification and resolution will be handled by the main playbook, improving performance.
IP Enrichment - Internal - Generic v2	Enrich Internal IP addresses using one or more integrations. - Resolve IP address to hostname (DNS) - Separate internal and external IP addresses - Get host information for IP addresses.
IP Reputation-GreyNoise	Playbook for the ip reputation command
IP Whitelist - AWS Security Group	Sync a list of IP addresses to an AWS Security Group.
IP Whitelist - GCP Firewall	Set a list of IP addresses in GCP firewall.
IP Whitelist And Exclusion - RiskIQ Digital Footprint	Adds the IP Address(es) to allow list after checking if it should be added to allow list according to the user inputs provided. This playbook also adds these IP Address indicators to the exclusion list and tags it with the "RiskIQ Whitelisted IP Address" tag.
IQ-HUB Automation	This playbook is used to retrieve real-time detections and progressions data generated by events on different systems present in the network.
Ironscales-Classify-Incident	Classify an Ironscales incident
Isolate Endpoint - Cybereason	This playbook isolates a machine based on the hostname provided.
Isolate Endpoint - Generic	Deprecated. Use the "Isolate Endpoint - Generic V2" playbook instead.
Isolate Endpoint - Generic V2	This playbook isolates a given endpoint using various endpoint product integrations. Make sure to provide valid playbook inputs for the integration you are using.
IT - Employee Offboarding	This playbook offboards company employees to maintain organizational security and prevent abuse of company resources. It streamlines the process of returning company property, delegates resources to the employee's manager, retains important data that is in possession of the employee, and deletes the user and user information if chosen to do so.
IT - Employee Offboarding - Manual	This playbook provides a manual alternative to the IT - Employee Offboarding playbook. The playbook guides the user in the process of manually offboarding an employee.
Ivanti Critical Vulnerabilities	Ivanti has recently disclosed four critical vulnerabilities in their VPN devices, identified as CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893, with active exploitation reported. These security flaws impact all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways, including versions 9.x and 22.x, and Ivanti Neurons for ZTA. #### Disclosed Vulnerabilities CVE-2023-46805, a high-severity vulnerability, allows attackers to bypass authentication checks in the web component, granting access to restricted resources without credentials. CVE-2024-21887, of critical severity, enables command injection through specially crafted requests by authenticated administrators, leading to arbitrary command execution. CVE-2024-21888, another critical vulnerability, permits privilege escalation within the web component, enabling users to gain administrative rights. CVE-2024-21893 exposes a server-side request forgery (SSRF) vulnerability within the SAML component, allowing unauthorized access to specific restricted resources. The combination of these vulnerabilities, particularly CVE-2023-46805 and CVE-2024-21887, facilitates attackers to execute commands on the compromised system sans authentication, posing a significant security risk. Organizations utilizing affected Ivanti products are urged to apply mitigations and patches to safeguard their systems against potential exploits. This playbook should be triggered manually or can be configured as a job. IoCs Collection - Unit42 IoCs download Hunting - PANW Hunting: - Panorama Threat IDs hunting - Cortex Xpanse issues hunting - Indicators hunting - Endpoints by CVE hunting Mitigations Ivanti recommended workaround and patch. References Unit42 Threat Brief: Multiple Ivanti Vulnerabilities CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Jira Change Management	If you are using PAN-OS/Panorama firewall and Jira as a ticketing system, this playbook will be a perfect match for your change management for firewall process. This playbook is triggered by afetch from Jira and will help you manage and automate your change management process.
Jira Ticket State Polling	Use Jira Incident State Polling as a sub-playbook when required to pause the execution of a master playbook until the Jira ticket state is either resolved or closed. This playbook implements polling by continuously running the jira-get-issue command until the state is either resolved or closed.
JOB - Cortex XDR query endpoint device control violations	A job to periodically query Cortex XDR device control violations by a given timestamp in a relative date playbook input. The collected data, if found, will be generated for a new incident. You can configure the created new incident type in the playbook input and use the XDR Device Control Violations incident type to associate it with the response playbook. The job includes an incident type with a dedicated layout to visualize the collected data. To configure the job correctly: 1. Create a new recurring job. 2. Configure the recurring schedule. 3. Add a name. 4. Configure the type to XDR Device Control Violations. 5. Configure this playbook as the job playbook. The scheduled run time and the timestamp relative date should be identical. If the job recurs every 7 days, the timestamp should be 7 days as well.
JOB - Integrations and Incidents Health Check	You should run this playbook as a scheduled job. The playbook checks the health of all enabled integrations and open incidents.
JOB - Integrations and Incidents Health Check - Lists handling	This playbook is triggered by a 'JOB - Integrations and Playbooks Health' playbook and is responsible for creating or updating related XSOAR lists.
JOB - PANW NGFW TS Agent Cleanup	Run this playbook as a job to cleanup disconnected TS Agents
JOB - Popular News	Playbook can be run ad-hoc or as a Job to fetch results from Popular News sites
JOB - XSOAR - Export Selected Custom Content	This playbook is intended to be run as an adhoc job to quickly create a custom content bundle with only selected items from the servers custom content. Then you can import this new zip on the other XSOAR server. Create a Job with the Type “XSOAR Dev to Prod”, and select this playbook to get started. For more information on Jobs: https://xsoar.pan.dev/docs/incidents/incident-jobs
JOB - XSOAR - Simple Dev to Prod	This playbook is intended to be run as an adhoc job to quickly create a custom content bundle with only selected items from the servers custom content. You can import this new zip on the other XSOAR server, or push it to production using the Core REST API integration. Please ensure to read the setup instructions for this pack carefully. Create a Job with the Type “XSOAR Dev to Prod”, and select this playbook to get started. For more information on Jobs: https://xsoar.pan.dev/docs/incidents/incident-jobs
JOB - XSOAR EDL Checker	This playbook executes the XSOAR EDL Checker automation and will send email notification when an EDL is not functioning. Run this playbook as a job to monitor your EDLs.
Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack	On July 2nd, Kaseya company has experienced an attack against the VSA (Virtual System/Server Administrator) product. Kaseya customers pointed out a ransomware outbreak in their environments. Further investigation revealed that REvil group exploited VSA zero-day vulnerabilities for authentication bypass and arbitrary command execution. This allowed the attacker to deploy ransomware on Kaseya customers' endpoints. This playbook should be trigger manually and includes the following tasks: Collect related known indicators from several sources. Indicators, PS commands, Registry changes and known HTTP requests hunting using PAN-OS, Cortex XDR and SIEM products. Splunk advanced queries can be modified through the playbook inputs. QRadar query is done using Reference Set and "QRadar Indicator Hunting V2" playbook Search for internet facing Kaseya VSA servers using Xpanse. Block indicators automatically or manually. Provide advanced hunting and detection capabilities. Mitigation using Kaseya On-Premises and SaaS patch. More information: Kaseya Incident Overview & Technical Details Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Kenna - Search and Handle Asset Vulnerabilities	This playbook accepts an asset, then searches for vulnerabilities on that asset using the Kenna integration. If a vulnerability exists, it looks for relevant patches, lets the analyst deploy them and then generates an investigation summary report.
Large Upload Alert	The playbook investigates Cortex XDR alerts involving large upload alerts. The playbook consists of the following procedures: - Searches for similar previous alerts that were closed as false positives. - Enrichment and investigation of the initiator and destination hostname and IP address. - Enrichment and investigation of the initiator user, process, file, or command if it exists. - Detection of related indicators and analysis of the relationship between the detected indicators. - Utilize the detected indicators to conduct threat hunting. - Blocks detected malicious indicators. - Endpoint isolation. This playbook supports the following Cortex XDR alert names: - Large Upload (Generic) - Large Upload (SMTP) - Large Upload (FTP) - Large Upload (HTTPS)
Launch Adhoc Command Generic - Ansible Automation Platform	Generic polling playbook for runing ad hoc commands. Ad-hoc commands in Ansible allows you to execute simple tasks at the command line against one or all of your hosts. This playbook first launchrd an ad hoc command, then reportd the status of the task when it finishes running, and at the end returns the output of the task.
Launch And Fetch Compliance Policy Report - Qualys	Launches a compliance policy report and then fetches the report when it's ready.
Launch And Fetch Compliance Report - Qualys	Launches a compliance report and fetches the report when it's ready.
Launch And Fetch Host Based Findings Report - Qualys	Launches a host based report and fetches the report when it's ready.
Launch And Fetch Map Report - Qualys	Launches a map scan report and fetches the report when it's ready.
Launch And Fetch Patch Report - Qualys	Launches a patch report and fetches the report when it's ready.
Launch And Fetch PC Scan - Qualys	Launches a PC scan and fetches the scan when it's ready.
Launch And Fetch Remediation Report - Qualys	Launches a remediation report and fetches the report when it's ready.
Launch And Fetch Scan Based Findings Report - Qualys	Launches a scan based report and fetcesh the report when it's ready.
Launch And Fetch Scheduled Report - Qualys	Launches a scheduled report and fetches the report when it's ready.
Launch And Fetch VM Scan - Qualys	Launches a scan and fetches the scan when it's ready.
Launch Job - Ansible Automation Platform	Generic polling playbook to launch a specific job template. Returns the job status when the job finishes running.
Launch Scan - Tenable.sc	Deprecated. Use tenable-sc-launch-scan-report command instead.
List Cisco Stealthwatch Security Events	This playbook lists security events and returns the results to the context.
List Device Events - Chronicle	This playbook receives ChronicleAsset identifier information and provides a list of events related to each one of them. Supported integration: - Chronicle
Local Analysis alert Investigation	When an unknown executable, DLL, or macro attempts to run on a Windows or Mac endpoint, the Cortex XDR agent uses local analysis to determine if it is likely to be malware. Local analysis uses a static set of pattern-matching rules that inspect multiple file features and attributes, and a statistical model that was developed with machine learning on WildFire threat intelligence. Investigative Actions: Investigate the executed process image and verify if it is malicious using: XDR trusted signers VT trusted signers VT detection rate NSRL DB Response Actions The playbook's first response action is a containment plan that is based on the initial data provided within the alert. In that phase, the playbook will execute: Auto block indicators Auto file quarantine Manual endpoint isolation When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes containment and eradication, is executed. This phase will execute the following containment actions: Manual block indicators Manual file quarantine Auto endpoint isolation And the following eradication actions: Manual process termination Manual file deletion * Manual reset of the user’s password External resources: Malware Protection Flow
LogPoint SIEM Playbook	LogPoint SIEM Playbook guides users on use cases like blocking IP and domain and disabling users using products like CheckPoint Firewall, Active Directory, and VirusTotal. The actions depicted in the playbook helps analysts create their playbooks based on actual requirements and products deployed. (Available from Cortex XSOAR 6.0.0).
Logrhythm - Search query	This playbook used generic polling to gets query result using the command: lr-execute-search-query
LogRhythmRestV2 - Search query	This playbook used generic polling to get query results using the command: lr-execute-search-query.
Logz.Io Handle Alert	Handles a Logz.io Alert by retrieving the events that generated it.
Logz.io Indicator Hunting	This playbook queries Logz.io in order to hunt indicators such as File Hashes IP Addresses Domains \ URLS And outputs the related users, IP addresses, host names for the indicators searched.
Lost / Stolen Device Playbook	This manual playbook handles an incident for a lost or stolen device. It guides the analyst through various steps to validate the type of device and its contents, and the required steps for response and remediation. Initial incident details should be the name of the reporting person or ID of the SIEM alert/incident, and description of the lost device.
LSASS Credential Dumpin	This playbook is focused on detecting Credential Dumping attack as researched by Accenture Security analysts and engineers.
Malcore alert related file	This playbook fetch a malcore alert from a GCenter, retrieve the associated suspicious file and checks the SHA256 reputation using VirusTotal integration.
Malware Investigation & Response Incident Handler	This playbook is triggered by a malware incident from an endpoint integration. It performs enrichment, detonation, and hunting within the organization, and remediation on the malware. The playbook also covers the SIEM ingestion flow in which the fetching integration is the SIEM and EDR integrations grab all additional data. Currently supported EDR integrations are XDR, CrowdStrike Falcon, and Microsoft Defender for Endpoint. Currently supported SIEM integrations are QRadar and Splunk.
Malware Investigation - Generic	Deprecated. Use "Endpoint Malware Investigation - Generic" playbook instead. Investigate a malware using one or more integrations
Malware Investigation - Generic - Setup	Deprecated. Verify file sample and hostname information for the "Malware Investigation - Generic" playbook. If the file sample or hostname are missing, the playbook will attempt to retrieve them using one or more integrations
Malware Investigation - Manual	Deprecated. Use 'Malware Investigation & Response Incident handler' instead. (From the 'Malware Investigation And Response Pack') Master playbook for investigating suspected malware presence on an endpoint. Labels: - System: the hostname for the endpoint being investigated
Malware Investigation and Response - Set Alerts Grid	This playbook sets the alert grid for the Malware Investigation & Response layout.
Malware Playbook - Manual	Deprecated. Use "Malware Investigation - Manual" playbook instead. Master playbook for investigating suspected malware presence on an endpoint. Labels: - System: the hostname for the endpoint being investigated
Malware SIEM Ingestion - Get Incident Data	This playbook handles incident ingestion from the SIEM. The user provides which EDR system to use, the field containing the incident ID or detection ID, and the field indicating whether the ingested item is an incident or detection.
Malware Triage - ReversingLabs TitaniumCloud	Provides the TitaniumCloud classification of a file hash, and takes remediation actions based on that classification.
MAR - Endpoint data collection	Use McAfee Active Response to collect data from an endpoint for IR purposes (requires ePO as well). Input: * Hostname (Default: ${Endpoint.Hostname})
McAfee ePO Endpoint Compliance Playbook	Deprecated. Use "McAfee ePO Endpoint Compliance Playbook v2" playbook instead. Discover endpoints that are not using the latest McAfee AV Signatures
McAfee ePO Endpoint Compliance Playbook v2	Discover endpoints that are not using the latest McAfee AV signatures.
McAfee ePO Endpoint Connectivity Diagnostics Playbook v2	Perform a check on ePO endpoints to see if any endpoints are unmanaged or lost connectivity with ePO and take steps to return to a valid state.
McAfee ePO Repository Compliance Playbook	Deprecated. Use "McAfee ePO Repository Compliance Playbook v2" playbook instead. Ensures that ePO servers are updated to the latest McAfee published AV signatures (DAT file version).
McAfee ePO Repository Compliance Playbook v2	Ensures that ePO servers are updated to the latest McAfee published AV signatures (DAT file version).
MDE - Block File	This playbook receives an MD5 or a SHA256 hash and adds it to the block list in Microsoft Defender for Endpoint. The playbook uses the integration "Microsoft Defender for Endpoint".
MDE - False Positive Incident Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles closing false positive incidents for Microsoft Defender for Endpoint.
MDE - Host Advanced Hunting	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature based on the provided inputs.
MDE - Host Advanced Hunting For Network Activity	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host network activity.
MDE - Host Advanced Hunting For Persistence	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host persistence evidence.
MDE - Host Advanced Hunting For Powershell Executions	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host PowerShell executions.
MDE - Pro-Active Actions	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook supports investigation actions for the analyst, including: - Running a full AV scan for a specific endpoint - Requesting an investigation package (a zip file containing forensic data with a size of ~ 15MB) from an endpoint. - Requesting to run automatic investigation on an endpoint.
MDE - Retrieve File	This playbook is part of the ‘Malware Investigation And Response’ pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Live Response feature to retrieve a file from an endpoint. The playbook supports a supplied machine id as an input. Otherwise, it will take the Device ID incident field. The playbook supports only one element to be retrieved for each task (if needed more then one - use the playbook loop feature).
MDE - Search And Block Software	This playbook will search a file or process activity of a software by a given image file name using Microsoft Defender For Endpoint. The analyst can then choose the files to block.
MDE - Search and Compare Process Executions	This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Microsoft Defender For Endpoint" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. Note: Under the "Processes", input the playbook should receive an array that contains the following keys: - value: process name - commands: command-line arguments
MDE - True Positive Incident Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This Playbook handles closing a true positive incident for Microsoft Defender for Endpoint.
MDE Malware - Incident Enrichment	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enriches Microsoft Defender For Endpoint alerts. The enrichment is done on the involved endpoint and Mitre technique ID information, and it sets the 'Malware-Investigation and Response' layout.
MDE Malware - Investigation and Response	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook investigates Microsoft Defender For Endpoint malware alerts. It uses - Microsoft Defender For Endpoint Advanced Hunting - Command Line Analysis - Deduplication - Sandbox hash search and detonation - Proactive investigation actions (AV scan, investigation package collection, running automated investigation on an endpoint) - Microsoft Defender For Endpoint alert enrichment - Incident handling (true/false positive)
MDE SIEM ingestion - Get Incident Data	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles incident ingestion from a SIEM. The user provides the incident fields containing the alert ID. This playbook also enables changing the severity according to a user-defined scale to override the default assigned severity.
Message Quarantine - Cofense Vision	This playbook allows users to quarantine various messages that meet their specified criteria.
Microsoft 365 Defender - Emails Indicators Hunt	This playbook retrieves email data based on the "URLDomain", "SHA256" and "IPAddress" inputs. SHA256 - Emails with attachments matching the "SHA256" input are retrieved. URLDomain - If the "URLDomain" value is found as a substring of URL(s) in the body of the email, the email is retrieved. IPAddress - Emails with "SenderIPv4"/SenderIPv6" or URLs (in the body) matching the "IPAddress" input are retrieved.
Microsoft 365 Defender - Get Email URL Clicks	This playbook retrieves email data based on the `URLDomain` and `MessageID` inputs. It uses the Microsoft 365 Defender's Advanced Hunting to search only for URL click events based on the playbook inputs and enriches it with the full email data. URLDomain - If the “URLDomain” value is found as a substring of the URL(s) in the body of the email, the email is retrieved. MessageID - The message ID of the email from which the URL was clicked. Note that this can be either of the following 2 values: - The value of the header "Message-ID". - The internal ID of the message within Microsoft's products (e.g., NetworkMessageId). Can be a single MessageID or an array of MessageIDs to search.
Microsoft 365 Defender - Threat Hunting Generic	This playbook retrieves email data based on the `URLDomain`, `SHA256`, `IPAddress`. and `MessageID` inputs. The output is a unified object with all of the retrieved emails based on the following sub-playbooks outputs: - Microsoft 365 Defender - Get Email URL clicks: Retrieves data based on URL click events. - Microsoft 365 Defender - Emails Indicators Hunt: Retrieves data based on several different email events. Read the playbook's descriptions in order to get the full details.
Microsoft Defender Advanced Threat Protection Get Machine Action Status	This playbook used generic polling to get machine action information.
Microsoft Defender For Endpoint - Collect investigation package	This playbook simplifies retrieving investigation packages to Cortex XSOAR from supported machines (See https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/collect-investigation-package?view=o365-worldwide). The playbook receives information about the target devices (host name, IP, and device ID), validates the devices exist, and retrieves the collection package from those machines into the Cortex XSOAR console. Note: This action may take time, the average package size is around ~15 MB.
Microsoft Defender For Endpoint - Isolate Endpoint	This playbook accepts an endpoint ID, IP, or host name and isolates it using the Microsoft Defender For Endpoint integration.
Microsoft Defender for Endpoint - Malware Detected	This playbook investigates “Malware detected by Microsoft Defender for Endpoint” by gathering Hash and User information and performing remediation based on the information gathered and received from the enrichment. Used Sub-playbooks: * Enrichment for Verdict To link this playbook to the relevant alerts automatically, we recommend using the following filters when configuring the playbook triggers: Alert Source = Correlation AND Alert Name = Malware detected by Microsoft Defender for Endpoint
Microsoft Defender For Endpoint - Unisolate Endpoint	This playbook accepts an endpoint ID, IP, or host name and unisolates it using the Microsoft Defender For Endpoint integration.
Microsoft Office File Enrichment - Oletools	Oletools is a tool for analyzing Microsoft OLE2 files, such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics, and debugging. This playbook will run run the "oleid" command on the files which are passed to to it as playbook inputs. In case any macros or external relationships were found, it will also run "olevba" and "oleobj" commands as well on the relevant files. oleid - Analyze OLE files to detect specific characteristics usually found in malicious files. oleobj - Extract embedded objects from OLE files. olevba - Extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).
Mimecast - Block Sender Domain	A playbook to block sender domain name using Mimecast integration.
Mimecast - Block Sender Email	A playbook to block sender email address using Mimecast integration.
Mirror Jira Ticket	Mirror Jira Ticket is designed to serve as a sub-playbook, which enables ticket mirroring with Jira.
Mirror ServiceNow Ticket	Mirror ServiceNow Ticket is designed to serve as a sub-playbook, which enables ticket mirroring with ServiceNow. It enables you to manage ServiceNow tickets in Cortex xSOAR while data is continuously synced between ServiceNow and Cortex xSOAR, including ServiceNow schema, fields, comments, work notes, and attachments. To enable OOTB mirroring, use the ServiceNow Create ticket - common mappers for incoming and outgoing mirroring. FieldPolling - You can the FieldPolling value to true if you only want to be informed when the ticket is resolved or closed. If FieldPolling is set to true, the FieldPolling Playbook will poll for the state(ServiceNow State field) of the ServiceNow ticket until it marks as either resolved or closed. In Addition to the playbook, we recommend that you use the included layout for ServiceNow Ticket, which helps visualize ServiceNow ticket information in Cortex xSOAR. You can add the new layout as a tab to existing layouts using the Edit Layout page.
MITRE ATT&CK - Courses of Action	This is the parent playbook, which contains all phases and remediates MITRE ATT&CK techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. The playbook utilizes several other MITRE ATT&CK remediation playbooks. The playbook follows the MITRE ATT&CK kill chain phases and takes action to protect the organization from the inputted techniques, displaying and implementing security policy recommendations for Palo Alto Networks products. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Possible playbook triggers: - The playbook can be triggered by a feed integration fetching indicators that contain MITRE ATT&CK techniques as “Feed Related Indicators”, using the "MITRE ATT&CK - Courses of Action - Job" playbook. - The playbook can be triggered manually for specific MITRE ATT&CK techniques using the ‘techniqueByIncident’ playbook input. - An incident that contains MITRE ATT&CK technique IDs using the ‘techniqueByIncident’ playbook input.
MITRE ATT&CK - Courses of Action Trigger Job	This is a wrapper playbook for the "MITRE ATT&CK - Courses of Action" use-case. Possible playbook triggers: - Through a job, by a feed integration fetching indicators that contain MITRE ATT&CK techniques as “Feed Related Indicators”, or with custom inputs. - Through an incident, using custom playbook inputs. Once triggered, the playbook will create a new incident from type "MITRE ATT&CK CoA". The incident will trigger the playbook "MITRE ATT&CK - Courses of Action", which contains all phases and remediates MITRE ATT&CK techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
MITRE ATT&CK CoA - T1003 - OS Credential Dumping	This playbook Remediates the OS Credential Dumping technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1003: OS Credential Dumping Kill Chain phases: - Defense Evasion MITRE ATT&CK Description: Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and to access restricted information. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1005 - Data from Local System	This playbook Remediates the Data from Local System technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1005: Data from Local System Kill Chain phases: - Collection MITRE ATT&CK Description: Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1021.001 - Remote Desktop Protocol	This playbook Remediates the Remote Desktop Protocol technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1021.001: Remote Desktop Protocol Kill Chain phases: - Lateral Movement MITRE ATT&CK Description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1027 - Obfuscated Files or Information	This playbook Remediates the Obfuscated Files or Information technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1027: Obfuscated Files or Information Kill Chain phases: - Defense Evasion MITRE ATT&CK Description: Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1041 - Exfiltration Over C2 Channel	This playbook Remediates the Exfiltration Over C2 Channel technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1041: Exfiltration Over C2 Channel Kill Chain phases: - Exfiltration MITRE ATT&CK Description: Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1048 - Exfiltration Over Alternative Protocol	This playbook Remediates the Exfiltration Over Alternative Protocol technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1048: Exfiltration Over Alternative Protocol Kill Chain phases: - Exfiltration MITRE ATT&CK Description: Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. Exfiltration Over Alternative Protocol can be done using various common operating system utilities such as Net/SMB or FTP. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1057 - Process Discovery	This playbook Remediates the Process Discovery technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1057: Process Discovery Kill Chain phases: - Discovery MITRE ATT&CK Description: Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1059 - Command and Scripting Interpreter	This playbook Remediates the Command and Scripting Interpreter technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1059: Command and Scripting Interpreter Kill Chain phases: - Execution MITRE ATT&CK Description: Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript/JScript and Visual Basic. Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1059.001 - PowerShell	This playbook Remediates the Command and Scripting Interpreter technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1059.001: Command and Scripting Interpreter: PowerShell Kill Chain phases: - Execution MITRE ATT&CK Description: Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. [1] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1068 - Exploitation for Privilege Escalation	This playbook Remediates the Exploitation for Privilege Escalation technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1068: Exploitation for Privilege Escalation Kill Chain phases: - Privilege Escalation MITRE ATT&CK Description: Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising a endpoint system that has been properly configured and limits other privilege escalation methods. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1071 - Application Layer Protocol	This playbook Remediates the Application Layer Protocol technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1071: Application Layer Protocol Kill Chain phases: - Command And Control MITRE ATT&CK Description: Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1078 - Valid Accounts	This playbook Remediates the Valid Accounts technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1078: Valid Accounts Kill Chain phases: - Defense Evasion - Persistence - Privilege Escalation - Initial Access MITRE ATT&CK Description: Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1082 - System Information Discovery	This playbook Remediates the System Information Discovery technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1082: System Information Discovery Kill Chain phases: - Discovery MITRE ATT&CK Description: An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Tools such as Systeminfo can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges. Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1083 - File and Directory Discovery	This playbook Remediates the File and Directory Discovery technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1083: File and Directory Discovery Kill Chain phases: - Discovery MITRE ATT&CK Description: Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. Custom tools may also be used to gather file and directory information and interact with the Native API. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1105 - Ingress tool transfer	This playbook Remediates the Ingress tool transfer technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1105: Ingress tool transfer Kill Chain phases: - Command And Control MITRE ATT&CK Description: Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1110 - Brute Force	This playbook Remediates the Brute Force technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1110 : Brute Force Kill Chain phases: - Credential Access MITRE ATT&CK Description: Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1133 - External Remote Services	This playbook Remediates the External Remote Services technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1133: External Remote Services Kill Chain phases: - Persistence - Initial Access MITRE ATT&CK Description: Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1135 - Network Share Discovery	This playbook Remediates the Network Share Discovery technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1135: Network Share Discovery Kill Chain phases: - Discovery MITRE ATT&CK Description: Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. [1][2] Net can be used to query a remote system for available shared drives using the net view \remotesystem command. It can also be used to query shared drives on the local system using net share. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1189 - Drive-by Compromise	This playbook Remediates the Drive-by Compromise technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1189: Drive-by Compromise Kill Chain phases: - Initial Access MITRE ATT&CK Description: Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1199 - Trusted Relationship	This playbook Remediates the Trusted Relationship technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1199: Trusted Relationship Kill Chain phases: - Initial Access MITRE ATT&CK Description: Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1204 - User Execution	This playbook Remediates the User Execution technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1204: User Execution Kill Chain phases: - Execution MITRE ATT&CK Description: An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1486 - Data Encrypted for Impact	This playbook Remediates the Data Encrypted for Impact technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1486: Data Encrypted for Impact Kill Chain phases: - Impact MITRE ATT&CK Description: Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.[1][2][3][4] In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR. To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1518 - Software Discovery	This playbook Remediates the Software Discovery technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1518: Software Discovery Kill Chain phases: - Discovery MITRE ATT&CK Description: Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to Exploitation for Privilege Escalation. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1543.003 - Windows Service	This playbook Remediates the Windows Service technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1543.003: Create or Modify System Process: Windows Service Kill Chain phases: - Persistence - Privilege Escalation MITRE ATT&CK Description: Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.[1] Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg. Adversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1547 - Boot or Logon Autostart Execution	This playbook Remediates the Boot or Logon Autostart Execution technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1547: Boot or Logon Autostart Execution Kill Chain phases: - Persistence - Privilege Escalation MITRE ATT&CK Description: Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.[1][2][3][4][5] These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1547.001 - Registry Run Keys Startup Folder	This playbook Remediates the Registry Run Keys / Startup Folder technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Kill Chain phases: - Persistence - Privilege Escalation MITRE ATT&CK Description: Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. [1] These programs will be executed under the context of the user and will have the account's associated permissions level. Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1560.001 - Archive via Utility	This playbook Remediates the Data Encrypted technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1560.001: Archive Collected Data: Archive via Utility Kill Chain phases: - Exfiltration MITRE ATT&CK Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip[1], WinRAR[2], and WinZip[3]. Most utilities include functionality to encrypt and/or compress data. Some 3rd party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1562.001 - Disable or Modify Tools	This playbook Remediates the Disable or Modify Tools technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1562.001: Impair Defenses: Disable or Modify Tools Kill Chain phases: - Defense Evasion MITRE ATT&CK Description: Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1564.004 - NTFS File Attributes	This playbook Remediates the NTFS File Attributes technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1564.004: NTFS File Attributes Kill Chain phases: - Defense Evasion MITRE ATT&CK Description: Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. [1] Within MFT entries are file attributes, [2] such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1566 - Phishing	This playbook Remediates the Phishing technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1566: Phishing Kill Chain phases: - Initial Access MITRE ATT&CK Description: Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of Valid Accounts. Phishing may also be conducted via third-party services, like social media platforms. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1566.001 - Spear-Phishing Attachment	This playbook Remediates the Spear-Phishing Attachment technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1566.001: Spear-Phishing Attachment Kill Chain phases: - Initial Access MITRE ATT&CK Description: Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1569.002 - Service Execution	This playbook Remediates the Service Execution technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - T1569.002: System Services: Service Execution Kill Chain phases: - Execution MITRE ATT&CK Description: Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.[1] The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net. PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.[2] Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
MITRE ATT&CK CoA - T1573.002 - Asymmetric Cryptography	This playbook Remediates the Standard Cryptographic Protocol technique using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs). Techniques Handled: - 1573.002: Encrypted Channel: Asymmetric Cryptography Kill Chain phases: - Command And Control MITRE ATT&CK Description: Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal. For efficiency, may protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as Asymmetric Cryptography. Possible playbook uses: - The playbook can be used independently to handle and remediate the specific technique. - The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.
Mitre Attack - Extract Technique Information From ID	This playbook accepts as input MITRE techniques IDs. It returns the MITRE technique name and full technique data using the MITRE integration.
MockPlaybook
MockSubplaybook
Modify EDL	Adds indicators to or removes indicators from an external dynamic list (EDL) by adding or removing an indicator tag. The EDL itself is generated by using the Cortex XSOAR Generic Export Indicators Service integration and querying on a tag in the Indicator Query parameter. Incident fields that control the behavior of this playbook: - EDL Action: Whether to add or remove EDL indicators. - EDL Indicators List: Input list of indicators to add to or remove from EDL (according to the value of EDL Action). - EDL Tag: Tag value in the Generic Export Indicators Service integration instance Indicator Query, which controls which indicators are on the EDL. - EDL Indicator Type: (Only relevant if adding to EDL) Type of indicators to add to EDL.
Msiexec execution of an executable from an uncommon remote location	This playbook addresses the following alerts: - Msiexec execution of an executable from an uncommon remote location with a specific port - Msiexec execution of an executable from an uncommon remote location without properties Playbook Stages: Analysis: - Check extracted URL reputation: - Determine if the MSI package was installed from a malicious source - If the URL is found to be malicious, the playbook will proceed directly to remediation steps Investigation: - Check extracted domain's prevalence and causality process signature status: - Evaluate the prevalence of the domain from which the MSI package was downloaded - Verify if the causality process (CGO) is signed or unsigned - If the domain is found malicious and the causality process is unsigned, the playbook will proceed directly to remediation steps - Check for the following related alerts: - Local Analysis Malware - Mitre Techniques: - T1140 - Deobfuscate/Decode Files or Information - T1059 - Command and Scripting Interpreter - Analyze CGO command line for defense evasion techniques: - Evaluate the command line for suspicious patterns which indicates attempts to bypass security controls - If the command line contains suspicious patterns or related alerts are found, the playbook will proceed directly to remediation steps Containment: - Terminate causality process - Block maliciou URL (Manual approval) - Implement URL blocking using PAN-OS through Custom URL Categories - Isolate endpoint (Manual approval) Requirements: For any response action, you need the following integration: - PAN-OS.
Netcat Makes or Gets Connections	This playbook is designed to handle the following alerts: - Netcat makes or gets connections The playbook executes the following stages: Analysis: - Investigate the IP and Domain reputation - Search previous similar alerts Remediation: - Handles malicious alerts by terminating the causality process.
NetOps - Firewall Version and Content Upgrade	Network operations playbook that updates the version and content of the firewall. You must have Superuser permissions to update the PAN-OS version.
NetOps - Upgrade PAN-OS Firewall Device	Network operations playbook that upgrades the firewall. You must have Superuser permissions to update the PAN-OS version. Note: This playbook should only be used for minor version upgrades. Major version upgrades will not work due to a change in the API key.
New Hire Auto-Add	Queries stand-up tickets from a ticketing system and passes relevant employee data to the Add Employees to New Hire Watchlist playbook.
New Hire Clean-Up	Queries the New Hire watchlist in Code42 Incydr and passes relevant employee data to the Remove Employees from New Hire Watchlist playbook.
New York - Breach Notification	This playbook helps an analyst determine if the breached data meets the criteria for breach notification according to New York State law, and, if necessary, follows through with the notification procedures. DISCLAIMER: Please consult with your legal team before implementing this playbook. Sources: https://ag.ny.gov/internet/data-breach https://www.dos.ny.gov/consumerprotection/pdf/infosecbreach03.pdf https://www.nysenate.gov/legislation/laws/GBS/899-AA
Nexpose - Create and Download Report	Use this playbook as a sub-playbook to configure a report and download it. This playbook implements polling by continuously running the `nexpose-get-report-status` command until the operation completes. The remote action should have the following structure: 1. Initiate the operation - insert the type of the report (sites, scan, or assets) and it's additional arguments if required. 2. Poll to check if the operation completed. 3. Get the results of the operation.
NGFW Internal Scan	This playbook investigates a scan where the source is an internal IP address. An attacker might initiate an internal scan for discovery, lateral movement and more. Attacker's Goals: An attacker can leverage a scan for open ports and vulnerable systems on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services. Investigative Actions: Endpoint Investigation Plan playbook Response Actions The playbook's response actions are based on the Endpoint Investigation Plan playbook results. In that phase, the playbook will execute: Auto endpoint isolation Manual block indicators Manual file quarantine
NGFW Remove Offline TS Agent	Check if TS Agent server is offline and deregister it from the NGFW
NGFW Scan	This playbook handles external and internal scanning alerts. Attacker's Goals: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. Investigative Actions: Investigate the scanner IP address using: IP enrichment: NGFW Internal Scan playbook Endpoint Investigation Plan playbook Entity enrichment Response Actions The playbook's response actions are based on the initial data provided within the alert. In that phase, the playbook will execute: Automatically block IP address Report IP address (If configured as true in the playbook inputs) When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes the Containment Plan playbook, is executed. This phase will execute the following containment actions: Automatically isolate involved endpoint Manual block indicators Manual file quarantine Manual disable user External resources: Mitre technique T1046 - Network Service Scanning Port Scan
NIST - Handling an Incident Template	This playbook contains the phases to handling an incident as described in the 'Handling an Incident' section of NIST - Computer Security Incident Handling Guide. Handling an incident - Computer Security Incident Handling Guide https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
NIST - Lessons Learned	This playbook assists in processing an incident after it occurs and facilitates the lessons learned stage.
NMAP - Banner Check	Sub-playbook that performs an Nmap scan and compares the results against a regular expression to determine a match. This could be used to look for OpenSSH versions or other OS information found in the banner.
NMAP - Single Port Scan	Sub-playbook that conducts a single port Nmap scan and returns the results to the parent playbook.
NOBELIUM - wide scale APT29 spear-phishing	On May 27, 2021, Microsoft reported a wide scale spear phishing campaign attributed to APT29, the same threat actor responsible for the SolarWinds campaign named SolarStorm. This attack had a wide range of targets for an APT spear phishing campaign with 3,000 email accounts targeted within 150 organizations. https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ This playbook includes the following tasks: - Collect IOCs to be used in your threat hunting process - Query FW, SIEMs, EDR, XDR to detect malicious hashes, network activity and compromised hosts - Block known indicators ** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Notify Stock Above Price	This playbook sends a message on Telegram when a stock price rises higher than a predefined price
NSA - 5 Security Vulnerabilities Under Active Nation-State Attack	Deprecated. No available replacement. Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and The Dukes) frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation. This playbook should be trigger manually and includes the following tasks: - Enrich related known CVEs reported in the US agencies alert. - Search for unpatched endpoints vulnerable to the exploits. - Search for vulnerable assets facing the internet using Expanse. Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: [Cyber Security Advisory] (https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF)
O365 - Security And Compliance - Search	This playbook performs the following steps: 1. Creates a compliance search. 2. Starts a compliance search. 3. Waits for the compliance search to complete. 4. Gets the results of the compliance search as an output. 5. Gets the preview results, if specified.
O365 - Security And Compliance - Search Action - Delete	This playbook performs the following steps: 1. Creates a new compliance search action Purge - Hard or Soft. 2. Waits for the compliance search action to complete. 3. Retrieves the delete search action.
O365 - Security And Compliance - Search Action - Preview	This playbook perform: 1. Creates a new compliance search action - Preview (Base on created compliance search). 2. Waits for the preview action to complete. 3. Retrieves the preview results.
O365 - Security And Compliance - Search And Delete	This playbook performs the following steps: 1. Creates a compliance search. 2. Starts a compliance search. 3. Waits for the compliance search to complete. 4. Gets the results of the compliance search. 5. Gets the preview results, if specified. 6. Deletes the search results (Hard/Soft).
Office 365 Search and Delete	Run a ComplianceSearch on Office 365 and delete the results.
Office process creates a scheduled task via file access	This playbook handles "Office process creates a scheduled task via file access" alerts. Playbook Stages: Analysis: During the analysis, the playbook will perform the following: - Checks the Office file path for any suspicious locations. - Checks the initiator process prevalence. - Checks the initiator process reputation. - Extracts the local path of the Office file and runs a script to calculate the Office file hash. - Checks if the hash of the Office file identified as malicious. - Checks if the initiator process is non-prevalent with suspicious reputation or path. Investigation: During the alert investigation, the playbook will perform the following: - Searches for related Cortex XSIAM alerts and insights on the endpoint by specific alert names or by the following MITRE techniques to identify malicious activity: T1055 - Process Injection, T1566 - Phishing. If related alerts are found, the playbook will automatically disable the malicious scheduled task. Remediation: - Automatically disable the malicious scheduled task. - Automatically terminate the causality process. - Quarantine the Office file (requires analyst approval). - Automatically close the alert.
Okta - User Investigation	This playbook performs an investigation on a specific user, using queries and logs from Okta.
Online Brand Protection Detect and Respond	Analyzes the domains and URLs in suspicious emails, reported by end users, to determine if the phishing campaign is impersonating your company’s brand. Playbook can then trigger a domain take down email, with forensic evidence, to a target address.
OpenCTI Create Indicator	Create indicator at OpenCTI.
Palo Alto Networks - Endpoint Malware Investigation	Deprecated. Use Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps. The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation for the extracted file. It then performs IOC enrichment with Minemeld for all related IOCs, and calculates the incident severity based on all the findings. In addition we detonate the file for the full analysis report. The analyst can perform a manual memory dump for the suspected endpoint based on the incident’s severity, and choose to isolate the source endpoint with Traps. Hunting tasks to find more endpoints that are infected is performed automatically based on a playbook input, and after all infected endpoints are found, remediation for all malicious IOCs is performed, including file quarantine, and IP and URLs blocking with Palo Alto Networks FireWall components such as Dynamic Address Groups and Custom URL Categories. After the investigation review the incident is automatically closed.
Palo Alto Networks - Endpoint Malware Investigation v2	Deprecated. Use the "Palo Alto Networks - Endpoint Malware Investigation v3"\ \ playbook instead. This playbook is triggered by a Palo Alto Networks Cortex threat alert,\ \ generated by Traps. The playbook performs host enrichment for the source host\ \ with Palo Alto Networks Traps, enriches information for the suspicious file with\ \ Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation\ \ for the extracted file. It then performs IOC enrichment with Minemeld for all\ \ related IOCs, and calculates the incident severity based on all the findings.\ \ In addition we detonate the file for the full analysis report. \nThe analyst can\ \ perform a manual memory dump for the suspected endpoint based on the incident’s\ \ severity, and choose to isolate the source endpoint with Traps.\nHunting tasks\ \ to find more endpoints that are infected is performed automatically based on a\ \ playbook input, and after all infected endpoints are found, remediation for all\ \ malicious IOCs is performed, including file quarantine, and IP and URLs blocking\ \ with Palo Alto Networks FireWall components such as Dynamic Address Groups and\ \ Custom URL Categories.\nAfter the investigation review the incident is automatically\ \ closed.
Palo Alto Networks - Endpoint Malware Investigation v3	Deprecated. Use Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps. The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation for the extracted file. It then performs IOC enrichment with Minemeld for all related IOCs, and calculates the incident severity based on all the findings. In addition we detonate the file for the full analysis report. The analyst can perform a manual memory dump for the suspected endpoint based on the incident’s severity, and choose to isolate the source endpoint with Traps. Hunting tasks to find more endpoints that are infected is performed automatically based on a playbook input, and after all infected endpoints are found, remediation for all malicious IOCs is performed, including file quarantine, and IP and URLs blocking with Palo Alto Networks FireWall components such as Dynamic Address Groups and Custom URL Categories. After the investigation review the incident is automatically closed.
Palo Alto Networks - Hunting And Threat Detection	This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on hashes, IP addresses, or domain names provided manually or from outputs by other playbooks. The playbook leverages data received by PANW products including, Strata Logging Service, Autofocus and Pan-OS to search for IP addresses, host names and users related to the provided indicators. The output provided by the playbook enables you to find possibly affected IP addresses, users, and endpoints.
Palo Alto Networks - Malware Remediation	Deprecated. Use Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.This Playbook performs malicious IOC remediation using Palo Alto Networks integrations.
Palo Alto Networks BPA - Submit Scan	This playbook accepts a list of BPA checks, triggers a job and returns the checks results.
PAN-OS - Add Anti-Spyware Security Profile To Rule	This playbook is designed to enhance the security level in PAN-OS firewalls by safely adding an Anti-Spyware security profile to a security rule. The playbook provides control over the behavior when a a rule: - Already has an Anti-Spyware profile - Uses a security profile group, with or without an Anti-Spyware profile The output of the playbook is the Anti-Spyware profile configured for the rule upon playbook completion. This can be: - The initial profile, if untouched - A newly overwritten profile - A newly added profile
PAN-OS - Add Domains EDL To Anti-Spyware	This playbook add domains EDL to Panorama Anti-Spyware. It assigns External Dynamic List URLs that contain domains to block to Panorama Anti-Spyware. You can create an External Dynamic List (EDL) and add domains to it using the Cortex XSOAR pack called "Generic Export Indicators Service". We recommend using this playbook as a one-time job. Once EDL is created and assigned to anti-spyware, domains can be blocked by adding them to the EDL.
PAN-OS - Add Static Routes	This playbook accepts a PAN-OS static route configuration and creates it in the PAN-OS instance.
PAN-OS - Apply Security Profile to Policy Rule	This playbook is used to apply a PAN-OS security profile to a policy rule. The playbook performs the following tasks: - Accepts a rule name to apply the security profile to. - Applies the security profile to the rule if the rule exists. If not, creates the rule and applies. - Commits the configuration.
PAN-OS - Block all unknown and unauthorized applications	This playbook is used to find and remove all rules that allow unauthorized applications communication as any. The playbook performs the following tasks: - Lists PAN-OS policy rules. - Checks for a rule that allows applications as any. - Deletes the rule based on user approval. - Commits the configuration.
PAN-OS - Block Destination Service	This playbook blocks a destination IP and service (TCP or UDP port) by creating a rule for a specific device group on PAN-OS.
PAN-OS - Block Domain - External Dynamic List	Deprecated. Use Generic Export Indicators Service instead.
PAN-OS - Block IP	This playbook blocks IP addresses with 2 optional actions: - Block IP addresses using Static Address Groups in Palo Alto Networks Panorama or Firewall. The playbook receives malicious IP addresses and an address group name as inputs, verifies that the addresses are not already a part of the address group, adds them and commits the configuration. - Utilize the Dynamic Address Group (DAG) capability of PAN-OS. DAG enables analysts to create a rule one time, where the group is the source/destination, and adds IP addresses dynamically without the need to commit the configuration every time. The playbook checks if the given tag already exists. If the tag exists, then the IP address is added to the tag. If the tag does not exist, a new address group is created with the given tag and a matching rule, and the configuration is committed.
PAN-OS - Block IP - Custom Block Rule	This playbook blocks IP addresses using Custom Block Rules in Palo Alto Networks Panorama or Firewall. The playbook receives malicious IP addresses as inputs, creates a custom bi-directional rule to block them, and commits the configuration.
PAN-OS - Block IP - Static Address Group	This playbook blocks IP addresses using Static Address Groups in Palo Alto Networks Panorama or Firewall. The playbook receives malicious IP addresses and an address group name as inputs, verifies that the addresses are not already a part of the address group, adds them and commits the configuration. ***Note - The playbook does not block the address group communication using a policy block rule. This step will be taken once outside of the playbook.
PAN-OS - Block IP and URL - External Dynamic List	Deprecated. Use "PAN-OS - Block IP and URL - External Dynamic List v2" playbook instead. This playbook blocks IP addresses and URLs using Palo Alto Networks Panorama or Firewall External Dynamic Lists. It checks if the EDL configuration is in place with the 'PAN-OS EDL Setup' sub-playbook (otherwise the list will be configured), and adds the input IPs and URLs to the relevant lists.
PAN-OS - Block IP and URL - External Dynamic List v2	Deprecated. Use Generic Export Indicators Service instead.
PAN-OS - Block IPs From EDL - Custom Block Rule	This playbook blocks IP addresses from External Dynamic List using Custom Block Rules in Palo Alto Networks Panorama or Firewall. The playbook receives EDL name as input, creates a custom "from" directional rule to block, and commits the configuration.
PAN-OS - Block URL - Custom URL Category	This playbook blocks URLs using Palo Alto Networks Panorama or Firewall through Custom URL Categories. The playbook checks whether the input URL category already exists, and if the URLs are a part of this category. Otherwise, it will create the category, block the URLs, and commit the configuration.
PAN-OS - Configure DNS Sinkhole	This playbook creates a DNS sinkhole in a PAN-OS firewall. It does the following: 1. Finds a security rule that allows DNS traffic from the internal network to the internet using the "Security Policy Match" feature against traffic from the internal DNS server/s to the public DNS server. 2. Creates or adds an existing anti-spyware security profile to the security rule/s that were found. 3. Sets the DNS Signature Source under the DNS Policies configuration of the security profile with the "sinkhole" action. 4. Creates an address object for the sinkhole address so that it can be referenced later in a deny rule (the sinkhole IP constantly rotates). 5. Creates a new security rule to deny traffic to the sinkhole address object, in order to generate traffic logs for the compromised systems. The IPs of the compromised systems can then be retrieved using the "PAN-OS - Extract IPs From Traffic Logs To Sinkhole" playbook. Once the configuration is completed, the playbook will create a Tag object and tag the relevant security rules to indicate that sinkholing is configured. That tag will be checked in consecutive playbook runs in order to minimize the actions done on the firewall and time time spent in the playbook execution. How it works: A DNS sinkhole can be used to identify infected hosts on a network where there is an internal DNS Server in-route to the firewall that causes the reference of the original source IP address of the host that first originated the query to be lost (the query is received by the internal DNS server, and the internal DNS server sources a new query if the name-to-IP resolution is not locally cached). This causes the firewall to report observations of malicious DNS queries in the Threat logs where the source IP of the malicious DNS query is the Internal DNS server, which would force the administrator to look into the DNS Server logs to try to trace down what was the infected host that originally sourced the malicious DNS query. After a security profile with a "sinkhole" action for domains that are listed in the DNS signature source is applied to a rule that allows DNS traffic from the internal server/s to the external one, the threat logs will show that requests from the internal DNS server/s were sinkholed. However, the compromised systems will not appear in those logs. In order to find the IP addresses of those systems, a new rule denying all requests to our sinkhole address needs to be created. Since the infected systems received a forged DNS response (due to the security profile involved in our previous step), they will now try to connect to the sinkhole address, assuming it is their C&C server. The new rule will deny the subsequent attempts of those systems when they try to access the sinkhole address, and log them. Assumptions: - The domains that should be sinkholed are already in a DNS signature source. It can be one of the following sources available in PAN-OS: 1. An existing External Dynamic List (EDL) of type Domain configured in the PAN-OS firewall. Note: XSOAR simplifies the process of creating an EDL, with the Export Generic Indicators Service integration. 2. Palo Alto Networks Content-delivered malicious domains 3. DNS Security Categories available with a DNS Security subscription. - There is at least one internal DNS server that is sending the DNS requests out through the firewall to a specific public DNS server.
PAN-OS - Create Or Edit Rule	Creates or edits a Panorama rule and moves it into the desired position
PAN-OS - Delete Static Routes	This playbook deletes a PAN-OS static route from the PAN-OS instance.
PAN-OS - Enforce Anti-Spyware Best Practices Profile	This playbook enforces the Anti-Spyware Best Practices Profile as defined by Palo Alto Networks BPA. The playbook performs the following tasks: - Check for DNS Security license (If license is not activated, the playbook refers users to their Palo Alto Networks account manager for further instructions). - Get the existing profile information. - Get the best practices profile information. - Check if the best practices profile set by Cortex XSOAR is enforced. (If not, the playbook allows the user to compare the existing profile with the best practices and decide on the action to take). - Create best practices profile. - Apply profile to policy rules on PAN-OS firewall or Panorama.
PAN-OS - Enforce Anti-Virus Best Practices Profile	This playbook enforces the Anti-Virus Best Practices Profile as defined by Palo Alto Networks BPA. The playbook performs the following tasks: - Check for Threat Prevention license (If license is not activated, the playbook refers users to their Palo Alto Networks account manager for further instructions). - Get the existing profile information. - Get the best practices profile information. - Check if the best practices profile set by Cortex XSOAR is enforced. (If not, the playbook allows the user to compare the existing profile with the best practices and decide on the action to take). - Create best practices profile. - Apply profile to policy rules on PAN-OS firewall or Panorama.
PAN-OS - Enforce File Blocking Best Practices Profile	This playbook enforces the File Blocking Best Practices Profile as defined by Palo Alto Networks BPA. The playbook performs the following tasks: - Get the existing profile information. - Get the best practices profile information. - Check if the best practices profile set by Cortex XSOAR is enforced. (If not, the playbook allows the user to compare the existing profile with the best practices and decide on the action to take). - Create best practices profile. - Apply profile to policy rules on PAN-OS firewall or Panorama.
PAN-OS - Enforce URL Filtering Best Practices Profile	This playbook enforces the URL Filtering Best Practices Profile as defined by Palo Alto Networks BPA. The playbook performs the following tasks: - Check for URL Filtering license (If license is not activated, the playbook refers users to their Palo Alto Networks account manager for further instructions). - Get the existing profile information. - Get the best practices profile information. - Check if the best practices profile set by Cortex XSOAR is enforced. (If not, the playbook allows the user to compare the existing profile with the best practices and decide on the action to take). - Create best practices profile. - Apply profile to policy rules on PAN-OS firewall or Panorama.
PAN-OS - Enforce Vulnerability Protection Best Practices Profile	This playbook enforces the Vulnerability Protection Best Practices Profile as defined by Palo Alto Networks BPA. The playbook performs the following tasks: - Check for Threat Prevention license (If license is not activated, the playbook refers users to their Palo Alto Networks account manager for further instructions). - Get the existing profile information. - Get the best practices profile information. - Check if the best practices profile set by Cortex XSOAR is enforced. (If not, the playbook allows the user to compare the existing profile with the best practices and decide on the action to take). - Create best practices profile. - Apply profile to policy rules on PAN-OS firewall or Panorama.
PAN-OS - Enforce WildFire Best Practices Profile	This playbook enforces the WildFire Best Practices Profile as defined by Palo Alto Networks BPA. The playbook performs the following tasks: - Check for WildFire license (If license is not activated, the playbook refers users to their Palo Alto Networks account manager for further instructions). - Get the existing profile information. - Get the best practices profile information. - Check if the best practices profile set by Cortex XSOAR is enforced. (If not, the playbook allows the user to compare the existing profile with the best practices and decide on the action to take). - Create best practices profile. - Apply profile to policy rules on PAN-OS firewall or Panorama.
PAN-OS - Extract IPs From Traffic Logs To Sinkhole	This playbook searches for outgoing traffic to the sinkhole address in PAN-OS. It should be used after a DNS sinkhole was created using the "PAN-OS - Configure DNS Sinkhole" playbook. If a DNS sinkhole was created manually, you should verify in your PAN-OS firewall that there is an address object for the sinkhole FQDN "sinkhole.paloaltonetworks.com", and that there is a rule denying traffic to it from any source. You may specify the name of the deny rule if you know it, or you can let the playbook find the rule automatically.
PAN-OS - Job - Add Malicious Domains To Sinkhole	This TIM playbook should be run as a job. The playbook runs on domain indicators and performs various checks to decide if they should be sinkholed. If a domain is related to a campaign or a threat actor, or if it resolves to a malicious IP or has malware-related tags, the playbook will add a new tag to it in order to sinkhole that domain. The playbook assumes that the user is exporting indicators with the sinkhole tag to an EDL (External Dynamic List) using the Export Generic Indicators Service integration in Cortex XSOAR. That EDL should be connected to PAN-OS. It also assumes that a DNS sinkhole is configured in the PAN-OS firewall. However, these are not required for the sole purpose of tagging the domains. Note: This playbook has inputs from both the "From context data" tab and the "From indicators" tab.
PAN-OS - Job - Remove Malicious Domains From Sinkhole	This playbook should be run as a job. It is used to periodically remove the specified tag from domain indicators. It should be used in conjunction with the "PAN-OS - Job - Add Malicious Domains To Sinkhole" playbook, to stop domains from being sinkholed after a certain amount of time. The idea is that traffic to malicious domains will not be redirected to a sinkhole address forever, as malicious domains tend to lose their malicious properties (become inactive, get taken down, or the malware using them is no longer used or maintained).
PAN-OS Commit Configuration	Deprecated. Use PAN-OS Commit Configuration v2 instead.
PAN-OS Commit Configuration v2	Commit the PAN-OS Panorama or Firewall configuration. If specified as Panorama, it also pushes the Policies to the specified Device Group in the instance.
PAN-OS create or edit policy	This playbook will automate the process of creating or editing a policy. The first task in the playbook checks if there is a security policy that matches the playbook inputs. If there is no security policy that matches, a new policy will be created. If there is a security policy that matches, the user will be able to modify the existing policy or create a new hardened policy.
PAN-OS DAG Configuration	This playbook utilizes the Dynamic Address Group (DAG) capability of PAN-OS. DAG enables analysts to create a rule one time, where the group is the source/destination, and adds IP addresses dynamically without the need to commit the configuration every time. The playbook checks if the given tag already exists. If the tag exists, then the IP address is added to the tag. If the tag does not exist, a new address group is created with the given tag and a matching rule, and the configuration is committed.
PAN-OS edit policy	This playbook guides the user in the process of editing an existing policy. The playbook sends a data collection form to retrieve the relevant parameters for editing the existing rule.
PAN-OS EDL Service Configuration	Deprecated. No available replacement. This single-run playbook enables Cortex XSOAR's built-in External Dynamic List (EDL) as a service for system indicators, and configures PAN-OS EDL Objects and the respective firewall policy rules. The EDLs will continuously update for each indicator that matches the query syntax input in the playbook (to validate to which indicators the query applied, you need to enter the query syntax from the indicator tab at the top of the playbook inputs window as well). If both the IP and URL indicator types exist in the query, it sorts the indicators into two EDLs, IP and URL. If only one indicator type exists in the query, only one EDL is created. The playbook then creates EDL objects directing to the indicator lists and firewall policy rules in PAN-OS. - It is recommended to configure a dedicated EDL Service instance for the usage of this playbook. - If necessary to edit or update the EDL query after this playbook run, use the panorama-edit-edl command and panorama integration to update the URL containing the indicator query syntax.
PAN-OS EDL Setup	Deprecated. Use PAN-OS EDL Setup v3 playbook instead. Configures an external dynamic list in PAN-OS.\nIn the event that the file exists on the web server, it will sync it to demisto. Then it will create an EDL object and a matching rule.
PAN-OS EDL Setup v3	Deprecated. Use Generic Export Indicators Service instead.
PAN-OS Log Forwarding Setup And Configuration	This playbook sets up and maintains log forwarding for the Panorama rulebase. It can be run when setting up a new instance, or as a periodic job to enforce log forwarding policy. You can either update all rules and override previous profiles, or update only rules that do not have a log forwarding profile configured.
PAN-OS logging to Strata Logging Service - Action Required	This Playbook initiates the steps needed to investigate the PAN-OS logging to Strata Logging Service problems.
PAN-OS Query Logs For Indicators	This playbook queries the following PAN-OS log types: traffic, threat, url, data-filtering and wildfire. The playbook accepts inputs such as IP. hash, and url.
PAN-OS Search for Post Quantum Crypto Vuln Sigs	Search Vuln Sigs in Threat Logs for use of Post Quantum Crypto Signatures
PAN-OS to Strata Logging Service Monitoring - Cron Job	This playbook verifies that your FWs sent logs to the Strata Logging Service in the last 12 hours. An email notification will be sent if it's not the case. This playbook is designed to run as a job.
Panorama Query Logs	Query Panorama Logs of types: traffic, threat, url, data-filtering and wildfire.
PanoramaQueryTrafficLogs	Deprecated. Use "PAN-OS Query Logs For Indicators" playbook instead. Queries traffic logs in a PAN-OS Panorama or Firewall device.
PANW - Hunting and threat detection by indicator type	Deprecated. Use the "PANW - Hunting and threat detection by indicator type V2" playbook instead.
PANW - Hunting and threat detection by indicator type V2	Deprecated. Use the "Palo Alto Networks - Hunting And Threat Detection"\ \ playbook instead. Integrations list - Cortex (Traps, PAN-OS, Analytics)\nThis is a multipurpose\ \ playbook used for hunting and threat detection. The playbook receives inputs based\ \ on hashes, IP addresses, or domain names provided manually or from outputs by\ \ other playbooks. \nWith the received indicators, the playbook leverages Palo Alto\ \ Cortex data received by products such as Traps, Analytics and Pan-OS to search\ \ for IP addresses and hosts related to that specific hash. \nThe output provided\ \ by the playbook facilitates pivoting searches for possibly affected hosts, IP\ \ addresses, or users.
PANW IoT Incident Handling with ServiceNow	This playbook creates a ServiceNow ticket after the incident is enriched by Palo Alto Networks IoT security portal (previously Zingbox Cloud).
PANW IoT ServiceNow Tickets Check	This playbook should be used in a recurring Job to check the ServiceNow ticket status for the Palo Alto Networks IoT (previously Zingbox) alerts or vulnerabilties.
PANW NGFW TS Agent Deployment	Deploy the PANW NGFW TS Agent to a Windows server
PANW Threat Vault - Signature Search	Deprecated. No available replacement.
PCAP Analysis	This playbook leverages all of the PCAP miner and PCAP file extractor sub playbook capabilities, including: Search for specific values in a PCAP file Parse and enrich detected indicators such as IP addresses, URLs, email addresses and domains found by the search . * Carve (extract) files found in the http, smb and other protocols and perform enrichment and detonation.
PCAP File Carving	This playbook is used to carve (extract) files from within PCAP files and perform enrichment and detonation of the extracted files. Supported PCAP file types are pcap, cap, pcapng. The playbook can handle one PCAP file per incident. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and adding an RSA certificate to decrypt SSL traffic. Additional options enable you to filter the files to extract according to the file extension or the actual file type (MIME), and limit the amount of files to extract. Another feature enables you to specify a filter to create a new smaller PCAP file. To display the results within the relevant incident fields, the playbook needs to run in a PCAP Analysis incident type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation.
PCAP Parsing And Indicator Enrichment	This playbook is used to parse and extract indicators within PCAP files and perform enrichment on the detected indicators. Supported file types are pcap, cap, pcapng. The playbook can handle one PCAP file per incident. The user inputs which indicator types are to be enriched including, email, URLs, IP addresses. The user can specify in the inputs which indicators are internal or that will be treated as internal (not enriched). The user can also specify a specific regex pattern to search for. Another option is to specify the protocol types to be printed to context for data extraction. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and add an RSA certificate to decrypt SSL traffic. To display the results within the relevant incident fields, the playbook needs to run in a PCAP Analysis incident type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation.
PCAP Search	This playbook is used to parse and search within PCAP files. Supported file types are pcap, cap, pcapng. The playbook can handle one PCAP file per incident. The user inputs which objects the playbook should search for in the PCAP. The values to search are IP addresses, CIDR ranges, and TCP or UDP ports or protocols. In the event that more than one input type was specified, specify in the QueryOperator input (such as IP addresses and TCP ports) if the PCAP filter query will use an AND or an OR operator between the inputs. Another option is to use advanced filters just like in Wireshark to use refined filters or for objects not specified in other inputs. Additional inputs allow the user to provide the WPA password for decrypting 802.11 (wireless) traffic and adding an RSA certificate to decrypt SSL traffic. To display the results within the relevant incident fields, the playbook needs to run in a PCAP Analysis incident type. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation.
Penfield Assign	This playbook invokes Penfield.AI backend to assign incident to an online analyst.
Pentera Filter And Create Incident	Sub-playbook to select specific entries from the Pentera action report and create incidents for each of the selected entries
Pentera Run Scan
Pentera Run Scan and Create Incidents	This playbook will run a pentera task given the Pentera task name. It will generate the full action report that contains all the actions that Pentera made during the scan, and will create incidents according to the filters in the Pentera Filter and Create incidents playbook.
Phishing - Core	Deprecated. Use Phishing - Core v2 instead.
Phishing - Core v2	This playbook provides a basic response to phishing incidents, including: - Calculating reputation for all indicators - Extracting indicators from email attachments - Calculating severity for the incident based on indicator reputation - Updating the reporting user about investigation status - Enabling manual incident remediation This updated playbook uses: 1) Incident fields instead of labels 2) The "Process Email - Core v2" playbook
Phishing - Create New Incident	This playbook take arguments which will be used to create a new phishing incident. It is needed for scenarios such as creating several incidents based on values stored in the context. In such scenarios, the playbook can be looped.
Phishing - Generic v3	This playbook investigates and remediates a potential phishing incident. It engages with the user who triggered the incident while investigating the incident itself. Note: - Final remediation tasks are manual by default. can be managed by "SearchAndDelete" and "BlockIndicators" inputs. - Do not rerun this playbook inside a phishing incident since it can produce an unexpected result. Create a new incident instead if needed.
Phishing - Get Original Email Loop	When the "Get Original Email - Generic v2" playbook is looped, there is no actual way to distinguish which retrieved file is related to which Message-ID. In order to solve this issue, this playbook will be looped instead and will output the "FileAssociation" key with the File-MessageID association.
Phishing - Handle Microsoft 365 Defender Results	This playbook is used to handle the results from the "Microsoft 365 Defender - Threat Hunting Generic" playbook inside a phishing incident. It performs the following actions: 1) Set the relevant incident fields based on the results, such as "Clicked URLs", "Malicious URL Viewed", and "Malicious URL Clicked". 2) In case the relevant playbook inputs were configured, it will create new incidents for each email returned in the results of the "Microsoft 365 Defender - Threat Hunting Generic" playbook. First, it will try to retrieve the original emails' files and then it will create an incident for each retrieved email. 3) Link the newly created incidents to the main originating incident. Note that this playbook should only be used inside a phishing incident and not as a main playbook.
Phishing - Indicators Hunting	Hunt indicators related to phishing with available integrations and then handle the results. Handling the results will include setting relevant incident fields which will be displayed in the layout and optionally, opening new incidents according to the findings. Current integration in this playbook: - Microsoft 365 Defender (using "Advanced Hunting") Note that this playbook should be used as a sub-playbook inside a phishing incident and not as a main playbook.
Phishing - Machine Learning Analysis	Runs various machine-learning based checks on phishing emails and URLs, in an attempt to predict whether they are phishing or benign. This playbook is available only on Cortex XSOAR.
Phishing - Search Related Incidents (Defender 365)	This playbook should only be used as a sub-playbook inside the "Phishing - Handle Microsoft 365 Defender Results" playbook. It searches through existing Cortex XSOAR incidents based on retrieved email message IDs and returns data only for emails that are not found in existing incidents.
Phishing Alerts - Check Severity	This playbook calculates and assigns the incident severity based on the highest returned severity level from the following calculations: - Email security alert action - DBotScores of indicators - Critical assets - Email authenticity - Current incident severity - Microsoft Headers
Phishing Alerts Investigation	This playbook investigates and remediates potential phishing incidents produced by either an email security gateway or a SIEM product. It retrieves original email files from the email security gateway or email service provider and generates a response based on the initial severity, hunting results, and the existence of similar phishing incidents in XSOAR. No action is taken without an initial approval given by the analyst using the playbook inputs.
Phishing Investigation - Generic	Deprecated. Use "Phishing Investigation - Generic v2" playbook instead. Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself. The final remediation tasks are always decided by a human analyst.
Phishing Playbook - Manual	Master playbook for phishing incidents. This playbook is a manual playbook.
PhishingDemo-Onboarding	This playbook is part of the on-boarding experience, and focuses on phishing scenarios. To use this playbook, you'll need to enable the `on-boarding` integration and configure incidents of type `Phishing`. For more information, refer to the on-boarding walkthroughs in the help section.
PhishLabs - Populate Indicators	This playbook can be used in a job to populate indicators from PhishLabs, according to a defined period of time.
PhishLabs - Whitelist false positives	This playbook can be used in a job to add to the allow list indicators from PhishLabs that were classified as false positives, according to a defined period of time.
PhishUp Mail Scanner	Extracts URLs from mail body and checks URLs with PhishUp. Takes action based on PhishUp results.
PICUS - Attack Validation Automation	Picus Attack Validation Automation
PICUS NG - Simulation Validation Automation	Picus NG Simulation Validation Automation
PII Check - Breach Notification	The playbook checks for all various types of PII, however, each state determines what is considered PII, and which PII requires notification. DISCLAIMER: Please consult with your legal team before implementing this playbook. **Sources: http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82 https://www.nysenate.gov/legislation/laws/GBS/899-AA and more for each state.
Policy Optimizer - Add Applications to Policy Rules	This playbook edits rules with unused applications or rules that are port based, and adds an application to the rule. It is used in PAN-OS - Policy Optimizer playbooks and includes communication tasks to get a rule name and the application to edit from the user.
Policy Optimizer - Generic	This playbook is triggered by the Policy Optimizer incident type, and can execute any of the following sub-playbooks: - Policy Optimizer - Manage Unused Rules - Policy Optimizer - Manage Rules with Unused Applications - Policy Optimizer - Manage Port Based Rules
Policy Optimizer - Manage Port Based Rules	This playbook migrates port-based rules to application-based allow rules to reduce the attack surface and safely enable applications on your network.
Policy Optimizer - Manage Rules with Unused Applications	This playbook helps identify and remove unused applications from security policy rules. If you have application-based security policy rules that allow a large number of applications, you can remove unused applications (applications never seen on the rules) from those rules to allow only applications actually seen in the rule’s traffic. This strengthens your security posture by reducing the attack surface.
Policy Optimizer - Manage Unused Rules	This playbook helps identify and remove unused rules that do not pass traffic in your environment.
Port Scan - External Source	This playbook remediates port scans originating outside of the organization's network.
Port Scan - Generic	Investigates a port scan incident. The incident may originate from outside or within the network. The playbook: - Enriches the hostname and IP address of the attacking endpoint - Escalates the incident in case a critical asset is involved - Hunts malware associated with the alerts across the organization - Blocks detected malware associated with the incident - Blocks IP addresses associated with the malware, if a malicious file was involved - Pivots from the attacking IP to detect and block malicious domains hosted on the IP (for external scan) - Isolates the attacking endpoint (for internal scan) - Allows manual blocking of ports through an email communication task If you're using one or more of the following products, make sure to configure their corresponding playbook inputs, respectively: Splunk - "Splunk Indicator Hunting" QRadar - "QRadar Indicator Hunting v2" Palo Alto Networks Cortex Data Lake/Panorma/Autofocus/Analytics - "PANW - Hunting and threat detection by indicator type V2"
Port Scan - Internal Source	Remediates port scans originating within the network.
Possible External RDP Brute-Force	This playbook investigates a “Possible External RDP Brute Force” XDR Alert by gathering user, IP, and hostname information, and investigating if the following suspicious elements exists: - "IP Reputation" - DBot Score is 2-3 - "Source geolocation" - RDP Connection made from rare geo-location - Related to campaign - IP address is related to campaign, based on TIM module - Hunting results - the hunt for indicators related to the source IP and the related campaign returned results - XDR Alert search - XDR Alerts that related to the same username and endpoint, and to the MITRE tactics that comes after "Credential Access", were found. - Risky User - The user that was identified in the attack was given a medium or high score by the Core integration's ITDR module. - Risky Host - The destination host that was identified in the attack was given a medium or high score by the Core integration's ITDR module. Set verdict method: Critical Element - The "Critical Element" input allows you to select a specific element that, if identified as suspicious, the investigation's final verdict will be deemed a "True Positive". Final Verdict - Each suspicious element is being added to an array called "Suspicious Elements", which is used to count potential security threats. The array size will be compared to a final threshold. If the size is greater than or equal to the threshold, the investigation's final verdict will be deemed a "True Positive". * User Engagement - The "UserEngagementThreshold" input allows you to set the number of suspicious elements that trigger user engagement. When this threshold is met, an email will be sent to the user and their manager asking for authorization of RDP activity. If the RDP activity is not authorized by the user, the investigation's final verdict will be deemed a "True Positive".
Possible External RDP Brute-Force - Set Verdict	This playbook creating an array called "Suspicious Elements", which is used to count potential security threats. The following elements can be added to the array: - "IP Reputation" - DBot Score is 2-3 - "Source geolocation" - RDP Connection made from rare geo-location - Related to campaign - IP address is related to campaign, based on TIM module - Hunting results - the hunt for indicators related to the source IP and the related campaign returned results - XDR Alert search - XDR Alerts that related to the same username and endpoint, and to the MITRE tactics that comes after "Credential Access", were found. - Risky User - one or more risky users are involved in the incident, as identified by the Cortex Core - IR integration's ITDR module. - Risky Host - one or more risky hosts are involved in the incident, as identified by the Cortex Core - IR integration's ITDR module. The array will then be outputted and its size will be compared to a final threshold. If the size is greater than or equal to the threshold, the investigation's final verdict will be deemed a "True Positive."
Post Intrusion Ransomware Investigation	Provides the first step in the investigation of ransomware attacks. The playbook requires the ransom note and an example of an encrypted file (<1MB) to try to identify the ransomware and find a recovery tool via the online database. You will be guided with further investigation steps throughout the playbook, some of the key features are: - Encrypted file owner investigation - Endpoint forensic investigation - Active Directory investigation - Timeline of the breach investigation - Indicator and account enrichment Playbook settings and mapping: For the full operation of the playbook, the following data should be mapped to the relevant incident fields. Username - Usernames (common incident field) Hostname - Hostnames (common incident field)
Powershell Payload Response	The Powershell Payload Response playbook is designed to be used when file payload executions are detected from an endpoint machines Powershell and begins the remediation process.
Prepare your CTF	This playbook aims to assit in configuring you env for the Capture The Flag (CTF) game.
Prisma Access - Logout User	This playbook forces logout of a specific user and computer from Prisma Access.
Prisma Access - Connection Health Check	Use the Prisma Access integration to run SSH CLI commands and query the connection states for all tunnels. If any tunnels are down - the playbook escalates to a manual task for remediation and provides recommendations on next steps in the task description. The playbook can be run as a job, or triggered from an incoming event to confirm an initial suspicion (such as a tunnel log from Cortex Data Lake) to validate that the issue still exists.
Prisma Access Whitelist Egress IPs on SaaS Services	Retrieve Prisma Access Egress IP for specific geographic zones and populate in security groups within cloud services.
Prisma Cloud - Find AWS Resource by FQDN	Deprecated. Use Prisma Cloud - Find AWS Resource by FQDN v2 instead. Find AWS resources by FQDN using Prisma Cloud inventory. Supported services: EC2, Application Load Balancer, ECS, Route53, CloudFront, S3, API Gateway.
Prisma Cloud - Find AWS Resource by FQDN v2	Find AWS resources by FQDN using Prisma Cloud inventory. Supported services: EC2, Application Load Balancer, ECS, Route53, CloudFront, S3, API Gateway.
Prisma Cloud - Find AWS Resource by Public IP	Deprecated. Use Prisma Cloud - Find AWS Resource by Public IP v2 instead. Find AWS resources by Public IP using Prisma Cloud inventory. Supported services: EC2, Network Load Balancer, ECS, Route53.
Prisma Cloud - Find AWS Resource by Public IP v2	Find AWS resources by Public IP using Prisma Cloud inventory. Supported services: EC2, Network Load Balancer, ECS, Route53.
Prisma Cloud - Find Azure Resource by FQDN	Deprecated. Use Prisma Cloud - Find Azure Resource by FQDN v2 instead. Find Azure resources by FQDN using Prisma Cloud inventory. Supported services: Azure VM, Azure Load Balancer, Azure Application Gateway, AKS, Azure Web Apps, Azure Storage.
Prisma Cloud - Find Azure Resource by FQDN v2	Find Azure resources by FQDN using Prisma Cloud inventory. Supported services: Azure VM, Azure Load Balancer, Azure Application Gateway, AKS, Azure Web Apps, Azure Storage.
Prisma Cloud - Find Azure Resource by Public IP	Deprecated. Use Prisma Cloud - Find Azure Resource by Public IP v2 instead. Find Azure resources by Public IP using Prisma Cloud inventory. Supported services: Azure VM, Azure Load Balancer, Azure Application Gateway, Azure Web Apps.
Prisma Cloud - Find Azure Resource by Public IP v2	Find Azure resources by Public IP using Prisma Cloud inventory. Supported services: Azure VM, Azure Load Balancer, Azure Application Gateway, Azure Web Apps.
Prisma Cloud - Find GCP Resource by FQDN	Deprecated. Use Prisma Cloud - Find GCP Resource by FQDN v2 instead. Find GCP resources by FQDN using Prisma Cloud inventory. Supported services: Cloud DNS.
Prisma Cloud - Find GCP Resource by FQDN v2	Find GCP resources by FQDN using Prisma Cloud inventory. Supported services: Cloud DNS.
Prisma Cloud - Find GCP Resource by Public IP	Deprecated. Use Prisma Cloud - Find GCP Resource by Public IP v2 instead. Find GCP resources by Public IP using Prisma Cloud inventory. Supported services: GCE, Load Balancing, GKE.
Prisma Cloud - Find GCP Resource by Public IP v2	Find GCP resources by Public IP using Prisma Cloud inventory. Supported services: GCE, Load Balancing, GKE.
Prisma Cloud - Find Public Cloud Resource by FQDN	Find Public Cloud resources by FQDN using Prisma Cloud inventory
Prisma Cloud - Find Public Cloud Resource by Public IP	Find Public Cloud resource by Public IP using Prisma Cloud inventory
Prisma Cloud - Find Public Cloud Resource by Public IP v2	Find Public Cloud resource by Public IP using Prisma Cloud inventory
Prisma Cloud - Get Account Owner	Retrieves the details of the owner of a given cloud account from the following playbooks: - Get Cloud Account Owner - Generic - Prisma Cloud - Get Owner By Namespace
Prisma Cloud - Get Owner By Namespace	This playbook will retrieve the potential owners of a runtime audit alert. This is done using the "Namespace" value of the incident in order to query associated resource lists and user roles with associated users. Eventually the playbook returns a list of user objects (if found).
Prisma Cloud - Network API and Anomaly Incidents	This playbook handles incidents of internet exposed services and detect potential risky configurations that can make your cloud environment vulnerable to attacks, and incidents of unusual network and user activity for all users, and are especially critical for privileged users and assumed roles where detecting unusual activity may indicate the first steps in a potential misuse or account compromise.
Prisma Cloud - RQL Execution	This playbook enables Prisma Cloud RQL Execution from the alert layout.
Prisma Cloud - VM Alert Prioritization	This playbook handles incidents related to dozens of Prisma Cloud public VM alerts. It determines the severity of the ingested alert based on data returned from Cortex XSOAR commands interacting with the Prisma Cloud API and creates new issues in either Slack or Jira, with all of the relevant information. The playbook updates the Cortex XSOAR incident’s layout with information the analyst can use to investigate the alert. It also extracts and enriches indicators using existing configured integrations and then closes the investigation. The flow of this playbook is as following: 1) Check the CSP type. 2) Check whether there's a public IP associated to the instance. In case there is, it will continue to other steps, if not, it will set the severity of the incident to "Low" and will close the incident. 3) Check if there are any vulnerabilities or findings related to the instance. 4) Check if there are any IAM permissions associated to the instance. 5) Set the incident severity based on the results: - Low - No public IP was found. - Medium - Public IP was found, other checks didn't return results. - High - Public IP was found and also one of the other checks returned results. - Critical - Public IP was found and both of the other checks returned results. 6) Notifications and ticketing with 3rd party systems. 7) Close the incident. This playbook will run when a new incident is created with the Prisma Cloud - VM Alert Prioritization incident type which also includes a dedicated layout.
Prisma Cloud Compute - Audit Alert	Deprecated. Use "Prisma Cloud Compute - Audit Alert v3" instead. Default playbook for parsing Prisma Cloud Compute audit alerts
Prisma Cloud Compute - Audit Alert Compliance Enrichment	This is a sub-playbook of the "Prisma Cloud Compute - Audit Alert v2" playbook. Retrieves the following information: - Alert profiles. - Container WAAS policies. - Image compliance issues.
Prisma Cloud Compute - Audit Alert Enrichment	This is a sub-playbook of the "Prisma Cloud Compute - Audit Alert v2" playbook. It does the following: - Runs the "Prisma Cloud - Get Account Owner" playbook in order to retrieve potential owners for the alert. - Sets the incident link to the layout. - Pulls image details and alerts - Pulls host scan results.
Prisma Cloud Compute - Audit Alert v2	Deprecated. Use "Prisma Cloud Compute - Audit Alert v3" instead. Default playbook for parsing and enrichment of Prisma Cloud Compute audit alerts.
Prisma Cloud Compute - Audit Alert v3	Default playbook for parsing and enrichment of Prisma Cloud Compute audit alerts. The playbook has the following sections: Enrichment: - Image details - Similar container events - Owner details - Vulnerabilities - Compliance details - Forensics - Defender logs. Remediation: - Block Indicators - Generic v3 - Cloud Response - Generic - Manual Remediation. Currently, the playbook supports incidents created by Runtime and WAAS triggers.
Prisma Cloud Compute - Audit Alert Vulnerabilities Enrichment	This is a sub-playbook of the "Prisma Cloud Compute - Audit Alert v2" playbook. It creates CVE indicators based on image or host vulnerabilities.
Prisma Cloud Compute - Cloud Discovery Alert	Default playbook for parsing Prisma Cloud Compute Cloud Discovery alerts
Prisma Cloud Compute - Compliance Alert	Deprecated. Use Prisma Cloud Compute - Compliance Alert v2 instead.
Prisma Cloud Compute - Compliance Alert Container Enrichment Loop	This is a sub playbook of the "Prisma Cloud Compute - Compliance Alert v2" playbook. It will loop through all of the given compliance issue IDs and will retrieve the following information for each affected container based on the compliance issue ID: - Container ID - Compliance Issues - Compliance Distribution - Hostname - Image Name - Cloud MetaData The enriched information will be displayed in the layout in a dedicated table under the "Container Compliance Information" tab.
Prisma Cloud Compute - Compliance Alert Host Enrichment Loop	This is a sub-playbook of the "Prisma Cloud Compute - Compliance Alert v2" playbook. It will loop through all of the given compliance issue IDs and will retrieve the following information for each affected host based on the compliance issue ID: - Hostname - Compliance Issues - Compliance Distribution - Cloud MetaData The enriched information will be displayed in the layout in a dedicated table under the "Host Compliance Information" tab.
Prisma Cloud Compute - Compliance Alert Image Enrichment Loop	This is a sub playbook of the "Prisma Cloud Compute - Compliance Alert v2" playbook. It will loop through all of the given compliance issue IDs and will retrieve the following information for each affected image based on the compliance issue ID: - Image ID - Compliance Issues - Compliance Distribution - Hosts - Image Instances - Cloud MetaData The enriched information will be displayed in the layout in a dedicated table under the "Image Compliance Information" tab.
Prisma Cloud Compute - Compliance Alert v2	Playbook for enriching Prisma Cloud Compute compliance alerts. It will handle hosts, images and container compliance alerts. Each sub-playbook in this playbook is dedicated to a specific resource type: host, container or image, and will loop through all of the retrieved Compliance Issue IDs in order to retrieve enriched information about each of the resources. The enriched information will be displayed in the layout under dedicated tabs and includes resources information like hostnames, container ID, image ID, cloud provider info, enriched compliance issue details and more. In addition, the playbook can create and update external ticketing systems for each compliance issue automatically with the relevant enriched information. In order to do so, fill the relevant playbook inputs.
Prisma Cloud Compute - Container Forensics	This is a sub-playbook of the "Prisma Cloud Compute - Audit Alert v2" playbook. Gets the container profile and forensics.
Prisma Cloud Compute - Get Container Events	This is a sub-playbook of the "Prisma Cloud Compute - Audit Alert v2" playbook. - Get container runtime or WAAS events and set it in the layout.
Prisma Cloud Compute - Get Defender Logs	This is a sub-playbook of the “Prisma Cloud Compute - Audit Alert v2” playbook. - Gets defender logs and sets them to layout - Downloads defender logs - Gets defender backups
Prisma Cloud Compute - Jira Compliance Issue	This playbook is a sub-playbook of the "Prisma Cloud Compute - Compliance Alert Host Enrichment Loop" playbook. It creates a new Jira issue or updates an existing Jira issue for each compliance ID retrieved in the original Prisma Cloud compliance alert, with enriched data for each resource (host, image or container).
Prisma Cloud Compute - Jira Ticket (Markdown Table)	This playbook is a sub-playbook of the "Prisma Cloud Compute - Jira Compliance Issue" playbook. It creates a new Jira issue or updates an existing Jira issue with a markdown table for the given compliance ID retrieved from the parent playbook, with enriched data for each resource (host, image or container).
Prisma Cloud Compute - Jira Ticket (XLSX)	This playbook is a sub-playbook of the "Prisma Cloud Compute - Jira Compliance Issue" playbook. It creates a new Jira issue or updates an existing Jira issue with an XLSX file for the given compliance ID retrieved from the parent playbook, with enriched data for each resource (host, image or container).
Prisma Cloud Compute - ServiceNow Compliance Ticket	This playbook is a sub-playbook of the "Prisma Cloud Compute - Compliance Alert Host Enrichment Loop" playbook. It creates a new ServiceNow ticket or updates an existing ServiceNow ticket for each compliance ID retrieved in the original Prisma Cloud compliance alert, with enriched data for each resource (host, image or container).
Prisma Cloud Compute - ServiceNow Ticket (HTML Table)	This playbook is a sub-playbook of the "Prisma Cloud Compute - ServiceNow Compliance Ticket" playbook. It creates a new ServiceNow ticket or updates an existing ServiceNow ticket with an HTML table for the given compliance ID retrieved from the parent playbook, with enriched data for each resource (host, image or container).
Prisma Cloud Compute - ServiceNow Ticket (XLSX)	This playbook is a sub-playbook of the "Prisma Cloud Compute - ServiceNow Compliance Ticket" playbook. It creates a new ServiceNow ticket or updates an existing ServiceNow ticket with an XLSX file for the given compliance ID retrieved from the parent playbook, with enriched data for each resource (host, image or container).
Prisma Cloud Compute - Vulnerability Alert	Default playbook for parsing Prisma Cloud Compute vulnerability alerts
Prisma Cloud Compute Vulnerability and Compliance Reporting	Deprecated. No available replacement.
Prisma Cloud Correlate Alerts	Deprecated. Use Prisma Cloud Correlate Alerts v2 instead. Search alerts in Prisma Cloud for a specific asset ID and, if present in XSOAR, link them.
Prisma Cloud Correlate Alerts v2	Search alerts in Prisma Cloud for a specific asset ID and, if present in Cortex XSOAR, link them.
Prisma Cloud Remediation - AWS CloudTrail is not Enabled on the Account	AWS Cloudtrail is a service which provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. To remediate Prisma Cloud Alert "CloudTrail is not enabled on the account", this playbook creates an S3 bucket to host Cloudtrail logs and enable Cloudtrail (includes all region events and global service events).
Prisma Cloud Remediation - AWS CloudTrail Misconfiguration	Deprecated. Use Prisma Cloud Remediation - AWS CloudTrail Misconfiguration v2 instead. This playbook remediates Prisma Cloud AWS CloudTrail alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - AWS CloudTrail Trail Log Validation Is Not Enabled In All Regions - AWS CloudTrail is not enabled in all regions - AWS CloudTrail Trail Is Not Integrated With CloudWatch Logs - AWS CloudTrail is not enabled on the account
Prisma Cloud Remediation - AWS CloudTrail Misconfiguration v2	This playbook remediates Prisma Cloud AWS CloudTrail alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - AWS CloudTrail Trail Log Validation Is Not Enabled In All Regions - AWS CloudTrail is not enabled in all regions - AWS CloudTrail Trail Is Not Integrated With CloudWatch Logs - AWS CloudTrail is not enabled on the account.
Prisma Cloud Remediation - AWS CloudTrail Trail Misconfiguration	This playbook remediates the following Prisma Cloud AWS CloudTrail alerts. Prisma Cloud policies remediated: - AWS CloudTrail Trail Log Validation Is Not Enabled In All Regions - AWS CloudTrail is not enabled in all regions.
Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration	Deprecated. Use Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration v2 instead. This playbook remediates Prisma Cloud AWS EC2 alerts. It calls the following sub-playbooks to perform the remediation: - AWS Default Security Group Does Not Restrict All Traffic - AWS Security Groups Allow Internet Traffic - AWS Security Groups With Inbound Rule Overly Permissive To All Traffic - AWS Security Groups allow internet traffic from internet to FTP-Data port (20) - AWS Security Groups allow internet traffic from internet to FTP port (21) - AWS Security Groups allow internet traffic to SSH port (22) - AWS Security Group allows all traffic on SSH port (22) - AWS Security Groups allow internet traffic from internet to Telnet port (23) - AWS Security Groups allow internet traffic from internet to SMTP port (25) - AWS Security Groups allow internet traffic from internet to DNS port (53) - AWS Security Groups allow internet traffic from internet to Windows RPC port (135) - AWS Security Groups allow internet traffic from internet to NetBIOS port (137) - AWS Security Groups allow internet traffic from internet to NetBIOS port (138) - AWS Security Groups allow internet traffic from internet to CIFS port (445) - AWS Security Groups allow internet traffic from internet to SQLServer port (1433) - AWS Security Groups allow internet traffic from internet to SQLServer port (1434) - AWS Security Groups allow internet traffic from internet to MYSQL port (3306) - AWS Security Groups allow internet traffic from internet to RDP port (3389) - AWS Security Groups allow internet traffic from internet to MSQL port (4333) - AWS Security Groups allow internet traffic from internet to PostgreSQL port (5432) - AWS Security Groups allow internet traffic from internet to VNC Listener port (5500) - AWS Security Groups allow internet traffic from internet to VNC Server port (5900)
Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration v2	This playbook remediates Prisma Cloud AWS EC2 alerts. It calls the following sub-playbooks to perform the remediation: - AWS Default Security Group Does Not Restrict All Traffic (policy id: 2378dbf4-b104-4bda-9b05-7417affbba3f) - AWS Security Group allows all traffic on SSH port (22) (policy id: 617b9138-584b-4e8e-ad15-7fbabafbed1a) - AWS Security Groups allow internet traffic from internet to RDP port (3389) (policy id: b82f90ce-ed8b-4b49-970c-2268b0a6c2e5).
Prisma Cloud Remediation - AWS EC2 Security Group Misconfiguration	This playbook remediates the Prisma Cloud AWS EC2 alerts generated by the following policies: - AWS Default Security Group Does Not Restrict All Traffic - AWS Security Group allows all traffic on SSH port (22).
Prisma Cloud Remediation - AWS IAM Password Policy Misconfiguration	This playbook remediates the following Prisma Cloud AWS IAM password policy alerts. Prisma Cloud policies remediated: - AWS IAM password policy allows password reuse - AWS IAM password policy does not expire in 90 days - AWS IAM password policy does not have a lowercase character - AWS IAM password policy does not have a minimum of 14 characters - AWS IAM password policy does not have a number - AWS IAM password policy does not have a symbol - AWS IAM password policy does not have a uppercase character - AWS IAM password policy does not have password expiration period - AWS IAM Password policy is insecure
Prisma Cloud Remediation - AWS IAM Policy Misconfiguration	Deprecated. Use Prisma Cloud Remediation - AWS IAM Policy Misconfiguration v2 instead. This playbook remediates Prisma Cloud AWS IAM policy alerts. It uses sub-playbooks that perform the remediation steps.
Prisma Cloud Remediation - AWS IAM Policy Misconfiguration v2	This playbook remediates Prisma Cloud AWS IAM policy alerts. It uses sub-playbooks that perform the remediation steps.
Prisma Cloud Remediation - AWS Inactive Users For More Than 30 Days	To increase the security of your AWS account, it is recommended to find and remove IAM user credentials (passwords, access keys) that have not been used within a specified period of time. To remediate Prisma Cloud Alert Inactive users for more than 30 days, this playbook deactivates the user by disabling the access keys (marking them as inactive) as well as resetting the user console password.
Prisma Cloud Remediation - AWS Security Groups Allows Internet Traffic To TCP Port	This playbook extracts the TCP public Security Groups rule and provides manual/automatic options to have the rules revoked.
Prisma Cloud Remediation - Azure AKS Cluster Misconfiguration	This playbook remediates the following Prisma Cloud Azure AKS cluster alerts. Prisma Cloud policies remediated: - Azure AKS cluster monitoring not enabled - Azure AKS cluster HTTP application routing enabled
Prisma Cloud Remediation - Azure AKS Misconfiguration	Deprecated. Use Prisma Cloud Remediation - Azure AKS Misconfiguration v2 instead. This playbook remediates Prisma Cloud Azure AKS alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - Azure AKS cluster monitoring not enabled - Azure AKS cluster HTTP application routing enabled
Prisma Cloud Remediation - Azure AKS Misconfiguration v2	This playbook remediates Prisma Cloud Azure AKS alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - Azure AKS cluster monitoring not enabled - Azure AKS cluster HTTP application routing enabled
Prisma Cloud Remediation - Azure Network Misconfiguration	Deprecated. Use Prisma Cloud Remediation - Azure Network Misconfiguration v2 instead. This playbook remediates Prisma Cloud Azure Network alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on any protocol - Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on TCP protocol - Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on UDP protocol - Azure Network Security Group (NSG) allows SSH traffic from internet on port 22 - Azure Network Security Group (NSG) allows traffic from internet on port 3389 - Azure Network Security Group allows DNS (TCP Port 53) - Azure Network Security Group allows FTP (TCP Port 21) - Azure Network Security Group allows FTP-Data (TCP Port 20) - Azure Network Security Group allows MSQL (TCP Port 4333) - Azure Network Security Group allows MySQL (TCP Port 3306) - Azure Network Security Group allows Windows RPC (TCP Port 135) - Azure Network Security Group allows Windows SMB (TCP Port 445) - Azure Network Security Group allows PostgreSQL (TCP Port 5432) - Azure Network Security Group allows SMTP (TCP Port 25) - Azure Network Security Group allows SqlServer (TCP Port 1433) - Azure Network Security Group allows Telnet (TCP Port 23) - Azure Network Security Group allows VNC Listener (TCP Port 5500) - Azure Network Security Group allows all traffic on ICMP (Ping) - Azure Network Security Group allows CIFS (UDP Port 445) - Azure Network Security Group allows NetBIOS (UDP Port 137) - Azure Network Security Group allows NetBIOS (UDP Port 138) - Azure Network Security Group allows SQLServer (UDP Port 1434) - Azure Network Security Group allows DNS (UDP Port 53)
Prisma Cloud Remediation - Azure Network Misconfiguration v2	This playbook remediates Prisma Cloud Azure Network alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on any protocol - Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on TCP protocol - Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on UDP protocol - Azure Network Security Group (NSG) allows SSH traffic from internet on port 22 - Azure Network Security Group (NSG) allows traffic from internet on port 3389 - Azure Network Security Group allows DNS (TCP Port 53) - Azure Network Security Group allows FTP (TCP Port 21) - Azure Network Security Group allows FTP-Data (TCP Port 20) - Azure Network Security Group allows MSQL (TCP Port 4333) - Azure Network Security Group allows MySQL (TCP Port 3306) - Azure Network Security Group allows Windows RPC (TCP Port 135) - Azure Network Security Group allows Windows SMB (TCP Port 445) - Azure Network Security Group allows PostgreSQL (TCP Port 5432) - Azure Network Security Group allows SMTP (TCP Port 25) - Azure Network Security Group allows SqlServer (TCP Port 1433) - Azure Network Security Group allows Telnet (TCP Port 23) - Azure Network Security Group allows VNC Listener (TCP Port 5500) - Azure Network Security Group allows all traffic on ICMP (Ping) - Azure Network Security Group allows CIFS (UDP Port 445) - Azure Network Security Group allows NetBIOS (UDP Port 137) - Azure Network Security Group allows NetBIOS (UDP Port 138) - Azure Network Security Group allows SQLServer (UDP Port 1434) - Azure Network Security Group allows DNS (UDP Port 53).
Prisma Cloud Remediation - Azure Network Security Group Misconfiguration	This playbook remediates the following Prisma Cloud Azure Network security group alerts. Prisma Cloud policies remediated: - Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on any protocol - Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on TCP protocol - Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on UDP protocol - Azure Network Security Group (NSG) allows SSH traffic from internet on port 22 - Azure Network Security Group (NSG) allows traffic from internet on port 3389 - Azure Network Security Group allows DNS (TCP Port 53) - Azure Network Security Group allows FTP (TCP Port 21) - Azure Network Security Group allows FTP-Data (TCP Port 20) - Azure Network Security Group allows MSQL (TCP Port 4333) - Azure Network Security Group allows MySQL (TCP Port 3306) - Azure Network Security Group allows Windows RPC (TCP Port 135) - Azure Network Security Group allows Windows SMB (TCP Port 445) - Azure Network Security Group allows PostgreSQL (TCP Port 5432) - Azure Network Security Group allows SMTP (TCP Port 25) - Azure Network Security Group allows SqlServer (TCP Port 1433) - Azure Network Security Group allows Telnet (TCP Port 23) - Azure Network Security Group allows VNC Listener (TCP Port 5500) - Azure Network Security Group allows all traffic on ICMP (Ping) - Azure Network Security Group allows CIFS (UDP Port 445) - Azure Network Security Group allows NetBIOS (UDP Port 137) - Azure Network Security Group allows NetBIOS (UDP Port 138) - Azure Network Security Group allows SQLServer (UDP Port 1434) - Azure Network Security Group allows DNS (UDP Port 53)
Prisma Cloud Remediation - Azure SQL Database Misconfiguration	This playbook remediates the following Prisma Cloud Azure SQL database alerts. Prisma Cloud policies remediated: - Azure SQL database auditing is disabled - Azure SQL Database with Auditing Retention less than 90 days - Azure Threat Detection on SQL databases is set to Off - Azure SQL Database with Threat Retention less than or equals to 90 days
Prisma Cloud Remediation - Azure SQL Misconfiguration	Deprecated. Use Prisma Cloud Remediation - Azure SQL Misconfiguration v2 instead. This playbook remediates Prisma Cloud Azure SQL alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - Azure SQL database auditing is disabled - Azure SQL Database with Auditing Retention less than 90 days - Azure Threat Detection on SQL databases is set to Off - Azure SQL Database with Threat Retention less than or equals to 90 days
Prisma Cloud Remediation - Azure SQL Misconfiguration v2	This playbook remediates Prisma Cloud Azure SQL alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - Azure SQL database auditing is disabled - Azure SQL Database with Auditing Retention less than 90 days - Azure Threat Detection on SQL databases is set to Off - Azure SQL Database with Threat Retention less than or equals to 90 days
Prisma Cloud Remediation - Azure Storage Blob Misconfiguration	This playbook remediates the following Prisma Cloud Azure Storage blob alerts. Prisma Cloud policies remediated: - Azure storage account has a blob container with public access - Azure storage account logging for blobs is disabled
Prisma Cloud Remediation - Azure Storage Misconfiguration	Deprecated. Use Prisma Cloud Remediation - Azure Storage Misconfiguration v2 instead. This playbook remediates Prisma Cloud Azure Storage alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - Azure storage account has a blob container with public access - Azure storage account logging for blobs is disabled - Azure Storage Accounts without Secure transfer enabled - Azure storage account logging for queues is disabled - Azure storage account logging for tables is disabled #95
Prisma Cloud Remediation - Azure Storage Misconfiguration v2	This playbook remediates Prisma Cloud Azure Storage alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - Azure storage account has a blob container with public access - Azure storage account logging for blobs is disabled - Azure Storage Accounts without Secure transfer enabled - Azure storage account logging for queues is disabled - Azure storage account logging for tables is disabled
Prisma Cloud Remediation - GCP Compute Engine Misconfiguration	Deprecated. Use Prisma Cloud Remediation - GCP Compute Engine Misconfiguration v2 instead. This playbook remediates Prisma Cloud GCP Compute Engine alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - GCP VM instances have serial port access enabled - GCP VM instances have block project-wide SSH keys feature disabled - GCP VM instances without any custom metadata information
Prisma Cloud Remediation - GCP Compute Engine Misconfiguration v2	This playbook remediates Prisma Cloud GCP Compute Engine alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - GCP VM instances have serial port access enabled - GCP VM instances have block project-wide SSH keys feature disabled - GCP VM instances without any custom metadata information.
Prisma Cloud Remediation - GCP Kubernetes Engine Cluster Misconfiguration	This playbook remediates the following Prisma Cloud GCP Kubernetes Engine Cluster alerts. Prisma Cloud policies remediated: GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled GCP Kubernetes Engine Clusters have HTTP load balancing disabled GCP Kubernetes Engine Clusters have Legacy Authorization enabled GCP Kubernetes Engine Clusters have Master authorized networks disabled GCP Kubernetes Engine Clusters have Network policy disabled GCP Kubernetes Engine Clusters have Stackdriver Logging disabled GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled GCP Kubernetes Engine Clusters have binary authorization disabled GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled GCP Kubernetes cluster intra-node visibility disabled
Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration	Deprecated. Use Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration v2 instead. This playbook remediates Prisma Cloud GCP Kubernetes Engine alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled GCP Kubernetes Engine Clusters have HTTP load balancing disabled GCP Kubernetes Engine Clusters have Legacy Authorization enabled GCP Kubernetes Engine Clusters have Master authorized networks disabled GCP Kubernetes Engine Clusters have Network policy disabled GCP Kubernetes Engine Clusters have Stackdriver Logging disabled GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled GCP Kubernetes Engine Clusters have binary authorization disabled GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled GCP Kubernetes cluster intra-node visibility disabled
Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration v2	This playbook remediates Prisma Cloud GCP Kubernetes Engine alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled GCP Kubernetes Engine Clusters have HTTP load balancing disabled GCP Kubernetes Engine Clusters have Legacy Authorization enabled GCP Kubernetes Engine Clusters have Master authorized networks disabled GCP Kubernetes Engine Clusters have Network policy disabled GCP Kubernetes Engine Clusters have Stackdriver Logging disabled GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled GCP Kubernetes Engine Clusters have binary authorization disabled GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled GCP Kubernetes cluster intra-node visibility disabled.
Prisma Cloud Remediation - GCP VPC Network Firewall Misconfiguration	This playbook remediates the following Prisma Cloud GCP VPC Network Firewall alerts. Prisma Cloud policies remediated: - GCP Firewall rule allows internet traffic to FTP port (21) - GCP Firewall rule allows internet traffic to HTTP port (80) - GCP Firewall rule allows internet traffic to MongoDB port (27017) - GCP Firewall rule allows internet traffic to MySQL DB port (3306) - GCP Firewall rule allows internet traffic to Oracle DB port (1521) - GCP Firewall rule allows internet traffic to PostgreSQL port (5432) - GCP Firewall rule allows internet traffic to RDP port (3389) - GCP Firewall rule allows internet traffic to SSH port (22) - GCP Firewall rule allows internet traffic to Telnet port (23) - GCP Firewall rule allows internet traffic to DNS port (53) - GCP Firewall rule allows internet traffic to Microsoft-DS port (445) - GCP Firewall rule allows internet traffic to NetBIOS-SSN port (139) - GCP Firewall rule allows internet traffic to POP3 port (110) - GCP Firewall rule allows internet traffic to SMTP port (25) - GCP Default Firewall rule should not have any rules (except http and https) - GCP Firewall with Inbound rule overly permissive to All Traffic
Prisma Cloud Remediation - GCP VPC Network Misconfiguration	Deprecated. Use Prisma Cloud Remediation - GCP VPC Network Misconfiguration v2 instead. This playbook remediates Prisma Cloud GCP VPC Network alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - GCP project is using the default network - GCP Firewall rule allows internet traffic to FTP port (21) - GCP Firewall rule allows internet traffic to HTTP port (80) - GCP Firewall rule allows internet traffic to MongoDB port (27017) - GCP Firewall rule allows internet traffic to MySQL DB port (3306) - GCP Firewall rule allows internet traffic to Oracle DB port (1521) - GCP Firewall rule allows internet traffic to PostgreSQL port (5432) - GCP Firewall rule allows internet traffic to RDP port (3389) - GCP Firewall rule allows internet traffic to SSH port (22) - GCP Firewall rule allows internet traffic to Telnet port (23) - GCP Firewall rule allows internet traffic to DNS port (53) - GCP Firewall rule allows internet traffic to Microsoft-DS port (445) - GCP Firewall rule allows internet traffic to NetBIOS-SSN port (139) - GCP Firewall rule allows internet traffic to POP3 port (110) - GCP Firewall rule allows internet traffic to SMTP port (25) - GCP Default Firewall rule should not have any rules (except http and https) - GCP Firewall with Inbound rule overly permissive to All Traffic
Prisma Cloud Remediation - GCP VPC Network Misconfiguration v2	This playbook remediates Prisma Cloud GCP VPC Network alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - GCP project is using the default network - GCP Firewall rule allows internet traffic to FTP port (21) - GCP Firewall rule allows internet traffic to HTTP port (80) - GCP Firewall rule allows internet traffic to MongoDB port (27017) - GCP Firewall rule allows internet traffic to MySQL DB port (3306) - GCP Firewall rule allows internet traffic to Oracle DB port (1521) - GCP Firewall rule allows internet traffic to PostgreSQL port (5432) - GCP Firewall rule allows internet traffic to RDP port (3389) - GCP Firewall rule allows internet traffic to SSH port (22) - GCP Firewall rule allows internet traffic to Telnet port (23) - GCP Firewall rule allows internet traffic to DNS port (53) - GCP Firewall rule allows internet traffic to Microsoft-DS port (445) - GCP Firewall rule allows internet traffic to NetBIOS-SSN port (139) - GCP Firewall rule allows internet traffic to POP3 port (110) - GCP Firewall rule allows internet traffic to SMTP port (25) - GCP Default Firewall rule should not have any rules (except http and https) - GCP Firewall with Inbound rule overly permissive to All Traffic
Prisma Cloud Remediation - GCP VPC Network Project Misconfiguration	This playbook remediates the following Prisma Cloud GCP VPC Network Project alerts. Prisma Cloud policies remediated: - GCP project is using the default network
Prisma SASE - Add IPs to Static Address Group	This playbook appends a Static Address Group with provided IPs.
Prisma SASE - Block IP	This playbook assists in blocking communication with the provided IPs in the Prisma SASE policy. If a group name is provided, the IPs will be added to the mentioned static address group (there should be a rule associated with the group name to block communication with that group). And if the group name is not provided, a new group will be created with a dedicated rule to block communication with those IPs.
Prisma SASE - Block URL	The playbook will handle the operation of blocking a URL within the organization. If a category is provided, the URL will be added to the list. If not, a new URL category will be created, and a new security rule that blocks that category.
Prisma SASE - Create a security pre-rule for EDL	This playbook helps to create a security rule to block indicators from an EDL. This playbook should run only once to setup the EDL object and its rule.
Prisma SASE - Create Address Object	This playbook creates new address objects in the Prisma SASE Object section. Those objects can be used later on in other objects such as Security Rules.
Prisma SASE - Create or Edit EDL object	This playbook helps to create an EDL object within the Prisma SASE Objects section.
Prisma SASE - Create or Edit Security Policy Rule	This playbook handles the creation or editing of the Security Policy Rule for Prisma SASE integration.
Prisma SASE - Quarantine a SentinelOne Host With Active Threat	## Goal This playbook is designed to automatically quarantine a SentinelOne host in response to a new threat incident trigger using Prisma SASE. ## Playbook Flow - Trigger: The playbook activates upon the creation of a new SentinelOne Threat incident. - Process: 1. Retrieves the Host ID from Cortex Data Lake. 2. Loads detailed information about the agent. 3. If the Host ID is found and the agent is not decommissioned, it initiates quarantine through Prisma SASE. ## Dependencies and Configuration - This playbook requires being set as the default in the SentinelOne instance configuration. - It specifically responds to events categorized as 'Threats'. - Ensure that the Prisma SASE, Cortex Data Lake and SentinelOne integrations are properly configured and operational for seamless execution of this playbook.
Proactive Threat Hunting	This playbook is the main playbook of the 'Proactive Threat Hunting' pack. It automatically runs during a new hunting session and guides the threat hunter through the session based on the selected hunting method. The available hunting methods are: - SDO Hunt: Constructs the hunting hypothesis based on SDO indicators (Campaign, Malware, Intrusion Set). - Freestyle Hunt: Allows the threat hunter to provide their own queries and IOCs for hunting.
Proactive Threat Hunting - Block Account	This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of blocking a user specified by the analyst.
Proactive Threat Hunting - Block Indicators	This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of blocking indicators specified by the analyst.
Proactive Threat Hunting - Endpoint Isolation	This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of isolating a host specified by the analyst.
Proactive Threat Hunting - Entity Enrichment	This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of enriching information on hosts and users specified by the analyst.
Proactive Threat Hunting - Execute Query	This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of executing a query that will be provided by the analyst. The playbook supports executing a query using the following integrations: - Cortex XDR XQL Engine - Microsoft Defender For Endpoint
Proactive Threat Hunting - Quarantine File	This playbook will be executed from the “Proactive Threat Hunting” layout button with the objective of quarantining a file specified by the analyst. The following integration is supported: - Cortex XDR IR
Proactive Threat Hunting - SDO Threat Hunting	This playbook will be executed when the analyst chooses to perform SDO hunting. The playbook receives an SDO type indicator and executes the following steps: - Searches IOCs related to the SDO indicator - IPs, Hashes, Domains, URLs. - Hunts for the found IOCs using the "Threat Hunting - Generic" sub-playbook. - Searches attack patterns that are related to the SDO indicator. - Searches LOLBAS tools that are related to the found attack patterns. - Hunts for LOLBin executions command-line arguments that are similar to LOLBAS malicious commands patterns.
Process Email - Add custom fields	Deprecated. We recommend using Process Email - Generic playbook instead. Process email - Add email data to a phishing incident's custom fields
Process Email - Core	Deprecated. Use Process Email - Core v2 instead.
Process Email - Core v2	This playbook adds email details to the relevant context entities and handles the case where original emails are attached.
Process Email - EWS	Process an EWS email
Process Email - Generic	Deprecated. Use Process Email - Generic v2 instead.
Process Email - Generic v2	This playbook adds email details to the relevant context entities and handles original email attachments. The v2 playbook enables parsing email artifacts more efficiently, including: - Using incident fields and not incident labels. - Providing separate paths to "Phishing Alerts". - Using the new "Get Original Email - Generic v2" playbook to retrieve original emails as EML files from the following integrations: EWS v2 Microsoft Graph Mail integration Gmail FireEye EX and FireEye CM Proofpoint Protection Server Agari Phishing Defense (EWS v2, MSGraph Mail, Gmail) * Mimecast.
Process Incident - Vectra Detect	This playbook is used to initiate the processing of an incident. This playbook runs when a pending incident is selected for investigation. It will change the state from pending to active and it will list the available users in Vectra and request the user ID to use for assignment. Once the data collection is complete, it will call the Dispatch Incident - Vectra Detect playbook.
Process Incident - Vectra XDR	This playbook is used to initiate the processing of an incident. This playbook runs when a pending incident is selected for investigation. It will change the state from pending to active and it will list the available users in Vectra and request the user ID to use for assignment. Once the data collection is complete, it will call the Dispatch Incident - Vectra XDR playbook.
Process Microsoft's Anti-Spam Headers	This playbook stores the SCL, BCL, and PCL scores if they exist to the associated incident fields (Phishing SCL Score, Phishing PCL Score, and Phishing BCL Score). It also does the following: 1) Sets the email classification to "spam" if the SCL score is equal to or greater than 5. 2) Sets the incident severity according to the playbook inputs (default is: PCL/BCL - Medium, SCL - Low). The severity of the incident is set only when one (or more) of the following occurs: - PCL (Phishing Confidence Level) For a score between and including 4-8: The message content is likely to be phishing. - BCL (Bulk Complaint Level) For a score between and including 4-7: The message is from a bulk sender that generates a mixed number of complaints. For a score between and including 8-9: The message is from a bulk sender that generates a high number of complaints. - SCL (Spam Confidence Level) For a score between and including 5-6: Spam filtering marks the message as spam. For a score of 9: Spam filtering marks the message as high confidence spam. See anti-spam stamps.
Process QWatch Alert - Qintel	Extracts exposure records from a QWatch alert
Process Survey Response	Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is in beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve. This playbook processes the survery responses. It updates that the employee responded to the survey and what their health status is. If necessary, it opens IT or HR incidents, and updates the process survey tracker.
Proofpoint TAP - Event Enrichment	This playbook enriches Proofpoint Targeted Attack Protection (TAP) incidents with forensic evidence. By utilizing the 'proofpoint-get-forensics' command, the playbook retrieves forensic evidence based on the campaign ID and threat ID detected in the Proofpoint TAP incidents.
PS Remote Get File Sample From Path	This playbook leverages the Windows built-in PowerShell and WinRM capabilities to connect to a Windows host to acquire a file as forensic evidence for further analysis.
PS-Remote Acquire Host Forensics	This playbook allows the user to gather multiple forensic data from a Windows endpoint including network traffic, MFT (Master File Table), and registry export by using the PS Remote automation which enables connecting to a Windows host without the need to install any 3rd-party tools using just native Windows management tools.
PS-Remote Get MFT	This playbook leverages the Windows built-in PowerShell and WinRM capabilities to connect to a Windows host to acquire and export the MFT (Master File Table) as forensic evidence for further analysis.
PS-Remote Get Network Traffic	This playbook leverages the Windows built-in PowerShell and WinRM capabilities to connect to a Windows host. It then connectst to the Netsh tool to create an ETL file which is the equivalent of a Wireshark PCAP file by using the PS-Remote integration. After receiving the resultant ETL, XSOAR will be able to convert the ETL to a PCAP file to be parsed and enriched later. Review the Microsoft documentation for how to use ETL filters (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129382(v=ws.11)#using-filters-to-limit-etl-trace-file-details).
PS-Remote Get Registry	This playbook leverages the Windows built-in PowerShell and WinRM capabilities to connect to a Windows host to acquire and export the registry as forensic evidence for further analysis. The capture can be for the entire registry or for a specific hive or path.
Pull Request Creation - AzureDevOps	This playbook creates a pull request using the AzureDevOps integration.
Pull Request Creation - Bitbucket	This playbook creates a pull request using Bitbucket integration.
Pull Request Creation - Generic	This playbook creates a pull request from the content zip file.
Pull Request Creation - Github	This playbook creates a pull request using Github integration.
Pull Request Creation - GitLab	This playbook creates a pull request using GitLab integration.
QRadar - Get offense correlations	Deprecated. Use the `QRadar - Get offense correlations v2` instead.\"\nRun on a QRadar offense to get more information\n\n Get all correlations relevant to the offense\n Get all logs relevant to the correlations (not done by default, set "GetCorrelationLogs\" to \"True\")\n\nInputs-\n GetCorrelationLogs (default - False)\n MaxLogsCount (default - 20)
QRadar - Get offense correlations v2	Deprecated. Use the "QRadar - Get Offense Logs" playbook instead. Run on a QRadar offense to get more information: Get all correlations relevant to the offense Get all logs relevant to the correlations (not done by default - set "GetCorrelationLogs" to "True") Inputs: GetCorrelationLogs (default: False) MaxLogsCount (default: 20)
QRadar - Get Offense Logs	Works for QRadar integration version 3, v1 and v2 are deprecated. Note: You can use the integration to fetch the events with the offense however it will fetch the events according to the specified limit defined in the instance settings. By using this playbook you can define an additional search to query a larger number of logs. Default playbook inputs use the QRadar incident fields such as idoffense, starttime. These fields can be replaced but need to point to relevant offense ID and starttime fields.
QRadar Build Query and Search	The QRadar Build Query and Search playbook creates an AQL query for the QRadar SIEM using the QRadarCreateAQLQuery automation queries. Complex queries take into consideration several inputs and allow including or excluding each of the values as well as performing a full or partial search. Each of the values can be searched across several fields. The playbook supports 3 separate conditions to be evaluated. For example, in the first condition, inputs will evaluate several user names that may or may not exist in several fields. The second input, can for example, evaluate for IP addresses in several fields that may or may not exist in several fields, and a third value can search for an event ID that may or may not exist in several fields. The results of all of the inputs will create an AQL query that covers all of the inputs combining all of the different conditions. Each of the inputs is validated so in case the inputs are not set correctly, the user can review and run them again. Also, populated inputs will be combined, meaning by populating the first and second values the resulting AQL query will be a combination of all of the values and not 3 separate searches. In addition, make sure to populate the inputs in order according to the indexed fields in QRadar (indexed fields should be provided before non indexed ones).
QRadar Generic	The QRadar Generic playbook is executed for the QRadar Generic incident type. It performs all the common parts of the investigation, including notifying the SOC, enriching data for indicators and users, calculating severity, assigning incidents, and notifying the SIEM admin about false positives.
QRadar Get Hunting Results	This playbook is used to sort the QRadar search results to display the IP addresses, assets, and usernames that the search provided. In addition, the results allow you to differentiate between internal and external IP addresses as well as query the QRadar assets API in order to get the assets details from the IP addresses. You can provide the QRadar fields names and the organizations' IP ranges in order to properly sort the data. The end result of the playbook will be the internal and external IP addresses detected as well as the assets and users.
QRadar Indicator Hunting V2	The Playbook queries QRadar SIEM for indicators such as file hashes, IP addresses, domains, or urls.
QRadarCorrelationLog	Deprecated. Use the "QRadar - Get Offense Logs"\ \ playbook instead. This playbook retrieves the correlation logs of multiple QIDs.
QRadarFullSearch	Deprecated.Use the following command instead `qradar-search-retrieve-results`. This playbook runs a QRadar query and return its results to the context.
Quarantine Device in Cisco ISE - PANW IoT 3rd Party Integration	Playbook to handle incident triggered from PANW Iot (Zingbox) UI to quarantine a device in Cisco ISE.
Query Cisco Stealthwatch Flows	This playbook runs a query on Cisco Stealthwatch flows and return its results to the context.
Query using Sigma rules	An example playbook on how to query Sigma rules from within TIM and query a SIEM/EDR.
Ransomware Advanced Analysis	This playbook detects the ransomware type and searches for available decryptors. The playbook uses the ID-Ransomware service, which allows you to detect the ransomware using multiple methods.
Ransomware Enrich and Contain	This playbook is responsible for ransomware alert data enrichment and response. The playbook executes the following: 1.Checks if the initiator is a remote attacker and allows isolating the remote host, if possible. 2.Retrieves the WildFire sandbox report and extract the indicators within it. * The playbook tries to retrieve the report, but if there is no report available, the playbook tries to fetch the ransomware file for detonation. 3.Hunts for the ransomware alert indicators from the alert table, searches for endpoints that have been seen with them, and allows containing the identified endpoints.
Ransomware Exposure - RiskSense	The ransomware exposure playbook reveals an organization's exposure to the specific vulnerabilities that are being exploited to launch ransomware attacks.
Ransomware Playbook - Manual	Master playbook for ransomware incidents. This playbook is a manual playbook.
Ransomware Response	This playbook handles ransomware alerts based on the Cortex XDR Traps module signature 'Suspicious File Modification' Attacker’s Goals: An attacker is attempting to encrypt the victim files for either extortion or destruction purposes. Investigative Actions: Investigate the executed process image and verify if it is malicious using: XDR trusted signers VT trusted signers VT detection rate NSRL DB Response Actions: The playbook’s first response action is a remediation plan which includes two sub-playbooks, Containment Plan and Eradication Plan, which is based on the initial data provided within the alert. In that phase, the playbooks will execute: Auto endpoint isolation Auto block indicators Auto file quarantine Auto user disable Auto process termination Next, the playbook executes an enrichment and response phase which includes two sub-playbooks, Ransomware Enrich and Contain & Account Enrichment - Generic v2.1. The Ransomware Enrich and Contain playbook does the following: 1.Checks if the initiator is a remote attacker and allows isolating the remote host, if possible. 2.Retrieves the WildFire sandbox report and extracts the indicators within it. * The playbook tries to retrieve the report, but if there is no report available, the playbook tries to fetch the ransomware file for detonation. 3.Hunts for the ransomware alert indicators from the alert table, searches for endpoints that have been seen with them, and allows containing the identified endpoints. Next, an advanced analysis playbook, which is currently done mostly manually, will be executed. This sub-playbook, Ransomware Advanced Analysis allows the analyst to upload the ransomware note and for the ransomware identification. Using the ID-Ransomware service, the analyst will be able to get the ransomware type and the decryptor if available. When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes the Containment Plan sub-playbook, is executed. This phase will execute the following containment actions: Manual block indicators Manual file quarantine Auto endpoint isolation Finally, the recovery phase is executed. If the analysts decides to continue with the investigation rather than recover and close the alert, a manual task with CISA official ransomware investigation checklist is provided for further investigation. External resources: MITRE Technique T1486 CISA Ransomware Guide
Rapid Breach Response - Set Incident Info	This playbook is responsible for setting up the Rapid Breach Response Incident Info tab in the layout.
Rapid IOC Hunting Playbook	Deprecated. Use the Hunt File Hash playbook instead. Playbook to quickly react to discovery of new IOCs. Receive a list of IOCs as attached text / csv files, extract IOCs using regular expressions and hunt rapidly across the infrastructure using various integrations. Also supports attaching multiple files.
Rapid ransomware containment - Illumio	Isolate one or more workloads based on traffic flows to a given port/protocol.
Rapid7 - Nexpose - Enrichment	Given an IP address, this playbook searches Rapid7 Nexpose assets for an asset with the associated IP address to retrieve asset information and proceeds to return all associated tags with it.
Rapid7 InsightIDR - Execution Flow Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for execution flow indicators, including registry values, registry keys, registry hives, commands, processes name, and applications. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - File Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for file indicators, including MD5 hashes, SHA256 hashes, SHA1 hashes, file names, file types, and file paths. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - HTTP Requests Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for indicators associated with HTTP requests, including HTTP request methods, user agents, URIs, and Ja3. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Rapid7 InsightIDR - Indicators Hunting	This playbook facilitates threat hunting and detection of IOCs within Rapid7 InsightIDR SIEM logs utilizing four sub-playbooks. The sub-playbooks query Rapid7 InsightIDR SIEM for different indicators including files, traffic, HTTP requests, and execution flows indicators. Note that multiple search values should be separated by commas only (without spaces or any special characters). Supported IOCs for this playbook: - MD5 - SHA1 - SHA256 - IP Address - URLDomain - Registry Value - Registry Key - Registry Hives - Command Line - File Name - Process Name - HTTP Request Methods - User Agent - Port Number - File Path - Geolocation - Email Address - CIDR - URI - Ja3 - FileType
Rapid7 InsightIDR - Traffic Indicators Hunting	This playbook queries Rapid7 InsightIDR SIEM for traffic indicators, including URLs, domains, ports, IP addresses, IP ranges (CIDR), email addresses, and geolocations. Note that multiple search values should be separated by commas only (without spaces or any special characters).
RDP Bitmap Cache - Detect and Hunt	## Playbook: Automated Collection and Forensic Analysis of RDP Sessions Cache Data This playbook automates the collection and forensic analysis of RDP sessions cache data. It involves the following steps: ### Step 1: Collect Cache Files and Convert to Image The first step is to collect the cache files from RDP sessions and convert them into an image format. ### Step 2: Extract Readable Text from the Image Once the cache files are converted into an image, the playbook extracts readable text from the image to facilitate analysis. ### Step 3: Build Indicators of Compromise (IOCs) from Text In this step, the extracted text is used to build indicators of compromise (IOCs) for further investigation and threat hunting. ### Step 4: Enrich Extracted Indicators for Further Hunting Finally, the playbook enriches the extracted indicators by adding additional context and information, enhancing their usefulness for further hunting and analysis. > Note: It is important to customize and adapt this playbook to fit specific use cases and environments. Additionally, ensure compliance with legal and privacy requirements when collecting and analyzing data. Feel free to modify and enhance this playbook according to your requirements.
Reco - Reduce Risk - Google Publicly Exposed Files	The "Reco - Reduce Risk - Google Publicly Exposed Files" playbook aims to identify and mitigate the risk associated with publicly exposed sensitive files on Google Drive. It follows a sequence of tasks to detect such files, analyze their locations, and remove the "anyone with link" permission to enhance data security.
Reco Build String Message	Build a string message from list of files (file name, link)
Reco Google Drive Automation	Automate Google Drive alert remediation with our solution that revokes over-access permissions and shares file details and links with end-users via Slack. Reco workflow seamlessly integrates with Palo Alto Networks' Demisto platform to resolve the alert and streamline your organization's security operations. By automating remediation, you can ensure that sensitive data is protected and that end-users are promptly notified of any changes to their file access. With our solution, you can close alerts in Demisto and improve your organization's security posture with minimal effort.
Reco-Google-Drive-Revoke-Permissions	This workflow enables you to easily list the permissions of files stored in Google Drive, giving you visibility into who has access to your organization's data. If a file's permission is publicly exposed, the workflow restricts access to the file to prevent unauthorized use. Similarly, if a file's permission is set to accessible by all org users and shared with internal users, access to the file is restricted to authorized users only. Using the Google Drive API and built-in conditional logic, this workflow helps you secure sensitive data and streamline your organization's data management.
Recorded Future - Identity Exposure	This playbook was developed as a template response when an Identity Exposure Playbook Alert has been triggered.
Recorded Future - Threat Actor Search	Template playbook to initiate an Automated Threat Hunt based on the Threat Map in Recorded Future. The Playbook fetches links related to the Threat Actors part of the Threat Map from Recorded Future and launches a hunt in the SIEM for any detections within the environment.
Recorded Future CVE Intelligence	CVE enrichment using Recorded Future intelligence
Recorded Future CVE Reputation	CVE reputation with Recorded Future SOAR enrichment
Recorded Future Detailed Alert example
Recorded Future Domain Abuse	This playbook was developed as a template to handle the ingestion of Recorded Future Domain Abuse playbook alerts.
Recorded Future Domain Intelligence	Domain enrichment using Recorded Future intelligence
Recorded Future Domain Reputation	Domain reputation using Recorded Future SOAR enrichment
Recorded Future Entity Enrichment	Template playbook to incorporate Recorded Future enrichment for IPs, Hashes, Domains, URLs into your current workflows. Playbook also shows how to look up available 'Links' data for IOCs.
Recorded Future External Usecase	Deprecated. Use Recorded Future - Identity Exposure instead. Implements an external usecase for Recorded Future Identity Data
Recorded Future File Intelligence	File enrichment using Recorded Future intelligence
Recorded Future File Reputation	File reputation using Recorded Future SOAR enrichment
Recorded Future Identity - Create Incident (sub)	Deprecated. Use Recorded Future - Identity Exposure instead. This playbook was developed as a sub-playbook to generate incidents for each exposed identity found in the Recorded Future Identity - Lookup Identities (parent) playbook.
Recorded Future Identity - Identity Found (incident)	Deprecated. Use Recorded Future - Identity Exposure instead. This playbook was developed as a template response when an Identity has been found and a Recorded Future Identity Incident has been created.
Recorded Future Identity - Lookup Identities (parent)	Deprecated. Use Recorded Future - Identity Exposure instead. This playbook was developed as a template to look up exposed identities and generate incidents if they exist; it can be used within a job.
Recorded Future IOC Reputation	Entity Reputation using sub-playbooks
Recorded Future IP Intelligence	IP Address Enrichment using Recorded Future Intelligence
Recorded Future IP Reputation	IP address reputation using Recorded Future SOAR enrichment
Recorded Future Leaked Credential Alert Handling	Template playbook showing suggested steps to triage leaked credential alerts. Classifier/Mapper are available to ingest Recorded Future Leaked Credential Alerts.
Recorded Future List Management	Manage, view, and edit your lists in Recorded Future.
Recorded Future Playbook Alert Details	A default playbook to fetch details of Playbook alert that does not yet have mapping made by Recorded Future
Recorded Future Sandbox	Template playbook utilizing Hatching.io to sandbox a given file and generate an analysis report. Indicators from the given report are then extracted and enriched with Recorded Future data.
Recorded Future Threat Assessment	Threat Assessment using the Recorded Future SOAR Triage API and the context Phishing.
Recorded Future Typosquat Alert Handling	Template playbook showing suggested steps to triage typo squat alerts. Classifier/Mapper are available to ingest Recorded Future Typo squat Alerts.
Recorded Future URL Intelligence	URL Enrichment using Recorded Future intelligence
Recorded Future URL Reputation	URL reputation using Recorded Future SOAR enrichment
Recorded Future Vulnerability	This playbook was developed as a template to handle the ingestion of Recorded Future Cyber Vulnerability playbook alerts.
Recorded Future Vulnerability Alert Handling	Template playbook showing suggested steps to triage new critical vulnerability alerts. Playbook include New and Critical CVEs. Classifier/Mapper are available to ingest Recorded Future New, Critical or Pre NVD Vulnerability Alerts.
Recorded Future Workforce Usecase	Deprecated. Use Recorded Future - Identity Exposure instead. Implements an workforce usecase for Recorded Future Identity Data
Recovery Plan	This playbook handles all the recovery actions available with Cortex XSIAM, including the following tasks: Unisolate endpoint Restore quarantined file Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.
Registry Parse Data Analysis	This playbook leverages the RegistryParse automation to perform registry analysis and extract forensic artifacts. The automation includes common registry objects to extract which are useful for analyzing registry, or a user provides registry path to parse.
Remediate Message - Agari Phishing Defense	Remediates a given message id.
Remote PsExec with LOLBIN command execution alert	The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source. The playbook aims to efficiently: - Check if the execution is blocked. If not will terminate the process (Manually by default). - Enrich any entities and indicators from the alert and find any related campaigns. - Perform command analysis to provide insights and verdict for the executed command. - Perform further endpoint investigation using XDR. - Checks for any malicious verdict found to raise the severity of the alert. - Perform Automatic/Manual remediation response by blocking any malicious indicators found. The playbook is designed to run as a sub-playbook in ‘Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling’. It depends on the data from the parent playbooks and can not be used as a standalone version.
Remote WMI Process Execution	This playbook addresses the following alerts: Remote WMI process execution Suspicious remote WMI process execution Playbook Stages: Analysis: Enrich the attacker’s IP address to identify any known malicious activity. Retrieve all incident-related alerts to consolidate context for further analysis. Investigation: Analyze command-line activity to assess risks based on suspicious patterns. Check for high-confidence evidence, such as malicious IP addresses or suspicious command-line activity, to determine the next course of action. Evaluate medium-confidence detections and request analyst approval for further containment if required. Containment: Attempt to terminate the malicious process tree using its causality ID. Provide guidance for manual process termination if the automated action fails. Propose endpoint isolation to prevent further compromise if malicious activity is confirmed.
Remove Employees from Departing Employee Watchlist	Loops through Departing Employee watchlist entries from Code42 Incydr and removes employees based on specified criteria.
Remove Employees from New Hire Watchlist	Loops through New Hire watchlist entries from Code42 Incydr and removes employees based on specified criteria.
Report Categorization - Cofense Triage v3	Report Categorization playbook investigates reports that are unprocessed or uncategorized on Cofense Triage as incident alerts in XSOAR and categorizes them based on the severity of the incident.
Reset User Password via Chatbot	This playbook resets the password of an Active Directory or Okta user. The process is as follows: 1. A user requests a password reset using a chatbot in Slack or in Microsoft Teams. 2. The playbook optionally seeks approval to reset the user's password from the relevant stakeholder, or from the user's manager. The request will be available for approval/disapproval for 1 hour. If not processed within that time, it will be disapproved. 3. If the reset was approved, the playbook optionally verifies the user using 2-factor authentication, from the user's available 2FA methods on Okta. 4. If the reset is verified, a new password will be created while meeting the complexity requirements of the organization. 5. The user's password will be reset and set to the newly generated password. The user will be forced to change their password on next login. 6. The new user's password will be placed inside a password-protected ZIP (protected by a different password). 7. The encrypted ZIP file that contains the new password for the user will be sent to the user via email. 8. The password for the ZIP file that contains the new user's password, will be sent to the requesting user through Slack or Teams. This playbook is intended for use with Slack or Teams. In order to use it, please make sure that you have a classifier and mapper in place. The classifier should create a Password Reset via Chatbot incident, while the mapper should map the email of the user to the Reporter Email Address field. This playbook assumes that the user requesting the password reset has the same email in Slack / Teams, and in Active Directory / Okta.
Residents Notification - Breach Notification	This playbook is triggered by a breach notification playbook and is responsible for the resident notification process.
Retrieve Alert Attachments - Rapid7 ThreatCommand	This playbook is used by default for the Rapid7 ThreatCommand alerts being ingested as XSOAR incidents. This playbook retrieves attachments (CSV file and images) using the Alert ID incident field.
Retrieve Alerts For IOCs - Dataminr Pulse	This playbook is used to fetch alerts from Dataminr Pulse, which will be based on the given input text. First, it will extract indicators from the input text, then it will use extracted indicators to retrieve alerts from Dataminr Pulse. After that, it will store related alerts in the context.
Retrieve Asset Details - Lansweeper	Get contextual information of asset based on IP/MAC from Lansweeper.
Retrieve Email Data - Agari Phishing Defense	Retrieve Email Data from one of the Integrations of Gmail, Mail Listener v2, EWS O365, Microsoft Graph Mail.
Retrieve File from Endpoint - Generic	Deprecated. Use `Retrieve File from Endpoint - Generic V3` instead. This playbook retrieves a file sample from an endpoint using the following playbooks: - Get File Sample From Path - Generic - Get File Sample By Hash - Generic v2
Retrieve File from Endpoint - Generic V2	Deprecated. Use `Retrieve File from Endpoint - Generic V3` instead. 'This playbook retrieves a file sample from an endpoint using the following playbooks:' - Get File Sample From Path - Generic v2. - Get File Sample By Hash - Generic v3.
Retrieve File from Endpoint - Generic V3	'This playbook retrieves a file sample from an endpoint using the following playbooks:' - Get File Sample From Path - Generic v2. - Get File Sample By Hash - Generic v3.
Retrieve Related Alerts - Dataminr Pulse	This playbook is used to fetch related alerts for Dataminr Pulse. The information required to fetch related alerts will be used from the incident s alert ID for which the playbook is going to run. After that, it will store them in the context.
RiskIQAsset Basic Information Enrichment - RiskIQ Digital Footprint	This playbook receives indicators from its parent playbook and enriches the basic information and the detected CVEs for the "RiskIQAsset" type of indicators. This playbook needs to be used with caution as it might use up the integrations' API license when running for large amounts of indicators. Supported Integrations: - RiskIQ Digital Footprint - VulnDB - CVE Search - IBM X-Force
RiskIQAsset Enrichment - RiskIQ Digital Footprint	Enriches the "RiskIQAsset" type of indicators with basic information and CVEs detected for the asset, performs a vulnerability scan for "Host" and "IP Address" type of assets, and enriches received information in the context as well as provides the user to add to allow list a list of "IP Address" type of assets. This playbook also enriches the detected CVEs. To select the indicators you want to enrich, go to playbook inputs, choose "from indicators" and set your query. For example type:RiskIQAsset etc. The default playbook query is "type:RiskIQAsset". In case indicators with specific "riskiqassettype" are to be enriched, the query must be edited accordingly. This playbook needs to be used with caution as it might use up the integrations' API license when running for large amounts of indicators. Supported integrations: - RiskIQ Digital Footprint - Tenable.io - Google Cloud Compute - AWS - EC2 - Okta v2
RSS Create Indicators From Report	The playbook: 1. Extracts indicators from Threat intel reports. 2. Creates relationships between the extracted indicators and the report. 3. Runs enrich indicators command on the extracted indicators. Cortex XSOAR recommends that you configure a job to execute this playbook. 1. Configure a job that will run the RSS Create Indicators From Report playbook. 1. Select the Triggered by delta in feed option. 2. Select the feed on which to run the job. 2. Configure input to the RSS Create Indicators From Report playbook: - From the context data input: Tag name - the indicator will be tagged with this value when the playbook finishes processing and all the indicators are extracted and relationships created. - From the indicators: Create a query to include only new report indicators that were not processed yet. Recommended query: "type:Report -tags:{Tag name configured from the context data input} -tags:in_process". The playbook tags all indicators with the "in_process" tag when it starts running, and removes the tag when the playbook ends. If you want the playbook to run on a specific instance (a specific feed), add the following filter to the query: sourceInstances:"{the selected instance}". Note that if you selected the Triggered by delta in feed option when configuring the Job, the “Run only on new and modified indicators” playbook option is automatically selected.
Rubrik Anomaly Incident Response - Rubrik Polaris	This playbook will investigate an anomaly incident ingested by the integration "RubrikPolaris", enrich its data, and perform a remediation according to the incident's object type.
Rubrik Data Object Discovery - Rubrik Polaris	Data discovery of the object available in the incident.
Rubrik File Context Analysis - Rubrik Polaris	This playbook fetches file context information for the provided file, folder, or file share name and the object ID to get the policy hits.
Rubrik Fileset Ransomware Discovery - Rubrik Polaris	This playbook performs IOC Scan on fileset object. It also creates tickets on ServiceNow using "ServiceNow v2" integration. Supported integrations: - RubrikPolaris - ServiceNow v2
Rubrik IOC Scan - Rubrik Polaris	This playbook starts an IOC Scan with the provided IOC values. It can be looped until recoverable snapshots are obtained or the limit to loop is reached.
Rubrik List Snapshots - Rubrik Polaris	List snapshots for all objects.
Rubrik Object Context Analysis - Rubrik Polaris	This playbook will investigate based on the object type from the Rubrik Anomaly incident to retrieve the policy hits of the files related to the object.
Rubrik Polaris - Anomaly Analysis	Monitor the progress of a Rubrik Radar anomaly event and use Rubrik Sonar to check for data classification hits.
Rubrik Poll Async Result - Rubrik Polaris	Poll async result for any asynchronous request made to rubrik.
Rubrik Ransomware Discovery and File Recovery - Rubrik Polaris	This playbook performs an IOC Scan based on the provided inputs, search the recoverable snapshot and performs recovery on the searched recoverable snapshot. This playbook also creates tickets on ServiceNow using "ServiceNow v2" integration. Supported integrations: - RubrikPolaris - ServiceNow v2
Rubrik Ransomware Discovery and VM Recovery - Rubrik Polaris	Use this playbook to recover a virtual machine using the "RubrikPolaris" integration by either exporting or live-mounting a backup snapshot. This playbook also creates tickets on ServiceNow using "ServiceNow v2" integration. Supported integrations: - RubrikPolaris - ServiceNow v2
Rubrik Retrieve Anomaly Result - Rubrik Security Cloud	This playbook retrieves the list of anomaly files for the provided snapshot ID (or activity series ID) and generates the downloadable links for the file path(s).
Rubrik Retrieve User Access Information - Rubrik Polaris	This playbook retrieves User Intelligence information for the provided username or email, which includes the user's risk level and the types of analyzer hits.
Rubrik Update Anomaly Status- Rubrik Security Cloud	This playbook updates status of the Anomaly Detection snapshot for the provided anomaly ID (or activity series ID) and workload ID (or Object ID).
Rubrik User Access Analysis - Rubrik Polaris	This playbook fetches User Intelligence information for the provided username or email, and then increases the incident severity based on the user risk levels.
Rubrik Workload Analysis - Rubrik Security Cloud	This playbook fetches workload information for the provided IPs or domains/hostnames, and then increases the XSOAR incident severity based on the workload risk levels and threat information.
Run Panorama Best Practice Assessment (Deprecated)	Deprecated. Use Palo Alto Networks AIops instead, run aiops-bpa-report-generate command.
Rundeck-job-execute-Generic	This playbook executes a job and exits when it successfully finishes.
Saas Security - Incident Processor	This playbook notifies incidents owner and provides remediation options to Saas Security admin for resolving incidents.
SaaS Security - Remediate an Asset	Take a remediation action over an asset: Use this playbook as a sub-playbook to take a remediation action on an asset. Available remediation actions are 1) Remove public sharing, 2) Quarantine, and 3) Restore. This playbook implements polling by continuously running the `saas-security-remediation-status-get` command to get the remediation status for a given asset ID, until the operation completes. The remote action should have the following structure: 1. Initiate the operation - provide the Asset ID and the remediation action. 2. Poll to check if the operation completed. 3. Get the results of the operation.
Saas Security - Take Action on the Incident	This sub-playbook will send email notification to the Saas Security Admin for taking remediation action on the incident.
SafeBreach - Compare and Validate Insight Indicators	Deprecated. No available replacement.
SafeBreach - Create Incidents per Insight and Associate Indicators	Deprecated. No available replacement.
SafeBreach - Process Non-Behavioral Insights Feed	Deprecated. No available replacement.
SafeBreach - Rerun Insights	Deprecated. No available replacement.
SafeBreach - Rerun Single Insight	Deprecated. No available replacement.
SafeNet Trusted Access - Add to Unusual Activity Group	This playbook adds the user to a group that was created to identify unusual activity. SafeNet Trusted Access policies can be configured to take this into account and provide stronger protection when handling access events from users who are members of the group. The user is added to this group for a configurable period of time.
SafeNet Trusted Access - Terminate User SSO Sessions	This playbook terminates user SSO sessions so that upon the next login attempt following the unlocking of the account, authentication is required.
SailPoint IdentityIQ Disable User Account Access	Checks if the risk score of an identity exceeds a set threshold of 500 and disables the accounts.
Sanitize File - CDR - ThreatZone	Sanitize one file using the ThreatZone CDR integration. Returns relevant reports to the War Room and file reputations to the context data. CDR Scan Extensions: doc, docm, docx, dotm, ppt, pptm, pptx, xls, xlsm, pdf, odc, odt, ott, odp, otp, ods, ots, rtf, tiff, jpeg, png, gif, bmp, webp, jpx, svg, zip, xml, ics, html, lnk, xlsx.
SANS - Incident Handler's Handbook Template	This playbook contains the phases for handling an incident as they are described in the SANS Institute ‘Incident Handler's Handbook’ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 ***Disclaimer: This playbook does not ensure compliance to SANS regulations.
SANS - Incident Handlers Checklist	This playbook follows the "Incident Handler's Checklist" described in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 ***Disclaimer: This playbook does not ensure compliance to SANS regulations.
SANS - Lessons Learned	This playbook assists in post-processing an incident and facilitates the lessons learned stage, as presented by SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 ***Disclaimer: This playbook does not ensure compliance to SANS regulations.
Scan and Isolate - XM Cyber	An example of playbook using data from XM Cyber to help decide about scanning and isolating a threat
Scan Assets - Nexpose	Deprecated. Use the "Scan Site - Nexpose" playbook instead.
Scan Site - Nexpose	Starts a Nexpose scan by site id and waits for the scan to finish by polling its status in pre-defined intervals.
Schedule Task and Poll	This playbook will schedule a specified command and monitor for completion by looking for output in context. Make the playbook context shared globally if you have a command that returns to Context automatically and you have a specific key to monitor. The key monitored must be a single field value and not an array.
Scheduled task created with HTTP or FTP reference	This playbook is designed to handle the alert "Scheduled task created with HTTP or FTP reference". The playbook executes the following stages: Investigation: During the alert investigation, the playbook will perform the following: - Checks the IP and the URL reputation. - Checks the CGO process signature. - Searches for related XDR agent alerts to determine if the creation of the scheduled task is part of an attack pattern. Remediation: - Remediation actions will be taken if the CGO process is unsigned, the IP or URL has a malicious reputation, or a related alert is detected. In these cases, the playbook will disable the scheduled task, block the malicious indicators, and close the alert. Requires: To block the malicious URL and IP, configure 'Palo Alto Networks PAN-OS' integration.
Search all mailboxes - Gmail with polling	This playbook searches Gmail records for all Google users, designed for large companies with over 2500 Google users.
Search And Block Software - Generic	This playbook will search a file or process activity of a software by a given image file name. The analyst can then choose the files to block. The following integrations are supported: - Cortex XDR XQL Engine - Microsoft Defender For Endpoint
Search and Compare Process Executions - Generic	This playbook is a generic playbook that receives a process name and a command-line argument. It searches for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations: - Cortex XDR XQL Engine - Cortex XDR IR(Search executions inside XDR alerts) - Microsoft Defender For Endpoint Note: Under the "Processes" input, the playbook should receive an array that contains the following keys: - value: process name - commands: command-line arguments
Search And Delete Emails - EWS	This playbook searches EWS to identify and delete emails with similar attributes of a malicious email.
Search And Delete Emails - Generic	Deprecated. Use `Search And Delete Emails - Generic v2` instead. This playbook searches and delete emails with similar attributes of a malicious email.
Search And Delete Emails - Generic v2	This playbook searches and deletes emails with similar attributes of a malicious email using one of the following integrations: EWS Office 365 Gmail Agari Phishing Defense.
Search And Delete Emails - Gmail	This playbook searches Gmail to identify and delete emails with similar attributes to the malicious email.
Search Endpoint by CVE - Generic	Hunt for assets with a given CVE using available tools
Search Endpoints By Hash - Carbon Black Protection	Hunt for endpoint activity involving hash IOCs, using Carbon Black Protection.
Search Endpoints By Hash - Carbon Black Response	Deprecated. Use the Search Search Endpoints By Hash - Carbon Black Response V2 playbook instead. Hunt for malicious indicators using Carbon Black.
Search Endpoints By Hash - Carbon Black Response V2	Hunt for malicious indicators using Carbon Black
Search Endpoints By Hash - CrowdStrike	Deprecated. Use CrowdStrike Falcon instead.
Search Endpoints By Hash - Cybereason	Hunt for endpoint activity involving hash, using Cybereason.
Search Endpoints By Hash - Generic	Deprecated. Use the Search Endpoints By Hash - Generic V2 playbook instead. Hunt using available tools
Search Endpoints By Hash - Generic V2	Hunt using available tools
Search Endpoints By Hash - TIE	Hunt for sightings of MD5, SHA1 and/or SHA256 hashes on endpoints, using McAfee TIE (requires ePO as well). Input: Hash (default, takes all deferent hashes from context) Output: All agents that files with "Hash" has been executed on (TIE) * Enrich Agents info from ePO
Search For Hash In Sandbox - Generic	This playbook searches for a specific hash in the supported sandboxes. If the hash is known, the playbook provides a detailed analysis of the sandbox report. Currently, supported sandboxes are Falcon Intelligence Sandbox, Wildfire and Joe Sandbox.
Search in mailboxes Gmail (Loop) with polling	This playbook should only run as a sub-playbook for the Search-all-mailboxes - Gmail playbook, it should not run alone.
Search LOLBAS Tools By Name	This playbook searches for LOLBAS tools by their name, and returns the tool command from LOLBAS.
Send Indicators - Cofense Triage v3	Send Indicators playbook is used to create or update threat indicators in Cofense Triage that have been identified as malicious or suspicious by the analysis.
Send Investigation Summary Reports	This playbook iterates over closed incidents, generates a summary report for each closed incident, and emails the reports to specified users.
Send Investigation Summary Reports Job	You should run this playbook as a scheduled job, whicn should run at an interval of once every 15 minutes. This playbook functions by calling the sub-playbook: "Send Investigation Summary Reports", and closes the incident. By default, the playbook will search all incidents closed within the last hour. If you want to run the playbook more frequently, you should adjust the search query of the child playbook: "Send Investigation Summary". Reports.
Sentinel One - Endpoint data collection	Deprecated. No available replacement.
Sentinel One - Query Endpoints	Runs Query on Endpoints for SHA1 values
Service Desk Plus - Generic Polling	This playbook uses generic polling to wait until a request is closed.
ServiceNow - Ticket Management	`ServiceNow - Ticket Management` allows you to open a new ticket or comment on an existing ticket.
ServiceNow Change Management	If you are using a PAN-OS/Panorama firewall and ServiceNow as a ticketing system this playbook is a perfect match for your change management for firewall process. This playbook is triggered by a fetch from ServiceNow and will help you manage and automate your change management process.
ServiceNow CMDB Search	Subplaybook for finding CI records in ServiceNow CMDB.
ServiceNow Ticket State Polling	Use ServiceNow Incident State Polling as a sub-playbook when required to pause the execution of a master playbook until the ServiceNow ticket state is either resolved or closed. This playbook implements polling by continuously running the servicenow-get-ticket command until the state is either resolved or closed.
Set RaDark Grid For Compromised Accounts	Set grid for RaDark - Compromised Accounts incidents.
Set RaDark Grid For Credit Cards	Set grid for RaDark - Credit Cards incidents.
Set RaDark Grid For Hacking Discussions	Set grid for RaDark - Hacking Discussions incidents.
Set RaDark Grid For Leaked Credentials	Set grid for RaDark - Leaked Credentials incidents.
Set RaDark Grid For Network Vulnerabilities	Set grid for RaDark - Network Vulnerabilities incidents.
Set RDP Bitmap Cache Overall Score	This playbook sets the RDP bitmap cache overall score
Set Team Members	This playbook will accept a CSV of usernames and / or a CSV of role names (of which to enumerate for usernames) to add to the incidents team members. The playbook will determine the existing owner and ensure that they are replaced as the owner once complete.
Set up a Shift handover meeting	This playbook is used to create an online meeting for shift handover. Currently, this playbook supports Zoom.
Shift handover	This playbook is used to set up shift handover meetings with all the accompanying processes such as creating an online meeting, creating a notification in a integrated chat app (for example Slack), creating a SOC manager briefing, and creating a display of the active incidents, team members who are on-call, and team members who are out of the office. By modifying the playbook inputs you can decide whether to activate the Assign Active Incidents to Next Shift and whether a user who is out of the office will be taken into consideration.
SIEM - Search for Failed logins	This playbook searches for failed logon on a specific user by querying logs from different sources. Supported Integrations: -Splunk -QRadar -Azure Log Analytics.
Slack - General Failed Logins v2.1	Investigates a failed login event. The playbook interacts with the user via the Slack integration, checks whether the logins were a result of the user's attempts or an attack, raises the severity, and expires the user's password according to the user's replies.
SlackBlockBuilderResponseExample	This is an example of how to use the SlackBlockBuilder within a playbook.
Social Engineering Domain Enrichment	Enrich a domain and compare against your registered domain for potential social engineering against your organization.
Social Engineering Domain Investigation	Enrich and Investigate domains which may present a social engineering threat to your organization. Review before blocking potentially dangerous indicators.
SOCRadar Incident	Performs indicator extraction and enrichment from the incident content, calculates the severity level, assigns the incident to a particular analyst, notifies SOCRadar platform for the incident response (to mark it as false positive or resolved) and generates investigation summary report just before closing the investigation in the end. This playbook is executed for the SOCRadar Generic incident type.
SolarStorm and SUNBURST Hunting and Response Playbook	This playbook does the following: - Collect indicators to aid in your threat hunting process. - Retrieve IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin). - Retrieve C2 domains and URLs associated with Sunburst. - Discover IOCs of associated activity related to the infection. - Generate an indicator list to block indicators with SUNBURST tags. - Hunt for the SUNBURST backdoor - Query firewall logs to detect network activity. - Search endpoint logs for Sunburst hashes to detect presence on hosts. If compromised hosts are found: - Notify security team to review and trigger remediation response actions. - Run sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team. Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
Spear Phishing Investigation	The "Spear Phishing Investigation" playbook is designed to detect patterns that indicates a spear phishing attempt by the attacker.
Splunk Generic	This is a generic playbook to be executed for the Splunk Notable Generic incident type. The playbook performs all the common parts of the investigation, including notifying the SOC, enriching the data for indicators and users, calculating the severity, assigning the incident, notifying the SIEM admin for false positives and more.
Splunk Indicator Hunting	This playbook queries Splunk for indicators such as file hashes, IP addresses, domains, or urls. It outputs detected users, ip addresses, and hostnames related to the indicators.
Spring Core and Cloud Function SpEL RCEs	On March 29, 2022, information about a 0-day vulnerability in the popular Java library Spring Core appeared on Twitter. Spring Framework is an extremely popular framework used by Java developers to build modern applications. If you rely on the Java stack, it is very likely that your development teams use Spring. In some cases, a single specially crafted request is enough to exploit the vulnerability. Later, it was discovered that these are two separate vulnerabilities, one in Spring Core and the other in Spring Cloud Function: CVE-2022-22965 - RCE in "Spring Core" is a severe vulnerability, aka Spring4Shell CVE-2022-22963 - RCE in "Spring Cloud Function SpEL" CVE-2022-22947 - RCE in "Spring Cloud Gateway" Spring Core vulnerability requirements: JDK 9 or higher Apache Tomcat as the Servlet container Packaged as WAR spring-webmvc or spring-webflux dependency Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions Spring Cloud Function unaffected versions: 3.1.7 3.2.3 This playbook will provide you with a first response kit which includes: Hunting Panorama Prisma Cloud Compute XDR XQL queries - set the playbook input RunXQLHuntingQueries to 'True' if you would like the XQL to be executed via the playbook. XDR Alerts - Search for new incidents including one or more of Spring RCEs dedicated Cortex XDR signatures Remediation Mitigations Note: You can execute this playbook using the Incidents view by creating a new incident or by using a dedicated job to schedule the playbook execution. Additional resources: Spring Framework RCE CVE-2022-22965: Spring Core Remote Code Execution Vulnerability Exploited In the Wild
SpyCloud - Breach Investigation	SpyCloud Breach playbook gets executed on the occurrence of the incident SpyCloud Breach Data type.
SpyCloud - Malware Incident Enrichment	SpyCloud Malware Playbook executes the spycloud-compass-device-data command when any incident of the SpyCloud Malware Data type is created, and sets the corresponding incident field.
SSL_Certificate_Verification	Demo playbook - takes list of addresses from an XSOAR list, process the status of each SSL certificate, and generate war room and email summary outputs.
SSO Authentication With Suspicious Characteristics	This playbook addresses the following alerts: - SSO authentication attempt with suspicious characteristics. - Successful SSO authentication with suspicious characteristics. Playbook Stages: Triage: - Collect initial information about the user and the SSO authentication event. - Validate whether the authentication proxy is linked to iCloud Relay. Investigation: - Check IOCs Reputation: - Analyze the reputation of IP addresses associated with the alert. - Search Related Alerts: - Look for alerts related to the same user within the system to identify suspicious activity trends. - Check If User Is Risky: - Retrieve the user's risk score and evaluate high-risk indicators for suspicious activities. - Check User Agent: - Identify suspicious user agents used during the authentication attempts. - Check Okta Logs: - Retrieve Okta authentication logs for failed login attempts and suspicious authentication activities within the last day. Containment: - Automatic Actions: - Clear user sessions if any suspicious evidence is found during the investigation. - Analyst Review: - Provide an analyst with findings for review and determine the appropriate action: - No action required. - Suspend the user in Okta. - If the analyst chooses to suspend the user, their active sessions are cleared in Okta. Requirements: For the best results, it's recommended to ensure these integrations are configured and working: - Core integration for user risk evaluation and suspicious activity checks. - Okta v2 integration for analyzing authentication logs, clearing sessions, and user suspension. - Any IP reputation integration that supports the `!ip` command for checking IP address reputation.
SSO Brute Force	This playbook addresses the following alerts: - SSO Brute Force Threat Detected - SSO Brute Force Activity Observed Playbook Stages: Triage: - The playbook checks the IP reputation and fetches the events related to the brute force login attempts. Early Containment: - The playbook checks if the IP is suspicious. If it is, the playbook suggests blocking the IP using PAN-OS. The investigation continues in parallel to this phase. Investigation: - The playbook assesses the risk score of the user who successfully logged in after a brute force attempt, examines the legitimacy of the user agent and if the brute force attempt is likely automated based on the timestamp interval. It also verifies if the user has MFA configured when the alert source is Okta. Containment: - If there is a successful login attempt and the user's risk score is high, or if the user agent is detected as suspicious, or if the time intervals indicates that the login attempts is likely automated, the playbook clears the user's session. If the user doesn't have MFA configured, the playbook recommends expiring the user's password. If there is no successful login detected, no action is taken. Requirements: For any response action, you need one of the following integrations: - Microsoft Graph User - Okta v2 For eradication step, you need the following integration: - Palo Alto Networks PAN-OS.
SSO Password Spray	This playbook is designed to handle the following alerts: - SSO Password Spray Threat Detected - SSO Password Spray Activity Observed - SSO Password Spray Involving a Honey User Playbook Stages: Triage: - The playbook checks the IP reputation and fetches the events related to the SSO login attempts. Early Containment: - The playbook checks if the IP is suspicious. If it is, the playbook suggests blocking the IP. Investigation: - The playbook assess the risk score of the user who successfully logged in and examines the legitimacy of the user agent. It verifies if the user has MFA configured and analyzes the timestamps of the login attempts to detect potential malicious automated patterns. Containment: - If there is a successful login attempt and the user's risk score is high, or if the user agent is detected as suspicious, or if the time intervals were automated, the playbook clears the user's session. If the user doesn't have MFA, the playbook recommends expiring the user's password. Requirements: For any response action, you need one of the following integrations: - Microsoft Graph User - Okta
Stamus Networks - Get Extra Data	Get Extra Information from a Declaration of Compromise
Strata Logging Service - File Indicators Hunting	This playbook queries Strata Logging Service (SLS) for file indicators, including SHA256 hashes, file names, and file types. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Strata Logging Service - Indicators Hunting	The playbook facilitates threat hunting and detection of IOCs within Strata Logging Service logs. The playbook and sub-playbooks query Strata Logging Service for files, traffic, HTTP requests, and execution flows indicators. Note that multiple search values should be separated by commas only (without spaces or any special characters). Supported IOCs for this playbook: - SHA256 - IP Addresses - Geolocation - URLDomain - Port Number - File Name - File Type - URI - Application Separate searches are conducted for each type of indicator in the playbook.
Strata Logging Service - Traffic Indicators Hunting	This playbook queries Strata Logging Service (SLS) for traffic indicators, including IP addresses, geolocations, URLs, domains, and ports. Note that multiple search values should be separated by commas only (without spaces or any special characters).
Successful guest user invitation	This playbook addresses the following alert: - Rare successful guest invitation in the organization Playbook Stages: Triage: - Gather initial information about the invited user and associated alerts. Investigation: - Check IOCs Reputation: - Analyze the reputation of IP addresses, email addresses, and domains related to the incident. - Check for Azure Alerts: - Retrieve user Principal Name (UPN). - Extract recent Azure security alerts for the inviting user. - Check if User is Risky: - Assess the risk score of the inviting user based on Core and Azure risk indicators. - Investigate reasons behind any identified risks, including recent detections. Containment: - Provide a manual task for an analyst to review the findings and decide the next steps. - Possible actions: - Disable the invited user. - Disable the inviting user. - Disable both users. - Take no action. - If users are disabled, revoke their active sessions to ensure immediate containment. Requirements: For the best results, it's recommended to ensure these integrations are configured and working: - `Cortex Core - Investigation and Response` for Core user risk evaluation. - `Azure Risky Users` for retrieving user risk scores. - `Microsoft 365 Defender` for advanced hunting queries and Azure security alerts. - `Microsoft Graph User` for disabling accounts and revoking sessions.
Sumo Logic Cloud SIEM - Link Signal Incidents	Playbook to link Sumo Logic Signal Incidents to the corresponding Insight Incident
Suspicious certutil command line	This playbook handles "Suspicious certutil command line" alerts. Playbook Stages: Analysis: During the alert analysis, the playbook will perform the following actions: - Extracts and enriches the URL from the command line. - Checks if the URL reputation is suspicious. - Checks if any process in the causality chain is unsigned. - Checks if any process in the causality chain is non-prevalent. - Searches for Cortex XDR agent alerts related to file drops using certutil. - Checks for any suspicious parameters in the command line (if the command line risk score is medium or higher). If the playbook detects any of these conditions, it will proceed to the early containment stage; otherwise, it will close the alert. Early Containment: - Identify if an agent prevention rule was triggered. If triggered in block mode, proceed with the URL reputation check; otherwise, terminate the causality process tree. Verdict: - Based on the URL's reputation, if found to be malicious, the playbook will perform remediation actions; otherwise, it will close the alert. Remediation: If the URL is found to have a malicious reputation, the playbook will perform the following actions: - Block the malicious URL using PAN-OS (requires analyst approval). - Isolate the endpoint (requires analyst approval). - Execute an XQL query to check for file creation events by the certutil process, and if a file is found, quarantine it (requires analyst approval). - Automatically close the alert. Required Integrations: For response actions, you need the following integrations: - Palo Alto Networks PAN-OS - XQL Query Engine.
Suspicious Domain Hunting Incident Handling	This playbook process "Suspicious Domain Hunting" incidents generated by the CertStream integration.
Suspicious execution from tmp folder	This playbook addresses the following alerts for linux os: - Suspicious process execution from tmp folder - Suspicious interactive execution of a binary from the tmp folder - Suspicious cron job task execution of a binary from the tmp folder - A web server process executed an unpopular application from the tmp folder Playbook Stages: Analysis: - Check target process hash reputation - Check commandline extracted indicators reputation The playbook will proceed directly to remediation if suspicious/Suspicious reputation is found during the analysis stage. Investigation: - Search for the following suspicious insights/related alerts: - Suspicious access to shadow file - UNIX LOLBIN process connected to a rare external host - Persistence through service registration - Adding execution privileges - Modification of systemd service files - Adding execution privileges - Local account discovery If no suspicious reputation is found in the analysis stage, but suspicious insights/related alerts are discovered during investigation, the playbook will then proceed to remediation. Remediation: - Terminate causality process - Quarantine the Suspicious process image file (requires manual approval). - Disable the suspicious cron job task (requires manual action).
Suspicious Hidden User Created	This playbook addresses the following alerts: - Suspicious Hidden User Created Playbook Stages: Triage: - Retrieve event information about the created user Investigation: - Check if the user is local or domain. - For domain users: Retrieve AD attributes, including password expiration. - For local users: Run a Powershell command to get "Password Expires" attribute of the local user. - Get risk level for the affected host. - Search for related Script Engine Activity alerts in the <-incident->. Containment: - For alerts determined to be true positives, suggest to the analyst to disable the user. - Upon analyst approval: Disable the suspicious user account (domain or local). - If a related alert about malicious activity exists, kill the Causality Group Owner (CGO) process that created the suspicious user. Requirements: For response actions, you need the following integrations: - Cortex Core - Investigation and Response - Active Directory Query v2 (for domain user actions).
Suspicious LDAP search query	This playbook is designed to handle the following alerts: - Possible LDAP enumeration by unsigned process. - Suspicious LDAP search query executed. The playbook executes the following stages: Investigation: Check the following parameters to determine if remediation actions are needed: - Cortex XSIAM alerts related to the hostname by MITRE tactics indicating malicious activity. - Whether the Actor Process Command line contains suspicious arguments. - Checks for the prevalence of the Actor Process Name. - Host risk score is "Medium" or "High". - User risk score is "High". Remediation: - Handles malicious alerts by terminating the causality process. - Handles non-malicious alerts identified during the investigation.
Suspicious Local Administrator Login	This playbook addresses the following alerts: - Suspicious local administrator login Playbook Stages: Investigation: - Retrieves the name of the process image involved in the alert. - Checks for related Powershell/Command and Scripting/WMI alerts in the <-incident->. - Retrieves the host risk score. Containment: - Provide a manual task for an analyst to review the findings and decide the next steps. - Possible actions: - Disable User. - Take no action. Requirements: - For response actions, the following integration is required: Core - IR.
Suspicious process execution by scheduled task on a sensitive server	This playbook handles "Suspicious process execution by scheduled task on a sensitive server" alerts. Playbook Stages: Analysis: - Checks the suspicious process reputation. Investigation: - Searches for related XSIAM agent alerts to identify any malicious activity on the server. Remediation: If the suspicious process reputation is malicious, or if a related alert is found, the following remediation actions will be taken: - Disable the scheduled task responsible for executing the process. - Terminate the malicious process. - Automatically Close the alert.
Suspicious SaaS Access From a TOR Exit Node	This playbook is designed to handle the following alerts: - Suspicious SaaS API call from a Tor exit node - Suspicious SaaS API call from a Tor exit node via a mobile device - Suspicious API call from a Tor exit node - Suspicious Kubernetes API call from a Tor exit node Playbook Stages: Early Containment: - To terminate the connection from the Tor exit node, the playbook will clear/revoke the user's sessions and force re-authentication. Depending on the alert source, the playbook will use either MS-Graph or G-Suite to clear the user sessions. Investigation: - The playbook will assess the risk score of the user connected from the Tor exit node and examine the legitimacy of the user agent. Containment: - If the user's risk score is high or the user agent is detected as suspicious, the playbook will recommend blocking the account connected from the Tor exit node. The playbook will use MS-Graph, G-Suite, or AWS-IAM, depending on the alert source. Eradication: - For users with PAN-OS enabled, the playbook will recommend blocking all IPs from the Palo Alto Intelligence-based external dynamic list that contains Tor exit nodes. The goal is to prevent the use of Tor within the organization. Requirements: For any response action, you will need one of the following integrations: - Microsoft Graph User - G-Suite Admin - AWS-IAM.
SX - PC - PingCastle Report	This playbook runs when a new report is sent from PingCastle. It then parses it to json and renders a table. It also puts a download link to the xml report in the war room.
Symantec block Email	This playbook will block email address at your email gateway.
T1036 - Masquerading	This playbook handles masquerading alerts based on the MITRE T1036 technique. An attacker might leverage Microsoft Windows well-known image names to run malicious processes without being caught. Attacker's Goals: An attacker is attempting to masquerade as standard windows images by using a trusted name to execute malicious code. Investigative Actions: Investigate the executed process image and verify if it is malicious using: XDR trusted signers VT trusted signers VT detection rate NSRL DB Response Actions The playbook's first response action is a containment plan which is based on the initial data provided within the alert. In that phase, the playbook will execute: Auto block indicators Auto file quarantine Manual endpoint isolation When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes containment and eradication, is executed. This phase will execute the following containment actions: Manual block indicators Manual file quarantine Auto endpoint isolation And the following eradication actions: Manual process termination Manual file deletion * Manual reset of the user’s password External resources: MITRE Technique T1036 Possible Microsoft process masquerading
T1059 - Command and Scripting Interpreter	This playbook handles command and scripting interpreter alerts based on the MITRE T1059 technique. An attacker might abuse command and script interpreters to execute commands, scripts, or binaries. Most systems come with some kind of built-in command line interface and scripting capabilities. For example, macOS and Linux distributions include some form of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. Attacker's Goals: An attacker can abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in initial access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. An attacker may also execute commands through interactive terminals/shells, as well as utilize various remote services to achieve remote execution. Analysis Due to the nature of this technique and the usage of built-in command line interfaces, the first step of the playbook is to analyze the command line. The command line analysis does the following: - Checks and decodes base64 - Extracts and enriches indicators from the command line - Checks specific arguments for malicious usage Investigative Actions: The playbook checks for additional activity using the 'Endpoint Investigation Plan' playbook and utilizes the power of insight alerts. Response Actions After analyzing the data, the playbook's first response action is to contain the threat based on the initial data provided within the alert. In this phase, the playbook will: Isolate the endpoint based on playbook inputs. When the playbook proceeds, it checks for additional activity using the 'Endpoint Investigation Plan' playbook. It then continues with the next stage, which includes, containment and eradication. This phase executes the following containment actions: Automatically isolates the endpoint It then continues with the following eradication actions: * process termination
Tag massive and internal IOCs to avoid EDL listing	This playbook tags internal assets and massive IOCs (TLD wildcards and CIDRs) to be avoided by the EDL. The playbook does the following according to indicator type: CIDRs - If the CIDR prefix is larger than the set max prefix it tags it as a `Massive_CIDR` and also with `skip_edl`. TLD Wildcards - If a domainglob is a TLD wildcard (for example, *.net) it will be tagged as `TLD_Wildcard` and also with `skip_edl`. Internal IPs - If an IP is internal and also part of the CIDR configured by the user in the "Internal Assets" list it will be checked as `internal` and tagged with `skip_edl`. Internal Domains - If a domain is a subdomain of the domains configured in the "Internal Assets" list it is checked as `internal` and tagged with `skip_edl`.
Tanium - Ask Question	This playbook used generic polling to gets question result.
Tanium - Get Saved Question Result	This playbook used generic polling to gets saved question result.
Tanium Demo Playbook	Deprecated. No available replacement. This playbook shows how to use automation scripts to interact with Tanium.
Tenable.io Scan	Run a Tenable.io scan
Threat Hunting - Chronicle	Use this playbook to investigate and remediate suspicious IOC domain matches with recent activity found in the enterprise. This playbook also creates indicators for the entities fetched, as well as investigating and enriching them. Supported Integrations: - Chronicle - Whois
Threat Hunting - Generic	This playbook enables threat hunting for IOCs in your enterprise. It currently supports the following integrations: - Splunk - Qradar - Pan-os - Cortex Data Lake - Autofocus - Microsoft 365 Defender
Ticket Management - Generic	`Ticket Management - Generic` allows you to open new tickets or update comments to the existing ticket in the following ticketing systems: -ServiceNow -Zendesk using the following sub-playbooks: -`ServiceNow - Ticket Management` -`Zendesk - Ticket Management`
TIE - IOC Hunt	Hunt for sightings of MD5, SHA1 and/or SHA256 hashes on endpoints, using McAfee TIE (requires ePO as well). Input: Hash (default, takes all deferent hashes from context) Output: All agents that files with "Hash" has been executed on (TIE) * Enrich Agents info from ePO
TIM - Add All Indicator Types To SIEM	This playbook runs sub playbooks that send indicators to your SIEM. To select the indicators you want to add, go to playbook inputs, choose “from indicators” and set your query. For example tags:approved_black, approved_white etc. The purpose of the playbook is to send to SIEM only indicators that have been processed and tagged accordingly after an automatic or manual review process. The default playbook query is" (type:ip or type:file or type:Domain or type:URL) -tags:pending_review and (tags:approved_black or tags:approved_white or tags:approved_watchlist)" In case more indicator types need to be sent to the SIEM, the query must be edited accordingly.
TIM - Add Bad Hash Indicators To SIEM	This playbook recives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to the SIEM.
TIM - Add Domain Indicators To SIEM	This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to the SIEM.
TIM - Add IP Indicators To SIEM	TIM playbook - This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to your SIEM.
TIM - Add Url Indicators To SIEM	TIM playbook - This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to your SIEM.
TIM - ArcSight Add Bad Hash Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to an ArcSight Active List. The Active List ID should be defined in the playbook inputs, as well as the field name in the Active list to which to add the indicators.
TIM - ArcSight Add Domain Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to an ArcSight Active List. The Active List ID should also be defined in the playbook inputs, as well as the field name in the Active list to add to.
TIM - ArcSight Add IP Indicators	This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to SIEM.
TIM - ArcSight Add Url Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook and adds the resulting indicators to an ArcSight Active List. The Active List ID should also be defined in the playbook inputs as well as the field name in the Active list to add to.
TIM - Indicator Auto Processing	This playbook uses several sub playbooks to process and tag indicators, which is used to identify indicators that shouldn't be added to block list. For example IP indicators that belong to business partners or important hashes we wish to not process. Additional sub playbooks can be added for improving the business logic and tagging according to the user's needs. This playbook doesn't have its own indicator query as it processes indicators provided by the parent playbook query. To enable the playbook, provide the relevant list names in the sub playbook indicators, such as the ApprovedHashList, OrganizationsExternalIPListName, BusinessPartnersIPListName, etc. Also be sure to append the results of additional sub playbooks to Set indicators to Process Indicators for the additional playbooks results to be in the outputs.
TIM - Indicator Relationships Analysis	This playbook is designed to assist with a security investigation by providing an analysis of indicator relationships. The following information is included: - Indicators of compromise (IOCs) related to the investigation. - Attack patterns related to the investigation. - Campaigns related to the investigation. - IOCs associated with the identified campaigns. - Reports containing details on the identified campaigns.
TIM - Indicators Exclusion By Related Incidents	This playbooks allows you to exclude indicators according to the number of incidents the indicator is related to. The indicator query is "investigationsCount:>=X" where X is the number of related incidents to the indicator that you set. Excluded indicators are located in the Cortex XSOAR exclusion list and are removed from all of their related incidents and future ones. The purpose of excluding these indicators is to reduce the amount internal and common indicators appearing in many incidents and showing only relevant indicators. Creating exclusions can also accelerate performance.
TIM - Intel Tracking	Track threat actors and campaigns by uploading threat intelligence in the form of briefs and IOCs. Add notes and find IOCs in related incidents.
TIM - Process AWS indicators	This playbook handles the tagging of AWS indicators. Specify the tag to apply to these indicators in the playbook inputs. An example tag will be approved_allow. If no inputs are specified, the indicators will be tagged for manual review. The user can specify whether a manual review incident is required.
TIM - Process Azure indicators	This playbook handles the tagging of Azure indicators. Specify the tag to apply to these indicators in the playbook inputs. An example tag will be approved_allow. If no inputs are specified, the indicators will be tagged for manual review. The user can specify whether a manual review incident is required.
TIM - Process CIDR Indicators By Size	This playbook processes CIDR indicators of both IPV4 and IPV6. By specifying in the inputs the maximum number of hosts allowed per CIDR, the playbook tags any CIDR that exceeds the number as pending_review. If the maximum CIDR size is not specified in the inputs, the playbook does not run.
TIM - Process Domain Age With Whois	This playbook compares the domain creation time against a provided time value such as one month ago. The period can be configured within the playbook inputs MinimumAgeOfDomainMonths or MinimumAgeOfDomainHours. The playbook calculates the timestamp for the relevant period and compares it to the domain creation time value provided by Whois. The domains are outputted accordingly if they were created before or after the compared time, respectively.
TIM - Process Domain Registrant With Whois	This playbook compares the domain registrant against the Cortex XSOAR list of approved registrants provided in the inputs. A registrant is the company or entity that owns the domain.
TIM - Process Domains With Whois	This playbook uses several sub playbooks to process and tag indicators based on the results of the Whois tool.
TIM - Process File Indicators With File Hash Type	This playbook processes file indicator by tagging them with the relevant file hash type tag, such as Sha256, Sha1, and Md5.
TIM - Process Indicators - Fully Automated	This playbook tags indicators ingested from high reliability feeds. The playbook is triggered due to a Cortex XSOAR job. The indicators are tagged as approved_allow, approved_block, approved_watchlist. The tagged indicators will be ready for consumption for 3rd party systems such as SIEM, EDR etc.
TIM - Process Indicators - Manual Review	This playbook tags indicators ingested by feeds that require manual approval. The playbook is triggered due to a job. The indicators are tagged as requiring a manual review. The playbook optionally concludes with creating a new incident that includes all of the indicators that the analyst must review. To enable the playbook, the indicator query needs to be configured. An example query is a list of the feeds whose ingested indicators should be manually reviewed. For example, sourceBrands:"Feed A" or sourceBrands:"Feed B".
TIM - Process Indicators Against Approved Hash List	This playbook checks if file hash indicators exist in a Cortex XSOAR list. If the indicators exist in the list, they are tagged as approved_hash.
TIM - Process Indicators Against Business Partners Domains List	This playbook processes indicators to check if they exist in a Cortex XSOAR list containing the business partner domains, and tags the indicators accordingly.
TIM - Process Indicators Against Business Partners IP List	This playbook processes indicators to check if they exist in a Cortex XSOAR list containing business partner IP addresses, and tags the indicators accordingly.
TIM - Process Indicators Against Business Partners URL List	This playbook processes indicators to check if they exist in a Cortex XSOAR list containing business partner urls, and tags the indicators accordingly. To enable the playbook, provide a Cortex XSOAR list name containing business partner urls.
TIM - Process Indicators Against Organizations External IP List	This playbook processes indicators to check if they exist in a Cortex XSOAR list containing the organizational External IP addresses or CIDR, and tags the indicators accordingly.
TIM - Process Office365 indicators	This playbook handles the tagging of Office365 indicators. Specify the tag to apply to these indicators in the playbook inputs. An example tag will be approved_allow. If no inputs are specified, the indicators will be tagged for manual review. The user can specify whether a manual review incident is required.
TIM - QRadar Add Bad Hash Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
TIM - QRadar Add Domain Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
TIM - QRadar Add IP Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
TIM - QRadar Add Url Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
TIM - Review Indicators Manually	This playbook helps analysts manage the manual process of reviewing indicators. The playbook indicator query is set to search for indicators that have the 'pending review' tag. The playbook's layout displays all of the related indicators in the summary page. While reviewing the indicators, the analyst can go to the summary page and tag the indicators accordingly with tags 'such as, 'approved_block', 'approved_allow', etc. Once the analyst completes their review, the playbook can optionally send an email with a list of changes done by the analyst which haven't been approved. Once complete, the playbook removes the 'pending review' tag from the indicators.
TIM - Review Indicators Manually For Allowlisting	This playbook helps analysts manage the manual process of adding indicators from cloud providers, apps, services etc. to an allow list. The playbook indicator query is set to search for indicators that have the 'allowlist_review' tag. The playbooks layout displays all of the related indicators in the summary page. While reviewing the indicators, the analyst can go to the summary page and tag the indicators accordingly with tags such as, 'approved_block', 'approved_allow', etc. Once the analyst completes the review, the playbook can optionally send an email with a list of changes done by the analyst which haven't been approved. Once complete, the playbook removes the 'allowlist review' tag from the indicators.
TIM - Run Enrichment For All Indicator Types	This playbook performs enrichment on indicators based on playbook query, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators. Example queries can be "tags:example_tag" for indicators with a specific tag. For a specific feed name" the query will be "sourceBrands:example_feed". For a specifc reputation the query will be "reputation:None" etc.
TIM - Run Enrichment For Domain Indicators	This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
TIM - Run Enrichment For Hash Indicators	This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
TIM - Run Enrichment For IP Indicators	This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
TIM - Run Enrichment For Url Indicators	This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
TIM - Update Indicators Organizational External IP Tag	This playbook checks if an indicator with a tag of organizational_external_ip has been updated and keeps/removes the tag according to the check results.
Traps Blacklist File	Deprecated. Use CortexXDR instead.
Traps Isolate Endpoint	Deprecated. Use CortexXDR instead.
Traps Quarantine Event	Deprecated. Use CortexXDR instead.
Traps Retrieve And Download Files	Deprecated. Use CortexXDR instead.
Traps Scan Endpoint	Deprecated. Use CortexXDR instead.
Trend Micro CAS - Indicators Hunting	In this playbook, the 'trendmicro-cas-email-sweep' command is used to automatically hunt for and detect IOCs within email messages protected by Cloud App Security (CAS). Note that multiple search values should be separated by commas only (without spaces or any special characters). Supported IOCs for this playbook: - IP Addresses - CIDR - File Name - File Type - SHA1 - URL - Domain - Email Addresses Separate searches are conducted for each type of indicator in the playbook.
TrendMicro Malware Alert Playbook	Deprecated. No available replacement.
Tufin - Enrich IP Address(es)	Enrich a single IP using SecureTrack. Returns information such as the associated zones, network objects and policies for the address, and if the address is network device.
Tufin - Enrich Source & Destination IP Information	Enrich source and destination IP information using SecureTrack. Returns information such as the associated zones, network objects and policies for the addresses, if the addresses are network devices, and a topology map from source to destination.
Tufin - Get Application Information from SecureApp	Search SecureApp by application name and retrieve basic application information and all application connections.
Tufin - Get Network Device Info by IP Address	Use a device's IP address to gather information about the device, including basic device information, USP zone(s), and policies related to the device.
Tufin - Investigate Network Alert	Example Playbook utilizing the Tufin integration to enrich a network alert and perform containment, if needed. Requires the following incident details: Source IP, Destination IP, Destination Ports
Un-quarantine Device in Cisco ISE - PANW IoT 3rd Party Integration	Handles incidents triggered from PANW Iot (Zingbox) UI to un-quarantine a device in Cisco ISE.
Uncommon creation or access operation of sensitive shadow copy by a high-risk process	This playbook addresses the following alerts: - Uncommon creation or access operation of sensitive shadow copy by a high-risk process Playbook Stages: Triage: - Check if the causality process image (CGO) is signed or not Investigation: - If CGO is unsigned: - Check the CGO process prevalence - Check if the process image path is common - If CGO is signed: - Check process image name - Check initiating process image name - Check if username is SYSTEM - Check if host is a server - Check for previous similar alert closed as False Positive Containment: - Terminate causality process (CGO) process - when a signed high-risk process or an unsigned process from an uncommon path attempting to create or access sensitive shadow copy data.
Uncommon execution of ODBCConf	This playbook handles "Uncommon execution of ODBCConf" alerts. Playbook Stages: Analysis: During the analysis, the playbook will perform the following: - Checks if the causality process (CGO) is signed and prevalent. - Checks for the host's risk score. If the CGO process is not signed and not prevalent, or if either of these conditions is met in addition to having a high-risk score, the playbook proceeds with remediation actions. Otherwise, it will continue to the investigation phase. Investigation: During the alert investigation, the playbook will perform the following: Searches for related Cortex XSIAM alerts and insights on the same causalities chains by specific alert names : - Evasion Technique - 3048798454 - Evasion Technique - 474958459 - An uncommon LOLBIN added to startup-related Registry keys - Behavioral Threat - An uncommon file was created in the startup folder - Unsigned process running from a temporary directory - Execution From a Restricted Location - Execution of an uncommon process with a local/domain user SID at an early startup stage by Windows system binary - Explorer CGO The playbook determines the appropriate verdict. If related alerts are found, it proceeds to remediation actions. In case of related insights are found ,and one of the following is met: the host score is listed as high or the CGO process is not prevalent, it will proceed to remediation actions. Otherwise, it closes the alert with the following message: "No indication of malicious activity was found". Remediation: - Automatically terminate the causality process. - Automatically Close the alert.
Uncommon remote scheduled task created	This playbook handles "Uncommon remote scheduled task created" alerts. Playbook Stages: Analysis: - The playbook checks if the remote IP is external or has a bad reputation. Investigation: During the alert investigation, the playbook will perform the following: - Searches for related XSIAM alerts on the endpoint that use the following MITRE techniques to identify malicious activity: T1202 - Indirect Command Execution, T1021 - Remote Services. - Searches for related XSIAM agent alerts on the remote endpoint, to determine if the creation of the scheduled task is part of an attack pattern. - Searches for suspicious command-line parameters indicating a malicious scheduled task. Remediation: - Automatically disable the malicious scheduled task. - Block the malicious IP (requires analyst approval). - Automatically Close the alert. Requirements: For response actions, the following integrations are required: - PAN-OS.
Uncover Unknown Malware Using SSDeep	This playbook leverages the case management and TIM aspects of XSOAR to uncover unknown malware. The playbook does the following: - Gets the SSDeep hash of a known malicious MD5 or SHA256 hash by enriching the hash via VirusTotal, and attempting to retrieve the related file from an endpoint. - Creates relationships between otherwise unknown indicators - based on their correspondence to the SSDeep that was deemed similar to the original SSDeep of the malicious hash. - Links incidents that had any of the indicators which were found related based on the SSDeep hash similarity. - Enriches the original hash to get the threat actor, malware family and VirusTotal community comments. - Finds endpoints where occurences of any of the similar hashes exists. - Sets detected similar hashes and original hash as malicious, if one of them is detected as malicious. - Remediates the incident by blocking all the malicious hashes in the organization (with user approval). These steps allow the analyst to find new files, incidents and endpoints which could be related to the the original hash that was searched simply based on the similarity of SSDeep hashes.
Unisolate Endpoint - Cybereason	This playbook unisolates a machine based on the hostname provided.
Unisolate Endpoint - Generic	This playbook unisolates endpoints according to the endpoint ID or host name provided in the playbook. It currently supports the following integrations: - Carbon Black Response - Cortex XDR - Crowdstrike Falcon - FireEye HX - Cybereason - Microsoft Defender For Endpoint.
UnitTestTopLevel
Unprivileged process opened a registry hive	This playbook is designed to handle the 'Unprivileged process opened a registry hive' alert. Playbook Stages: Investigation: During the alert investigation, the playbook will perform the following: - Checks the prevalence of the unprivileged process that triggered the alert. - Checks the prevalence of the command line used by the unprivileged process. - Searches for additional suspicious Cortex XSIAM alerts within the same incident in order to determine whether a remediation measure is required. Remediation: - To prevent malicious activity from continuing, the playbook terminates the causality processes that triggered the alert.
Unsigned and unpopular process performed an injection	This playbook addresses the following alerts: - Unsigned and unpopular process performed injection into a commonly abused process - Unsigned and unpopular process performed process hollowing injection - Unsigned and unpopular process performed queue APC injection - Unsigned and unpopular process performed injection into a sensitive process - Unsigned and unpopular process performed injection into svchost.exe Playbook Stages: Triage: - Retrieve all alerts associated with the case for initial analysis. Early Containment: - Identify whether an agent prevention rule was triggered for the same process ID. If so, there is high confidence that the alert is malicious. - If triggered in prevent mode: This indicates a high-confidence verdict and the playbook proceeds with endpoint isolation. - If triggered in report mode: This also indicates a high-confidence verdict. The playbook will notify the customer, advise an update to prevent mode for better protection in the future, and proceed with the investigation. - If no rule is triggered: The playbook will continue with additional checks to ensure thorough assessment. Investigation: - Check for commonly triggered alerts that often precede process injection: - If found, initiate containment. - If not found, proceed with additional checks. - Analyze if any alerts align with MITRE ATT&CK tactics TA0004 (Privilege Escalation) and TA0005 (Defense Evasion): - If matching tactics are found, initiate containment. - If not, proceed with further investigation. - Determine if the causality (parent) process is signed: - If signed by a trusted authority, close the alert. - If unsigned, escalate for manual approval for containment. Containment: - For alerts validated as threats, execute the following actions: - Terminate the causality process (CGO) if deemed malicious. - Isolate the endpoint in high-risk scenarios to prevent further compromise. Requirements: For response actions, you need the following integrations: - Cortex Core - Investigation and Response.
Unusual process accessed web browser credentials and executed by a terminal process	This playbook handles "Unusual process accessed web browser credentials and executed by a terminal process" alerts. Playbook Stages: Analysis: During the analysis, the playbook will perform the following: - Checks the initiator file path for any suspicious locations. - Checks the initiator process reputation. If the file is malicious, it proceeds to remediation actions; otherwise, it continues to the investigation phase. Investigation: During the alert investigation, the playbook will perform the following: - Searches for related Cortex XSIAM alerts and insights on the endpoint by specific alert names or by the following MITRE technique to identify malicious activity: T1555.001 - Credentials from Password Stores: Keychain. The playbook determines the appropriate verdict. If related alerts or insights are found, it proceeds to remediation actions; otherwise, it closes the alert with the message "No indication of malicious activity was found". Remediation: - Automatically terminate the causality process. - Quarantine the initiator file if its reputation is malicious, if medium- to high-severity alerts indicating malicious activity are found, or if related insights are found and the initiator is running from a suspicious path. (This action requires analyst approval). - Automatically Close the alert.
Unzip File	This playbook checks whether a file has an extension that supports unzipping, and unzips the file.
Update enforcement mode - Illumio	Update the enforcement mode for one or more workloads.
Update Incident Status And Fetch Attachments - Securonix	This playbook fetches the attachments for the incident. Also, it updates the state of the Securonix incident based on the configuration provided in integration configuration.
Update Or Remove Assets - RiskIQ Digital Footprint	Using various user inputs, this playbook checks if the user wants to update or remove an asset, and performs the respective actions. Supported integration: - RiskIQ Digital Footprint
Upload Vulnerability Report to Automox	This sub-playbook takes the entryId of a vulnerability report CSV file and uploads it to Automox for remediation.
Uptycs - Bad IP Incident	Get information about processes which open connections to known Bad IP's
Uptycs - Outbound Connection to Threat IOC Incident	Get information about connections from IOC incidents.
URL Enrichment - Generic	Deprecated. Use "URL Enrichment - Generic v2" playbook instead. Enrich URL using one or more integrations. URL enrichment includes: Verify URL SSL Threat information URL reputaiton Take URL screenshot
URL Enrichment - Generic v2	Enrich URLs using one or more integrations. URL enrichment includes: SSL verification for URLs. Threat information. Providing of URL screenshots. URL Reputation using !url.
URL Enrichment - RST Threat Feed	Enrich URLs using one or more integrations. URL enrichment includes: SSL verification for URLs Threat information * Providing of URL screenshots
URL Reputation - ReversingLabs TitaniumCloud	Get reputation data for the submitted URL. Required TitaniumCloud API rights: TCA-0403
US - Breach Notification	This playbook is triggered by a breach notification incident and then proceeds to the breach notification playbook for the relevant state. DISCLAIMER: Please consult with your legal team before implementing this playbook.
User added to local administrator group using a PowerShell command	This playbook is designed to handle the alert 'User added to local administrator group using a PowerShell command' The playbook executes the following stages: Investigation: Check the following parameters to determine if remediation actions are needed: - Cortex XSIAM alerts related to the hostname by MITRE tactics indicating malicious activity. - Whether the process is unsigned. Remediation: Handles malicious alerts by terminating the relevant processes and requesting the analyst's approval to remove the user from the local Administrators group. Handles non-malicious alerts identified during the investigation.
User Investigation - Generic	This playbook performs an investigation on a specific user, using queries and logs from SIEM, Identity management systems, XDR, and firewalls. Supported Integrations: -Okta -Splunk -QRadar -Azure Log Analytics -PAN-OS -XDR / Core By Palo Alto Networks.
USTA Account Takeover Prevention Employee Credential Incident	This playbook automates the detection and response process when compromised employee credentials are identified via USTA platform.
Veeam - Resolve Triggered Alarms	Resolves Veeam ONE triggered alarms.
Veeam - Start Configuration Backup	Starts configuration backup job for the Veeam Backup & Replication instance.
Veeam - Start Instant VM Recovery Automatically	Starts Instant VM Recovery with automatic configuration.
Veeam - Start Instant VM Recovery Manually	Starts Instant VM Recovery with manual configuration.
Vulnerability Handling - Nexpose	Manage vulnerability remediation using Nexpose data, and optionally enrich data with 3rd-party tools. Before you run this playbook, run the "Vulnerability Management - Nexpose (Job)" playbook.
Vulnerability Handling - Qualys	Deprecated. Manage vulnerability remediation using Qualys data, and optionally enrich data with 3rd-party tools. Before you run this playbook, run the "Vulnerability Management - Qualys (Job)" playbook.
Vulnerability Handling - Qualys - Add custom fields to default layout	Deprecated. Add information about the vulnerability and asset from the "Vulnerability Handling - Qualys" playbook data to the default "Vulnerability" layout.
Vulnerability Management - Nexpose (Job)	Deprecated. No available replacement. Manage assets vulnerabilities using Nexpose. This playbook runs as a job, and by default creates incidents of type "Vulnerability" based on assets and vulnerabilities. The incidents are created by querying Nexpose for the input assets vulnerability list. You can define the minimum severity (minSeverity) that incidents are created for. Duplicate incidents are not created for the same asset ID and the Nexpose ID. This playbook is a part of a series of playbooks for Nexpose vulnerability management and remediation. For this series of playbooks to run successfully, create a Job and do the following: 1. Assign this playbook to the Job 2. Enter the relevant assets' hostnames in the playbook inputs (comma separated list). 3. Associate the "Vulnerability" type incident to the "Vulnerability Handling - Nexpose" playbook.
Vulnerability Management - Qualys (Job)	Deprecated. Use the `Vulnerability Management - Qualys (Job) - V2` playbook instead. Use the latest Qualys report to manage vulnerabilities. This playbook runs as a job, and by default creates incidents of type "Vulnerability" based on assets and vulnerabilities. The incidents are created from the latest version of the report determined by the report timestamp. You can define the minimum severity (minSeverity) that incidents are created for. Duplicate incidents are not created for the same asset ID and QID. This playbook is a part of a series of playbooks for Qualys vulnerability management and remediation. For this series of playbooks to run successfully, create a Job and do the following: 1. Assign this playbook to the Job 2. Enter the Qualys XML report name into the "Details" field 3. Associate the "Vulnerability" type incident to the "Vulnerability Handling - Qualys" playbook.
Vulnerability Management - Qualys (Job) - V2	Use the latest Qualys report to manage vulnerabilities. This playbook runs as a job, and by default creates incidents of type "Vulnerability" based on assets and vulnerabilities. The incidents are created from the latest version of the report determined by the report timestamp. You can define the minimum severity (minSeverity) that incidents are created for. Duplicate incidents are not created for the same asset ID and QID. This playbook is a part of a series of playbooks for Qualys vulnerability management and remediation. For this series of playbooks to run successfully, create a Job and do the following: 1. Assign this playbook to the Job 2. Enter the Qualys XML report name into the "Details" field 3. Associate the "Vulnerability" type incident to the "Vulnerability Handling - Qualys" playbook.
Vulnerability Scan - RiskIQ Digital Footprint - Tenable.io	Performs a vulnerability scan for an asset of type "Host" and "IP Address" using Tenable.io integration. Supported integration: - Tenable.io
Wait Until Datetime	Pauses execution until the date and time that was specified in the plabyook input is reached.
WhisperGate and HermeticWiper & CVE-2021-32648	- On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple -organizations in Ukraine. - On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine. CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5. The playbook includes the following tasks: - Collect related known indicators from Unit 42, CISA and Malware News blog. - Search for possible vulnerable servers using Xpanse. - Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products. - Block indicators automatically or manually. Mitigations: October CMS security recommendations Deploy YARA detection Rules. More information: UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement Microsoft Blog CVE-2021-32648 NVD Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
WhisperGate and HermeticWiper & CVE-2021-32648	- On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple -organizations in Ukraine. - On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine. CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5. The playbook includes the following tasks: - Collect related known indicators from Unit 42, CISA and Malware News blog. - Search for possible vulnerable servers using Xpanse. - Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products. - Block indicators automatically or manually. Mitigations: October CMS security recommendations Deploy YARA detection Rules. More information: UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement Microsoft Blog CVE-2021-32648 NVD Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
WildFire - Detonate file	Deprecated. Use WildFire - Detonate file v2 instead.
WildFire - Detonate file v2	Detonate one or more files using the Wildfire v2 integration. This playbook returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types - APK, JAR, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, OOXML, PE32, PE, PDF, DMG, PKG, RAR, 7Z, JS, ELF, HTA, LNK, VBS, PS1, PERL, PYTHON, SHELL. Note: Base64 encoded files are currently not supported.
Wildfire Detonate and Analyze File	This playbook uploads, detonates, and analyzes files for the Wildfire sandbox.
WildFire Malware	This playbook handles WildFire Malware alerts. It performs enrichment on the different alert entities and establishes a verdict. For a possible true positive alert, the playbook performs further investigation for related IOCs and executes a containment plan.
XCloud Alert Enrichment	This playbook is responsible for data collection and enrichment. The playbook collects or enriches the following data: - Account enrichment - Network enrichment -Attacker IP -Geolocation -ASN
XCloud Cryptojacking	Investigates a Cortex XDR incident containing Cloud Cryptojacking related alert. The playbook supports AWS, Azure, and GCP and executes the following: - Cloud enrichment: -Collects info about the involved resources -Collects info about the involved identities -Collects info about the involved IPs - Verdict decision tree - Verdict handling: -Handle False Positives -Handle True Positives -Cloud Response - Generic sub-playbook. - Notifies the SOC if a malicious verdict was found
XCloud Cryptojacking - Set Verdict	This playbook sets the alert's verdict as malicious if one of the following conditions is true: 1. If the source IP address is malicious 2. If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Cloud identity reached a throttling API rate" (medium/high severity) 3. If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "Suspicious heavy allocation of compute resources - possible mining activity" 4. If the incident includes "Unusual allocation of multiple cloud compute resources" with medium/high severity, the source ASN isn't known, and the source IP isn't known as well. 5. If the incident includes both "Unusual allocation of multiple cloud compute resources" AND "A cloud compute instance was created in a dormant region" If none of the conditions is true, the playbook will wait for an analyst's decision.
XDR Best Practice Assessment	This playbook covers an XDR Best Practice Assessment for existing XDR deployments. It provides surveys for each domain of the assessment. The assessment covers the following domains: Configurations, Agent Management, Policy and Profiles, Profile Extensions, Incident Management, and Incident Response.
xMatters - Example Conditional Actions	Example playbook showing how to use the Trigger and Wait sub-playbook to fire an event to xMatters and wait for a response from a user. This playbook then inspects the user's chosen response and branches accordingly.
xMatters - Wait for Response	Trigger an xMatters workflow to notify a user for a response.
Xpanse - Alert Enrichment	Additional enrichment via cloud service providers and other applicable IT and security tools.
Xpanse - Alert Handler	Default alert handling for Cortex Xpanse alerts.
Xpanse - Alert Self-Enrichment	Enrichment on the alert itself using Cortex Xpanse APIs.
Xpanse - NMap - Detect Service	Playbook that uses NMap to do a validation scan.
Xpanse Incident Handling - Generic	Deprecated. Use Xpanse - Alert Handler playbook instead. A generic playbook for handling Xpanse issues. The logic behind this playbook is to work with an internal exclusions list which will help the analyst to get to a decision or, if configured, close incidents automatically. The phases of this playbook are: 1) Check if assets (IP, Domain or Certificate) associated with the issue are excluded in the exclusions list and optionally, close the incident automatically. 2) Optionally, enrich indicators and calculate the severity of the issue, using sub-playbooks. 3) Optionally, allow the analyst to add associated assets (IP, Domain or Certificate) to the exclusions list. 4) Tag associated assets. 5) Update the status of the issue.
xsoar-data-collection-response-tracking	This playbook tracks the user responses and resends the emails to recipients who have not responded
xsoarwebserver-email-acknowledgement	Playbook to demonstrate the features of XSOAR-Web-Server. It sends an html email to a set of users up to 2 times. The email can contain multiple html links, that the users can click and the response will be available in the context. This playbook sets up the webserver to handle http get requests
xsoarwebserver-email-data-collection	Playbook to demonstrate the features of XSOAR-Web-Server. It sends an html email to a set of users up to 2 times. The email can contain multiple html links, that the users can click and the response will be available in the context
YARA - File Scan	A playbook to run YARA scan against uploaded file. To run the playbook, provide the YARA rule content and the entry ID of the file you intend to scan.
Zendesk - Ticket Management	`Zendesk - Ticket Management` allows you to open a new ticket or comment on an existing ticket.
Zimperium Incident Enrichment	Enriches Zimperium incidents.
ZTAP Alert	This playbok is triggered by fetching escalated ZTAP Alerts. The playbook fetches newly escalated alerts. Then, the playbook performs enrichment on the incident's indicators. Lastly, it adds comments/logs as Evidence.

Scripts

Name	Description
A1000FinalClassification	Calculates A1000 final classification based on A1000 classification and A1000 full reports.
AbuseIPDBPopulateIndicators	Extracts IP addresses on block lists from AbuseIPDB, and Populates Indicators accordingly.
ActiveUsersD2	Get active users from a D2 agent and parsed them into context
AddDBotScoreToContext	Add DBot score to context for indicators with custom vendor, score, reliability, and type.
AddDomainRiskScoreToContext	Sets average risk score to context for pivot result.
AddEvidence	Adds provided entries to the incident Evidence Board. In playbook, can be positioned after a task to add the previous task's entries to Evidence Board automatically (with no need to provide arguments)
AddKeyToList	Adds/Replaces a key in key/value store backed by an XSOAR list.
AddUserToIncidentTeam	Adds an XSOAR User to the Incident, this automation can be used as part of a playbook task.
ADGetUser	Deprecated. Use the ad-get-user command in the Active Directory v2 integration instead.account['Groups'] = demisto.get( Use Active Directory to retrieve detailed information about a user account. The user can be specified by name, email or as an Active Directory Distinguished Name (DN). If no filter is provided, the result will show all users.
AdoptionMetrics	The dashboard provide a high level overview on the usage of Cortex XSOAR. It contains data points and metrics on enriched and observed threat intelligence, playbook and automation executions, and data sources being ingested into Cortex XSOAR.
AfterRelativeDate	Checks the given datetime has occured after the provided relative time.
AlgosecCreateTicket	Creates a new FireFlow change request.
AlgosecGetApplications	Find applications containing network objects related to IP address using AppViz.
AlgosecGetNetworkObject	Find network objects related to IP address.
AlgosecGetTicket	Retrieves a FireFlow change request by its ID
AlgosecQuery	Performs a batch traffic simulation query using Firewall Analyzer.
AnalyzeMemImage	Use Volatility to run common memory image analysis commands
AnalyzeOSX	Get file and url reputation for osxcollector result. will use VirusTotal for Url checks, and IBM XForce for MD5 checks. maxchecks : for system : system name to run agent on. section : the type check that OSXCollector should run.
AnalyzeTimestampIntervals	Analyze a list of Unix timestamps in milliseconds, to detect simple patterns of consistency or high frequency. The script can aid in the investigation of multi-event alerts that contain a list of timestamps.
AnyLlmAddResultsConvo	Takes search results and adds them to the LLM conversation context. Adding these results to the context is done invisibly in XSOAR, but is present in the LLM and will display in the conversation when the workspace is re-entered.
AnyLlmClearConvo	Clears the current workspace conversation buffer stored in an XSOAR field and deletes the LLM's workspace conversation thread. The next question starts a new conversation thread with empty LLM context.
AnyLlmClearResults	Clears the current search results.
AnyLlmDocuments	Queries the LLM for the list of documents that have been uploaded and copies it into an XSOAR grid field for display and additional actions.
AnyLlmDocumentsUpdate	When an action is requested in the documents grid field, executes the requested action (Embed or Delete) on a document in the LLM. "Delete" removes the document from the LLM's document catalog, and "Embed" adds the vector embedding of the document to the current workspace.
AnyLlmQuestion	Sends a message to the LLM. If any search results have been added to the conversation, they are added to the LLM workspace thread's context just before the latest message is added. The pending search results buffer is then cleared.
AnyLlmSaveConvo	Saves the current conversation as a war room entry.
AnyLlmSearchDocument	Full text search of a LLM document for a text pattern (regex) for more results as a companion to similarity search that returns a few top results. Currently supports only war room file entries, search results, and text that has been preprocessed in XSOAR prior to uploading to the LLM. (See AnyLlmUploadText, AnyLlmUploadFileEntry and AnyLlmUploadDocument). Results are placed in the search results buffer for where they can be added to the LLM's conversation context.
AnyLlmSearchXsoarContext	Search incident context keys for text results. Results are placed in the search results buffer for where they can be added to the LLM's conversation context.
AnyLlmSearchXsoarEntries	Search war room entries for text results. Results are placed in the search results buffer where they can be added to the LLM's conversation context.
AnyLlmSearchXsoarIncident	Search incident fields for text results. Results are placed in the search results buffer where they can be added to the LLM's conversation context.
AnyLlmSearchXsoarIndicators	Search indicators for text results. Results are placed in the search results buffer where they can be added to the LLM's conversation context.
AnyLlmUploadDocument	Uploads pre-processed text data to the LLM's document catalog. The document data must have been prepared by AnyLlmUploadText, AnyLlmUploadFileEntry, AnyLlmUploadResults. Text documentation processed and uploaded by this method can also be full text searched.
AnyLlmUploadFileEntry	Processes a war room file entry for uploading as an LLM document by AnyLlmUploadDocument so that a full text search can also be performed on the document after uploading.
AnyLlmUploadResults	Processes search results for uploading as an LLM document by AnyLlmUploadDocument so that a full text search can also be performed on the document after uploading.
AnyLlmUploadText	Processes text data for uploading as an LLM document by AnyLlmUploadDocument and so that a full text search can also be performed on the document after uploading.
AnyLlmUploadWebLink	Uploads a web link as a LLM document. Does not currently support full text search.
AnyLlmWorkspaceEmbeddings	List the current LLM workspace's embedded documents in an XSOAR grid field.
AnyLlmWorkspaceEmbeddingsUpdate	Executes the actions taken on an embedded document in the grid field. "Pin" adds the entire document to the LLM's conversation context. Care should be taken not to pin very large documents that may impact the conversation's context negatively. "Unpin" removes the pinning of the document to the workspace. "Remove" removes the document's embedding from the workspace.
AnyLlmWorkspaces	Queries the LLM for a list of workspaces and copies it into an XSOAR grid field were the user can select an active workspace.
AnyLlmWorkspaceUpdate	Executes the action taken on a workspace listed in the grid field. "Current" makes the workspace the active workspace and any workspace setting changes are updated in the LLM.
AnyMatch	Returns all elements from the left side that have a substring that is equal to an element from the right side. Note: This filter is case-insensitive. E.g -AnyMatch left=baby right=A will return baby. For more examples see the filter's Readme.
AppendIfNotEmpty	Append item(s) to the end of the list if they are not empty.
AppendindicatorFieldWrapper	A wrapper script to the 'AppendindicatorField' script that enables adding tags to certain indicators. Note: You can use this script in an incident Layout button to allow tags to be added to indicators through the incident.
AquatoneDiscover	Deprecated. Use AquatoneDiscoverV2 from the CommonScripts pack instead.
AquatoneDiscoverV2	aquatone-discover will find the targets nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domains nameservers, aquatone-discover will fall back to using Google public DNS servers to maximize discovery.
ArcannaFeedbackPostProcessing	Deprecated. No available replacement.
ArcherCreateIncidentExample	This script is an example script of how to create Incident in Archer. The script generates the create incident data in JSON format and execute the command archer-create-record.
AreValuesEqual	Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned.
ArrayToCSV	Converts a simple Array into a textual comma separated string
AssignAnalystToIncident	Assign analyst to incident. By default, the analyst is picked randomly from the available users, according to the provided roles (if no roles provided, will fetch all users). Otherwise, the analyst will be picked according to the 'assignBy' arguments. machine-learning: DBot will calculated and decide who is the best analyst for the job. top-user: The user that is most commonly owns this type of incident less-busy-user: The less busy analyst will be picked to be the incident owner. online: The analyst is picked randomly from all online analysts, according to the provided roles (if no roles provided, will fetch all users). current: The user that executed the command.
AssignAnalystToIncidentOOO	Assigns analysts who are not out of the office to the shift handover incident. Use the ManageOOOusers automation to add or remove analysts from the out-of-office list. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: For Cortex XSOAR 6 use the link https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations and for Cortex XSOAR 8 Cloud use the link https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script.
AssignToMeButton	Assigns the current Incident to the Cortex XSOAR user who clicked the button
AssignToNextShift	Randomly assigns the incidents to users on call (requires shift management) and users on call. See for more information: Cortex XSOAR 6.13 Cortex XSOAR 8 Cloud Cortex XSOAR 8.7 On-prem Incident IDs should be passed as a comma-separated list. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
AssignToNextShiftOOO	Randomly assigns the active incidents to on call analysts (requires shift management). This automation works with the other out-of-office automations to ensure only available analysts are assigned to the active incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: For Cortex XSOAR 6 use the link https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations and for Cortex XSOAR 8 Cloud use the link https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script.
AssociateIndicatorsToIncident	Associate Indicators to an Incident.
ATDDetonate	Detonate File or URL through McAfee ATD.
AWSAccountHierarchy	Determine AWS account hierarchy by looking up parent objects until the organization level is reached.
AwsCreateImage	Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.
AwsCreateVolumeSnapshot	Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.
AwsEC2GetPublicSGRules	Find Security Group rules which allows ::/0 (IPv4) or 0.0.0.0/0.
AwsEC2SyncAccounts	Update an AWS - EC2 instance with a list of accounts in an AWS organization, which will allow EC2 commands to run in all of them.
AwsGetInstanceInfo	Deprecated. Get AWS EC2 instance details
AWSPackageUpgrade	This is an AWS script that upgrades a package on the AWS EC2 instance using AWS Systems manager.
AWSRecreateSG	Automation to determine which interface on an EC2 instance has an over-permissive security group, determine which security groups have over-permissive rules, and replace them with a copy of the security group that has only the over-permissive portion removed. Over-permissive is defined as sensitive ports (SSH, RDP, etc) being exposed to the internet via IPv4.
AwsRunInstance	Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.
AwsStartInstance	Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.
AwsStopInstance	Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.
AzureFindAvailableNSGPriorities	This script takes in a list of numbers that represent Azure priorities for NSG rules, a target priority number, and a number available priorities to return available priorities from the provided list.
Base64Decode	Decodes an input in Base64 format.
Base64Encode	Will encode an input using Base64 format.
Base64EncodeV2	Encodes an input to Base64 format.
Base64ListToFile	Converts Base64 file in a list to a binary file and upload to warroom
BaseScript	[Enter a description of the script, including what function it performs and any important information users need to know, for example required permissions.].
BatchData	This Automation takes in a string of comma separated items and returns a dictionary of with the defined chunk size.
BetweenDates	Whether value is within a date range.
BetweenHours	Checks whether the given value is within the specified time (hour) range.
BinarySearchPy	Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black
block-external-ip	The script blocks a list of IP addresses in supported integrations.
BlockIP	Deprecated. Blocks IP in configured firewall
BMCHelixRemedyforceCreateIncident	This script is used to simplify the process of creating the incident in BMC Helix Remedyforce. The Script will consider the ID over the name of the argument when both are provided. Example: client_id is considered when both client_id and client_user_name are provided.
BMCHelixRemedyforceCreateServiceRequest	This script is used to simplify the process of creating a service request in BMC Helix Remedyforce. The script will consider the ID over the name of the argument when both are provided. Example: client_id is considered when both client_id and client_user_name are provided.
BMCTool	Parse RDP bitmap cache data into a single collage image file.
BrandImpersonationDetection	Analyzes the forensic data to detect brand impersonation attacks. This script uses the HMRC brand as an example, please modify the attributes associated with your company’s brand.
BreachConfirmationHTML
BuildEWSQuery	Returns an EWS query according to the automation's arguments.
BuildSlackBlocksFromIndex	Extracts the index.zip and filters new packs since the last run. Builds the slack message for new packs.
CalculateEntropy	Calculates the entropy for the given data.
CalculateGeoDistance	Compute the distance between two sets of coordinates, in miles.
CalculateTimeDifference	Calculate the time difference, in minutes
CalculateTimeSpan	Calculates the time span between two dates using Powershell's `New-TimeSpan` command. A timespan with a start date of "2022-04-02T15:42:48" and end date of "2022-04-12T16:55:07" would return the following: Days : 10 Hours : 1 Minutes : 12 Seconds : 19 Milliseconds : 0 Ticks : 8683390000000 TotalDays : 10.0502199074074 TotalHours : 241.205277777778 TotalMinutes : 14472.3166666667 TotalSeconds : 868339 TotalMilliseconds : 868339000
CaseMgmtAnalystTools	Dynamic display script to display a list of useful Analyst Tools on an Incident layout. Create an XSOAR list called "Case Management Analyst Tools", and add a markdown table to provide your own list.
CaseMgmtDisplayLabels	Dynamic section that will display the Labels for an Incident in a markdown table.
CaseMgmtIncidentTypesByRole	Restricts the Incident Types a user can create manually, based on their assigned XSOAR Role(s). Requirements - Create an XSOAR List called IncidentTypeRBAC with the following structure, the names must match exactly to the names in the Incident Types under Settings! Example List: { "Default":["Case","Job","Unclassified"], "Analyst":["Phishing","Malware"], "ThreatHunters":["Hunt"] }
CaseMgmtIncidentTypesDisplay	Restricts the Incident Types a user can create manually based on an XSOAR list, and prevents changing the Incident Type manually once it is created. Requirements - Create an XSOAR List called IncidentTypesFromList a list of comma separated Incident Types Incident Type 1,Incident Type 2, Incident Type 3
CaseMgmtResponseProcess	Dynamic display script to display a response process on an Incident layout. The response process display can change depending on the Incident Type.
CBAlerts	Get the list of Alerts from Carbon Black Enterprise Response. Supports the same arguments as the cb-alerts command.
CBEvents	Returns all events associated with a process query
CBFindIP	Search Carbon Black for connection to specified IP addresses.
CBLiveFetchFiles	Deprecated. Use CBLiveGetFile_V2 instead. Live.
CBLiveGetFile_V2	This automation translates an endpoints hostname/IP to the Carbon Black sensor ID. It then opens a session to the endpoint to download the given file paths and closes the session.
CBLiveProcessList	Deprecated. No available replacement.
CBPApproveHash	Deprecated. Use the cbp-fileRule-createOrUpdate command instead.
CBPBanHash	Deprecated. Use the cbp-fileRule-createOrUpdate command instead.
CBPCatalogFindHash	Search the CBP/Bit9 file catalog for an md5 hash.
CBPFindComputer	Find a computer in CBEP/Bit9.
CBPFindRule	Find the rule state for a hash value in CBEP/Bit9.
CBSensors	List Carbon Black sensors
CBSessions	List Carbon Black sessions
CBWatchlists	Display all watchlists and their details, queries, etc.
CEFParser	Parse CEF data into the context. Please notice that outputs will display only the 7 mandatory fields even if the CEF event includes many other custom or extended fields.
CertificateExtract	Extract fields from a certificate file and return the standard context.
CertificateReputation	Enrich and calculate the reputation of a certificate indicator.
CertificatesTroubleshoot	Exports all certificate-related information from the Python Docker container and decodes it using RFC. It also retrieves the certificate located in the specified endpoint.
ChangeContext	Enables changing context in two ways. The first is to capitalize the first letter of each key in following level of the context key entered. The second is to change context keys to new values.
ChangeRemediationSLAOnSevChange	Changes the remediation SLA once a change in incident severity occurs. This is done automatically and the changes can be configured to your needs.
CheckContextValue	This script checks that a context key exists (and contains data), and optionally checks the value of the context key for a match against an input value. If a regex is not supplied, the script checks that the key is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value. This scripts does not support a context key which holds a list of values.
CheckDockerImageAvailable	Check if a docker image is available for performing docker pull. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with 'ok' if all is good otherwise will return an error.
CheckEmailAuthenticity	Checks the authenticity of an email based on the email's SPF, DMARC, and DKIM.
CheckFieldValue	This script checks that a field exists (and contains data), and optionally checks the value of the field for a match against an input value. If a regex is not supplied, the script checks that the field is not empty. This script can be used with the "GenericPolling" playbook to poll for field population or that a field contains a specific value.
CheckIfSubdomain	Checks whether a given domain is a subdomain of one of the listed domains.
CheckIndicatorValue	Check if indicators exist in the Threat Intel database.
CheckLastEnrichment	Check if DomainTools Data is in Need of Enrichment.
CheckPanosVersionAffected	Checks if the given PAN-OS version number is affected by the given list of vulnerabilties from the pan-advisories-get-advisories command.
CheckPDFEncryptionAndValidity	Returns wether a PDF is both valid and encrypted.
CheckPivotableDomains	Checks for guided pivots for a given domain.
CheckPointDownloadBackup	Deprecated. Use ssh command instead. Downloads the Check Point policy backup to the Cortex XSOAR War Room.
CheckpointFWBackupStatus	Deprecated. Use ssh command instead. Connect to a CheckPoint firewall appliance using SSH and retrieve the status for backup tasks. The user account being used to access the device must be set to use the SSH shell and not the built-in CheckPoint CLI. For more information, consult the CheckPoint documentation.
CheckpointFWCreateBackup	Deprecated. Use ssh command instead. Connect to a Check Point firewall appliance using SSH and trigger a task to create a configuration backup of the device. The user account being used to access the device must be set to use the SSH shell and not the built-in Check Point CLI. For more information, consult the CheckPoint documentation.
CheckSender	For phishing incidents, check the sender of the email via Pipl search
CheckSenderDomainDistance	Get the string distance for the sender from our domain
CheckTags	Check DomainTools domain tags and if a tag is found mark incident as high severity.
checkValue	Gets a value and return it. This is to be used in playbook conditional tasks - get a value from incident field, label or context, and act accordingly. If an array is returned. the first value will be the decision making value.
CherwellCreateIncident	This script is an example script of how to create an incident in Cherwell. The script wraps the create business object command in the cherwell integration. When writing your own script to create a business object, follow the instructions in the configuration part, but do not change the execution section.
CherwellGetIncident	This script is an example script of how to retrieve an incident from Cherwell. The script wraps the cherwell-get-business-object command of the cherwell integration. When writing your own script to get a business object, follow the instructions found in the configuration section of the script, but do not change the execution section.
CherwellIncidentOwnTask	This script is an example script of how to link an incident to a task in Cherwell. The script wraps the cherwell-link-business-object command of the cherwell integration. When writing your own script to link business objects, follow the instructions found in the configuration section of the script, but do not change the execution section.
CherwellIncidentUnlinkTask	This script is an example script of how to unlink a task from an incident in Cherwell. The script wraps the cherwell-unlink-business-object command of the cherwell integration. When writing your own script to unlink business objects, follow the instructions found in the configuration section of the script, but do not change the execution section.
CherwellQueryIncidents	This script is an example script of how to query incidents from Cherwell. The script wraps the cherwell-query-business-object command of the cherwell integration. When writing your own script to query business objects, follow the instructions found in the configuration section of the script, but do not change the execution section.
CherwellUpdateIncident	This script is an example script of how to update an incident in Cherwell. The script wraps the update-business-object command of the cherwell integration. When writing your own script to update a business object, follow the instructions found in the configuration section of the script, but do not change the execution section.
ChronicleAssetEventsForHostnameWidgetScript	Displays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator, when its hostname is passed as an asset identifier.
ChronicleAssetEventsForIPWidgetScript	Displays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator, when its IP address is passed as an asset identifier.
ChronicleAssetEventsForMACWidgetScript	Displays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator, when its MAC address is passed as an asset identifier.
ChronicleAssetEventsForProductIDWidgetScript	Displays the list of events fetched for an asset identified as a "ChronicleAsset" type of indicator, when its product ID is passed as an asset identifier.
ChronicleAssetIdentifierScript	Collect all asset identifiers - Hostname, IP address and MAC address in the context.
ChronicleDBotScoreWidgetScript	Shows the DBot Score and reputation of the Domain.
ChronicleDomainIntelligenceSourcesWidgetScript	Shows the details of sources in the Chronicle Domain Intelligence Sources section of the incident.
ChronicleIsolatedHostnameWidgetScript	Notifies if the hostname associated with the ChronicleAsset is isolated or not.
ChronicleIsolatedIPWidgetScript	Notifies if the IP address associated with the ChronicleAsset is isolated or not.
ChronicleListDeviceEventsByEventTypeWidgetScript	Displays a pie chart of the number of events, categorized by its event type, fetched for all the identifiers of the ChronicleAsset.
ChroniclePotentiallyBlockedIPWidgetScript	Notifies if the IP address associated with the ChronicleAsset is potentially blocked or not.
CIDRBiggerThanPrefix	Checks whether a given CIDR prefix is bigger than the defined maximum prefix.
ClassifierNotifyAdmin	Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.
clear-user-session	This script clears user sessions across multiple integrations for a list of usernames.
CloseInvestigationAsDuplicate	Close the current investigation as duplicate to other investigation.
CloseLinkedIncidentsPostProcessing	Post Processing Script that will close linked Incidents when the Incident is closed. Will set the same close code as the parent, and add closing notes from the parent.
CloseSekoiaAlert	Post-processing script to close XSOAR incident.
CloseTaskSetContext	Close a task with the closeComplete command, but then also add the "comments" to the incident context.
Code42FileEventsToMarkdownTable	Formats Code42 File Events as a markdown table for display in Code42 Alert Incidents.
CofenseTriageReportDownload	Download all reports associated with the email address.
CofenseTriageThreatEnrichment	Enhancement automation for type indicator, to enrich the value from Cofense Triage.
CollectCampaignRecipients	Collect the recipients from all campaign incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
CollectPacksData	This script collects the data of packs with updates.
CommandLineAnalysis	This script evaluates command-line threats by analyzing both original and decoded inputs. It assigns weighted scores to detected patterns, such as AMSI bypass or credential dumping, and applies risk combination bonuses for multiple detections. The total score is normalized to a 0-100 scale, with risk levels categorized as follows: 0-25: Low Risk 26-50: Medium Risk 51-90: High Risk 91-100: Critical Risk The scoring mechanism provides a comprehensive risk assessment, considering both the severity and frequency of malicious behaviors.
commentsToContext	Takes the comments of a given entry ID and stores them in the incident context, under a provided context key. For accessing the last executed task's comments, provide ${lastCompletedTaskEntries.[0]} as the value for the entryId input parameter.
CommitFiles	This script gets content files as input from the context, commits the files in the correct folder and creates the pull request text.
CommonD2	Common code that will be merged into each D2 agent script when it runs
CommonServerUserPowerShell
CommonServerUserPython
CommonUserServer
CompareIncidentsLabels	Compares the labels of two incidents. Returns the labels that are unique to each incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
CompareIndicators	Find the differences between two indicators lists.
CompareList	Compares two lists.
CompareLists	Compare two lists and put the differences in context.
CompleteTaskOnTimerBreach	This is an SLA breach script that will complete playbook tasks tagged with 'timerbreach' when the SLA breaches. This can be used to complete tasks waiting for manual input when a timer breaches its SLA, and move the playbook along.
ConcatFormat	Returns a string concatenated with given a prefix and suffix which supports DT expressions.
ConferIncidentDetails	Deprecated. Display the incident details retrieved from Confer in a readable format
ConferSetSeverity	Deprecated. Set incident severity according to indicators found in an confer alert
ConfigureAzureApplicationAccessPolicy	This script grants a user the permissions needed to create a Teams meeting. It connects to MS Teams, creating an application access policy to a chosen application and then grants a user permissions.
ConflueraDetectionsCount	Logs detections count.
ConflueraDetectionsData	Logs detections data ( detection vs risk-contribution ).
ConflueraDetectionsDataWarroom	Logs detections data ( detection vs risk-contribution ).
ConflueraDetectionsSummary	Logs detections data ( categories of detections ).
ConflueraDetectionsSummaryWarroom	Logs detections data ( categories of detections ).
ConflueraProgressionsCount	Logs progressions count.
ConflueraProgressionsData	Logs progressions data ( progression vs risk-score ).
ConflueraProgressionsDataWarroom	Logs progressions data ( progression vs risk-score ).
ContainsCreditCardInfo	Check if a given value is true. Will return 'no' otherwise
ContentPackInstaller	Content packs installer from marketplace.
ContextContains	This script searches for a value in a context path.
ContextFilter	Filter context keys by applying one of the various available manipulations and storing in a new context key. Please notice that the resulting context key will not be available automatically as an option but you can still specify it.
ContextGetEmails	Gets all email addresses in context, excluding ones given.
ContextGetHashes	Gets hashes (MD5,SHA1,SHA256) from context.
ContextGetIps	Gets all IP addresses in context, excluding ones given.
ContextGetMACAddresses	Gets all MAC addresses in context, excluding ones given.
ContextGetPathForString	Searches for string in context and returns context path, returns null if not found.
ContextSearchForString	Searches for string in a path in context. If path is null, string will be searched in full context.
ConvertAllExcept	Convert all chosen values but exceptions.
ConvertCountryCodeCountryName	Convert country name to country code or country code to country name. Only one of 'country_code' or 'country_name' can be provided. Example: Input: { "country_code": "US" } Output: { "United States" } Another Example: Input: { "country_name": "United States" } Output: { "US" }.
ConvertDatetoUTC	Converts a date from a different timezone to UTC timezone.
ConvertDictOfListToListOfDict	Converts dictionary of lists to list of dictionaries.
ConvertDomainToURLs	Converts Domain(s) to URL(s).
ConvertEnrichmentsToTable	This script is used to convert CrowdStrike IOA enrichments response elements to a table.
ConvertFile	Converts a file from one format to a different format by using the convert-to function of Libre Office. For a list of supported input/output formats see: https://wiki.openoffice.org/wiki/Framework/Article/Filter/FilterList_OOo_3_0
ConvertKeysToTableFieldFormat	Convert object keys to match table keys. Use when mapping object/collection to table (grid) field. (Array of objects/collections is also supported). Example: Input: { "Engine": "val1", "Max Results": 13892378, "Key_With^Special (characters)": true } Output: { "engine": "val1", "maxresults": 13892378, "keywithspecialcharacters": true }
ConvertRequestParametersToTable	This script is used to convert CrowdStrike IOA request parameters to a table.
ConvertResourceAttributesToTable	This script is used to convert CrowdStrike IOM resource attributes to a table.
ConvertResponseElementsToTable	This script is used to convert CrowdStrike IOA response elements to a table.
ConvertTableToHTML	Converts a given array to an HTML table
ConvertTimezoneFromUTC	Takes UTC and converts it to the specified timezone. Format must match the UTC date's format and output will be the same format. Can use in conjunction with ConvertDateToString
ConvertToSingleElementArray	Converts a single string to an array of that string.
ConvertUserIdentityToTable	This script is used to convert CrowdStrike IOA user identity response elements to a table.
ConvertXmlFileToJson	Converts XML file entry to JSON format
ConvertXmlToJson	Converts XML string to JSON format
COOCApiModule	COOC API Module class.
CopyContextToField	Copy a context key to an incident field of multiple incidents, based on an incident query. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
CopyFileD2	Copy a file from an entry to the destination path on the specified system. This uses the dissolvable agent's HTTPS communication channel rather than scp or other out-of-band methods. Example usage: !CopyFileD2 destpath=/home/sansforensics/collectedbinaries/inv8_suspiciousPE1.exe.evil entryid=21@8 system=Analyst1
CopyLinkedAnalystNotes	Copies the anaylst notes from the integrations and incidents grid. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
CopyNotesToIncident	Copy all entries marked as notes from current incident to another incident.
CoreXQLApiModule	Common Core XQL Client provides generic infrastructure.
CortexXDRAdditionalAlertInformationWidget	This script retrieves additional original alert information from the context.
CortexXDRCloudProviderWidget	This script returns an HTML result of the cloud providers in the incident. The result will be displayed in the following font colors: AWS - red, GCP - green, Azure - blue.
CortexXDRIdentityInformationWidget	This widget displays Cortex XDR identity information.
CortexXDRInvestigationVerdict	This widget displays the incident verdict based on the 'Verdict' field.
CortexXDRRemediationActionsWidget	This widget displays Cortex XDR remediation action information.
CountArraySize	Count an array size
CreateArray	Will create an array object in context from given string input
CreateArrayWithDuplicates	Will create an array object in context from a given string input , allowing for duplicate values to be retained Output is to ContextKey.array as JSON does not permit duplicate key names e.g., ContextKey.array.value1, ContextKey.array.value2, ContextKey.array.value3, etc.
CreateCertificate	Creates a public key (.cer file), a private key (.pfx) file, and a Base64 encoded private key to use to authenticate the EWS Extension Online Powershell v2 integration.
CreateChannelWrapper	Creates a channel in Slack v2 or in Microsoft Teams. If both Slack v2 and Microsoft Teams are available, it creates the channel in both Slack v2 and Microsoft Teams.
CreateEDLInstance	Use this automation to create an EDL instance on XSOAR.
CreateEmailHtmlBody	This script allows sending an HTML email, using a template stored as a list item under Lists (Settings -> Advanced -> Lists). Placeholders are marked in DT format (i.e. ${incident.id} for incident ID). Available placeholders for example: - ${incident.labels.Email/from} - ${incident.name} - ${object.value} See incident Context Data menu for available placeholders Note: Sending emails require an active Mail Sender integration instance.
CreateFileFromPathObject	This automation is being executed by the "GetFilePathPreProcessing" pre-processing script that collects the paths and names of attachments of an incoming incident, then passes it to this automation that reads the files and creates them in an existing incident
CreateHash	Creating a hash of a given input, support sha1, sha256, sha512, md5 and blake. Wrapper for https://docs.python.org/3/library/hashlib.html.
CreateHashIndicatorWrapper	This is a wrapper to allow or block hash lists from Cortex XDR, MSDE or CrowdStrike.
CreateIndicatorRelationship	This automation creates a relationship between indicator objects.
CreateIndicatorsFromSTIX	Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.x. This automation creates indicators and adds an indicator's relationships if available.
CreateNewIndicatorsOnly	Create indicators to the Threat Intel database only if they are not registered. All submitted indicators will be associated with the parent incident. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue.
CreatePlbkDoc	Purpose: This automation will produce docx file detailing the tasks in the given playbook. It can produce a table or paragraph format of the report. Author: Mahmood Azmat Input1: Name of the playbook (Mandatory) Input2: Format type needed. Table or Paragraph. Paragraph is default. Input3: Name of the docx file that will be produced. Give the full name including the ".docx" extension. (Mandatory) Requirements: This automation requires "Core REST API" integration enabled and connected to the XSOAR itself. Automation uses it to read the objects of the playbook.
CreatePrismaCloudComputeComplianceReportButton	Generate a compliance report via button.
CreatePrismaCloudComputeLink	This script creates a link back to the Prisma Cloud Compute instance.
CreatePrismaCloudComputeResourceComplianceReportButton	Generate a compliance report for Prisma Cloud resources - host, container or image.
CreateSigmaRuleIndicator
CreateYARARuleIndicators
CrowdStrikeApiModule	Common CrowdStrike code that will be appended to each CrowdStrike integration when it is deployed to enable oauth2 authentication automatically.
CrowdStrikeStreamingPreProcessing	Pre processing script for CrowdStrike Streaming, will not duplicate incidents(detection events) that have same Host. Will add entry to duplicate(older) incident notifying a duplicate incident was ignored. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
CrowdStrikeUrlParse	Deprecated. Use CrowdStrike Falcon instead.
CryptoCurrenciesFormat	Verifies that a crypto address is valid and only returns the address if it is valid.
CSVFeedApiModule	Common code that will be appended into each CSV feed integration when it's deployed
CuckooDetonateFile	Deprecated. Use the 'cuckoo-create-task-from-file' command instead.
CuckooDetonateURL	Deprecated. Use 'cuckoo-create-task-from-url' instead.
CuckooDisplayReport	Display the contents of a Cuckoo report file from a war room entry.
CuckooGetReport	Deprecated. Use the 'cuckoo-get-task-report' command instead.
CuckooGetScreenshot	Deprecated. Use 'cuckoo-task-screenshot' command instead.
CuckooTaskStatus	Deprecated. Use the 'cuckoo-view-task' command instead.
CustomContentBundleWizardry	This automation accepts an XSOAR custom content bundle, and either returns a list of file names, or the files you want to the war room.
CustomPackInstaller	Custom Packs Installer for the Content Management pack.
Cut	Cut a string by delimiter and return specific fields. Example ================= input: "A-B-C-D-E" delimiter: "-" fields: "1,5" return: "A-E".
cveReputation	Deprecated. Use CveReputationV2 (in CommonScripts) instead.
cveReputationV2	Provides the severity of the CVE based on the CVSS score where available.
cvss_color	This dynamic automation parses the CVSS score of a CVE and presents it in the layout in color according to its score.
CVSSCalculator	This script calculates the CVSS Base Score, Temporal Score, and Environmental Score using either the CVSS 3.0 or CVSS 3.1 calculator according to https://www.first.org/cvss/ calculation documentation.
CybereasonPreProcessingExample	Preprocessing script to run when fetching Cybereason malops. Will check if malop was already fetched, and will then update the existing incident, otherwise will create a new incident.
CybersixgillActionableAlertStatusUpdate	Updates the Actionable alert status.
CyCognitoGetEndpoints	Generates a deep link to the CyCognito platform using the incident context.
CYFileRep	Deprecated. This script is deprecated. Use the Cylance integration instead.
Cyren-Find-Similar-Incidents	Finds similar incidents by Cyren Case ID This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
Cyren-Show-Threat-Indicators	Displays threat indicators in readable format This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
CyrenCountryLookup	Translates a country code provided by Cyren products to a full country name (English). Uses ISO 3166-1 alpha-2 for the lookup.
CyrenThreatInDepthRandomHunt	This script will take a random Cyren Threat InDepth feed indicator and its relationships and create a threat hunting incident for you. The main query parameters for the resulting, internal indicator query are: 1. Seen for the first time by the feed source within the last 7 days. 2. No investigation on it yet. 3. Must have relationships to other indicators.
CyrenThreatInDepthRelatedWidget	Shows feed relationship data in a table with the ability to navigate
CyrenThreatInDepthRelatedWidgetQuick	Shows limited feed relationship data in a table with the ability to navigate
CyrenThreatInDepthRenderRelated	Shows feed relationship data in a table with the ability to navigate.
D2ActiveUsers	Show local accounts
D2Autoruns	Used by the server-side script "Autoruns". Uses d2 agent on endpoint to run SysInternals Autoruns.
D2Drop	Drop a file to a target system by providing its path on the server. Use CopyFileD2 instead in most cases. This is a utility agent script to be used inside server scripts. See CopyFileD2 for an example.
D2Exec	Execute the command and pack the output back to server
D2ExecuteCommand	Run a D2 built-in command on a D2 agent
D2GetFile	Get a file from a system using D2 agent.
D2GetSystemLog	Copy a log file. Works on Windows and Unix (differently - take a peek at the script itself to see how).
D2Hardware	Show system information
D2O365ComplianceSearch	Assign a 'Mailbox Import Export' management role to a user. This script runs through the agent on a Windows machine, pulls and executes a PowerShell script - which talks to the Exchange server.
D2O365SearchAndDelete	Assign a 'Mailbox Import Export' management role to a user. This script runs through the agent on a Windows machine, pulls and executes a PowerShell script - which talks to the Exchange server.
D2PEDump	Execute PE Dump on a file that is under /tmp somewhere. Used internally by StaticAnalyze
D2Processes	Show running processes
D2RegQuery	Use the D2 agent to retrieve the value of the given registry key.
D2Rekall	Use the D2 agent to execute Rekall on a system (usually a forensics workstation) and analyze a memory dump file located on that system.
D2Services	Show system services
D2Users	Show local accounts
D2Winpmem	Use the D2 agent to carry the winpmem binary to a system and return the memory dump file to the war room. This usually takes a while, depending on amount of RAM in the target system.
DamSensorDown	Pre processing script for Emails from Mcafee DAM, about sensor disconnected. Will ignore second notification, but will process first notification into incidents.
DataDomainReputation	Deprecated. Evaluate reputation of a URL and Domain and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned.
DataminrPulseDisplayRelatedAlerts	Shows the related alerts fetched for this alert id.
DataminrPulseTransformExtractedIndicatorsToList	Script used to transform result received from the extractIndicators (Builtin) script from the dictionary of indicators to a list of indicators.
DateStringToISOFormat	This is a thin wrapper around the `dateutil.parser.parse` function. It will parse a string containing a date/time stamp and return it in ISO 8601 format.
DateTimeNowToEpoch	Returns the current datetime as an epoch value for use in timestamp comparisons.
DateTimeToADTime	Converts unix time to AD Integer8 time. This is used in many AD date fields like pwdLastSet.
DateTimeToLDAPTime	Converts the given time to an LDAP timestamp.
DateToTimeStamp	Converts a date to timestamp.
DBotAverageScore	The script calculates the average DBot score for each indicator in the context.
DBotBuildPhishingClassifier	Create a phishing classifier using machine learning technique, based on email content.
DBotClosedIncidentsPercentage	Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts.
DBotFindSimilarIncidents	Finds past similar incidents based on incident fields' similarity. Includes an option to also display indicators similarity. Note: For the similarity calculation, at least one field must be provided in one of the "similarTextField", "similarCategoricalField", or "similarJsonField" arguments.
DBotFindSimilarIncidentsByIndicators	Finds similar incidents based on indicators' similarity. Indicators' contribution to the final score is based on their scarcity.
DBotGroupXDRIncidents	Train clustering model on Cortex XDR incident type.
DBotPredictIncidentsBatch	Apply a trained ML model on multiple incidents at once, to compare incidents how the incidents were labeled by analysts, to the predictions of the model. This script is aimed to help evaluate a trained model using past incidents.
DBotPredictOutOfTheBoxV2	Predict phishing incidents using the out-of-the-box pre-trained model.
DBotPredictPhishingEvaluation	Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.
DBotPredictPhishingWords	Predict text label using a pre-trained machine learning phishing model, and get the most important words used in the classification decision.
DBotPredictTextLabel	Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.
DBotPredictURLPhishing	Predict phishing URLs using a pre-trained model.
DBotPreparePhishingData	Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.
DBotPreProcessTextData	Pre-process text data for the machine learning text classifier.
DBotShowClusteringModelInfo	Show clustering model information - model summary and incidents in specific cluster.
DBotTrainClustering	This script helps organizes and groups incidents based on their similarities using clustering algorithms. Clustering is a technique used to group data points (in this case, incidents) that are similar to each other into clusters. Used to automatically categorize a large number of incidents into meaningful groups.
DBotTrainTextClassifier	Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.
DBotTrainTextClassifierV2	Train a machine learning text classifier.
DBotUpdateLogoURLPhishing	Add, remove, or modify logos from the URL Phishing model.
DecodeMimeHeader	Decode MIME base64 headers.
DedupBy	This transformer will remove elements of the array that contain an identical combination of values for the keys given.
DeduplicateValuesbyKey	Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest.
Defang	Defangs IP, Mail and URL address to prevent them from being recognized.
DefaultIncidentClassifier	Deprecated. Classify an incident from mail.
delete_expired_indicator_with_exlusion	deletes expired indicators.
DeleteAndExcludeIndicators
DeleteContent	Delete content to keep XSOAR tidy.
DeleteContext	Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
DeleteIndicatorRelationships	This automation allows to delete a relationship between indicator objects based on the relationship id.
DeleteIndicators	Delete indicators based on query, values, or IDs.
DeleteReportedEmail	Use this script to delete a reported phishing email from the mailbox it was reported to
DemistoCreateList	Create a new list.
DemistoGetIncidentTasksByState	Deprecated. Use GetIncidentTasksByState instead.
DemistoLeaveAllInvestigations	Deprecated. No available replacement.
DemistoLinkIncidents	Deprecated. No available replacement.
DemistoLogsBundle	Deprecated. No available replacement.
DemistoSendInvite	Deprecated. No available replacement.
DemistoUploadFile	Deprecated. Use UploadFileV2 instead.
DemistoUploadFileToIncident	Deprecated. Use the DemistoUploadFileV2 script instead. Copies a file from this incident to the specified incident. The file is uploaded as an attachment to the specified incident’s Summary page, and recorded as an entry in the War Room.
DemistoUploadFileV2	Deprecated. Use UploadFile instead.
DemistoVersion	Return the Demisto server version.
Dig	DNS lookup utility to provide 'A' and 'PTR' record.
DisableUserWrapper	This script allows disabling a specified user using one or more of the following integrations: SailPointIdentityIQ, ActiveDirectoryQuery, Okta, MicrosoftGraphUser, and IAM.
displayCloudIndicators	Display the Cloud indicators found in a dynamic-section
DisplayCVEChartScript	Display bar chart based on cves count and trending cves count with the different colors.
DisplayEmailHtml	Displays the original email in HTML format.
DisplayEmailHtmlThread	Dynamic-section script for 'Email Threads' layout. This script renders all email messages with the thread number specified in the "Email Selected Thread" field and outputs them as a single HTML output.
DisplayHTML	Display HTML in the War Room.
DisplayHTMLWithImages	Display HTML with embedded images.
DisplayIndicatorReputationContent	Display the indicator context object in markdown format in a dynamic section layout
displaySiteCategory	This dynamic automation retrieves the category of a website and displays it in the layout.
DisplayTaggedWarroomEntries	Display warroom entries in a dynamic section which are tagged with 'report'
displayUtilitiesResults	This script displays the execution results of the tab's buttons in an HTML table format.
DlpAskFeedback	Sends a message via Slack or MS Teams to the user whose activity violated DLP policies and triggered the incident.
DockerHardeningCheck	Checks if the Docker container running this script has been hardened according to the recommended settings at: - For Docker hardening guide (Cortex XSOAR 6.13) https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.13/Cortex-XSOAR-Administrator-Guide/Docker-Hardening-Guide - For Docker hardening guide (Cortex XSOAR 8 Cloud) https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Docker-hardening-guide - For Docker hardening guide (Cortex XSOAR 8.7 On-prem) https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Docker-hardening-guide.
DomainExtractAndEnrich	Resolves a URL or fully qualified domain name (FQDN) and looks up a complete profile of the domain on the DomainTools Iris Enrich API.
DomainExtractAndInvestigate	Resolves a URL or fully qualified domain name (FQDN) and looks up a complete profile of the domain on the DomainTools Iris Investigate API.
DomainReputation	A context script for Domain entities
DomainToolsIrisDetectStatusUpdate	Updates the DomainTools Iris Detect Domain state.
DownloadAndArchivePythonLibrary	The script downloads a Python library using PIP, archives it, and returns the file to the war room.
DrawRelatedIncidentsCanvas	Draw incidents and indicators on the canvas to map and visualize their connections.
DSPMCheckAndSetErrorEntries	This script checks for error entries based on provided entry IDs and returns "yes" if any errors are found or "no" if no errors are present. If errors are detected, it sets the error messages in the XSOAR context.
DSPMCreateRiskSlackBlocks	This XSOAR automation script generates a Slack message block to notify users of risks detected by a Data Security Posture Management (DSPM) tool. The Slack block is dynamically constructed based on the details of the security incident and includes options for users to take specific actions, such as creating a Jira ticket or remediating the risk.
DSPMCreateSimpleSlackMessageBlock	This automation script overwrites the value of a specified list and sends a Slack notification to inform the user that they failed to respond to an incident notification in a timely manner. The notification includes a message indicating the end of the incident playbook and an invitation to reopen the incident if necessary.
DSPMExtractRiskDetails	This script extracts risk details from an incident object, processes asset tags, and sets the user's Slack email for future notifications. It retrieves the incident details, including risk information, asset tags, and configuration details from the DSPM integration. If the asset owner's email is found, it is stored; otherwise, a default email is used. The extracted data is stored in the XSOAR context and displayed in a readable markdown format.
DSPMExtractUserResponseFromSlackBlockState	This script processes user responses from a Slack block interaction, determining the appropriate action based on the selected option (either creating a Jira ticket or remediating a risk). It extracts relevant project details and ticket types from the user input, sets the necessary context in XSOAR, and handles errors gracefully.
DSPMGetContianers	This automation script takes asset file data as input, retrieves the container names from this data, and returns a list of all containers.
DSPMIncidentList	This automation script manages incidents in a list by adding or deleting incidents based on the provided action. For incidents older than the configured time limit (default is 48 hours), the script performs a cleanup by removing the incident from the list. Additionally, the script supports adding new incidents to the list if they do not already exist.
DSPMRerunIncidents
DsSearchQueryArray	Combines an array of queries to as few as possible whilst staying under the maximum term count.
DT	This automation allows the usage of DT scripts within playbooks transformers
DumpJSON	Dumps a json from context key input, and returns a json object string result
EditServerConfig	Edit the server configuration (under settings/troubleshooting). You can either add a new configuration or update and remove an existing one.
EmailAskUser	Ask a user a question via email and process the reply directly into the investigation.
EmailAskUserResponse	Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply.
EmailDomainBlacklist	Accepts an array of domains as a block list, and a list of email addresses. The script then filters out any email address whose domain is in the block list. The filtered list will be returned as an array.
EmailDomainSquattingReputation	Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm.
EmailDomainWhitelist	Accepts an array of domains as an allow list, and a list of email addresses. The script then filters out any email address whose domain is not in the allow list. The filtered list will be returned as an array.
emailFieldTriggered	Sends email to incident owner when selected field is triggered.
EmailReputation	A context script for Email entities.
EmailSLABreach	This is used to complete the Scheduled command if the either/both the users respond in time. The time is configured on the EmailUserSLA.
EncodeToAscii	Input Text Data to Encode as ASCII (Ignores any chars that aren't interpreted as ASCII)
enrich_exclude_button	This script is only meant to be used to disable the Enrich Excluded button in an indicator. It should not be used otherwise.
EntryWidgetCoAHandled	Entry widget that shows the number of techniques that were already handled by the CoA playbooks.
EntryWidgetCoATechniquesList	Entry widget that shows the number of techniques that were not yet handled by the CoA playbooks.
EntryWidgetNumberHostsXDR	Entry widget that returns the number of hosts in a Cortex XDR incident.
EntryWidgetNumberRegionsXCLOUD	Entry widget that returns the number of regions in a Cortex XDR incident.
EntryWidgetNumberResourcesXCLOUD	Entry widget that returns the number of resources in a Cortex XDR incident.
EntryWidgetNumberUsersXDR	Entry widget that returns the number of users that participated in a specified Cortex XDR incident.
EntryWidgetPieAlertsXDR	Entry widget that returns a pie chart of alerts for a specified Cortex XDR incident by alert severity (low, medium, and high).
EntryWidgetPortBasedRules	Entry widget that returns the number of port based rules found by PAN-OS policy optimizer.
EntryWidgetRegionNameXCLOUD	Entry widget that returns the region involved in the alert.
EntryWidgetResourceTypeXCLOUD	Entry widget that returns the resource type involved in the alert.
EntryWidgetUnusedApplications	Entry widget that returns the number of rules with unused applications found by PAN-OS policy optimizer.
EntryWidgetUnusedRules	Entry widget that returns the number of unused rules found by PAN-OS policy. optimizer.
EnumerateRoles	The script will enumerate any provided role names and output the list of users for each role.
EPOFindSystem	Deprecated. Use the "McAfe ePO v2 integration command epo-find-system" instead. Return system info
EsmExample	Deprecated. Example of using McAfee ESM (Nitro) with advanced filters
Etl2Pcap	Receives an ETL file and converts it to a PCAP file.
EvaluateMLModllAtProduction	Evaluates an ML model in production.
EWSApiModule	EWS Api Module, provides EWSClient and other generic logic to EWS integrations.
ExampleJSScript	This is only an example script, to showcase how to use and write JavaScript scripts
ExchangeAssignRole	Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead.
ExchangeDeleteMail	Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead.
ExchangeSearchMailbox	Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead.
ExifRead	Read image files metadata and provide Exif tags.
Exists	Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors.
ExpanseAggregateAttributionCI	Deprecated. No available replacement. > Aggregate entries from ServiceNow CMDB into AttributionCI.
ExpanseAggregateAttributionDevice	Deprecated. No available replacement. > Aggregate entries from multiple sources into AttributionDevice.
ExpanseAggregateAttributionIP	Deprecated. No available replacement. > Aggregate entries from multiple sources into AttributionIP.
ExpanseAggregateAttributionUser	Deprecated. No available replacement. > Aggregate entries from multiple sources into AttributionUser.
ExpanseEnrichAttribution	Deprecated. No available replacement. > This script can be used to enrich context generated by ExpanseAggregateAttribution* scripts with additional details
ExpanseEvidenceDynamicSection	Deprecated. No available replacement. > Dynamic Section script used in Expanse Issue layout to display the Latest Evidence structure.
ExpanseGenerateIssueMapWidgetScript	Deprecated. No available replacement. This widget script generates a map of the Open Expanse Issue Incidents with provider On Prem. The map is generated as a static PNG file embedded in Markdown. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
ExpansePrintSuggestions	Deprecated. No available replacement. > Generates and prints a report in markdown format containing useful suggestions for the Analyst to attribute an Expanse Issue to an owner.
ExpanseRefreshIssueAssets	Deprecated. No available replacement. > Script to refresh tags and attribution reasons of assets inside Expanse Issue. The script should be used inside the Expanse Issue incident context.
ExportAuditLogsToFile	Uses the Core REST API integration to query the server audit trail logs, and return back a CSV or JSON file.
ExportContextToJSONFile	Exports the Context for the current Incident to a JSON file in the war room.
ExportIncidentsToCSV	This automation uses the Core REST API Integration to batch export Incidents to CSV and return the resulting CSV file to the war room.
ExportIndicatorsToCSV	This automation uses the Core REST API Integration to batch export Indicators to CSV and return the resulting CSV file to the war room.
ExportMLModel	Exports an existing ML model to a file.
ExportToCSV	Export given array to csv file.
ExportToXLSX	Exports context data to a Microsoft Excel Open XML Spreadsheet (XLSX) file.
ExposeIncidentOwner	Expose the incident owner into IncidentOwner context key
ExtendQueryBasedOnPhishingLabels	A helper script for the DBot Create Phishing Classifier V2 playbook. This script extends the query based on the phishingLabels argument.
ExtFilter	Advanced Filter. It enables you to make filters with complex conditions.
ExtractAttackPattern	Extract Attack Pattern Threat Intel Object. After auto extract extracts the Attack Pattern IDs, this script is executed and extracts the value (name) of the Attack Pattern.
ExtractDomainAndFQDNFromUrlAndEmail	Extracts domains and FQDNs from URLs and emails.
ExtractDomainFromIOCDomainMatchRes	Extracts domain and its details from the Chronicle IOC Domain match response.
ExtractDomainFromUrlAndEmail	Extract Domain(s) from URL(s) and/or Email(s).
ExtractEmailTransformer	Extracts email addresses from the given value.
ExtractEmailV2	Verifies that an email address is valid and only returns the address if it is valid.
ExtractFQDNFromUrlAndEmail	Extracts FQDNs from URLs and emails.
ExtractHTMLTables	Find tables inside HTML and extract the contents into objects using the following logic: - If table has a single column, just create an array of strings from the values - If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value - If table has a header row, create a table of objects where attribute names are the headers - If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3...
ExtractHyperlinksFromOfficeFiles	Extracts hyperlinks from office files. Supported file types are: xlsx, docx, pptx.
ExtractInbetween	Extract a string from an existing string.
ExtractIndicators-CloudLogging	This script will extract indicators from a given AWS CloudTrail or GCP Logging event.
ExtractIndicatorsFromTextFile	Extract indicators from a text-based file. Indicators that can be extracted: IP Domain URL File Hash * Email Address This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
ExtractIndicatorsFromWordFile	Used to extract indicators from Word files (DOC, DOCX). The script does not extract data from macros (e.g., embedded code). This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
ExtraHopTrackIncidents	Links an incident investigation back to the ExtraHop Detection that created it.
FailedInstances	Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances.
FeedCyCognitoGetAssetEndpoint	Generates a deep link to the CyCognito platform using the indicator context.
FeedIntegrationErrorWidget	Returns a table widget of enabled feed integration instances that errors out on indicators fetch.
FeedRelatedIndicatorsWidget	Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant.
FetchFileD2	Get a File from using a D2 agent
FetchIndicatorsFromFile	Fetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types.
file-enrichment	This script gathers file reputation data from multiple integrations and returns a "FileEnrichment" object with consolidated information to the context output.
FileCreateAndUpload	Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room.
FileCreateAndUploadV2	Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room.
FileReputation	A context script for hash entities.
FileToBase64List	Encode a file as base64 and store it in a Demisto list.
FilterByList	Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist.
FindDuplicateEmailIncidents	Can be used to find duplicate emails for incidents of type phishing, including malicious, spam, and legitimate emails.
FindEmailCampaign	Find a campaign of emails based on their textual similarity.
findIncidentsWithIndicator	Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
FindPlaybookCustomDependencies	Find custom scripts and integration dependencies used inside of playbooks.
FindSimilarIncidents	Deprecated. Use DBotFindSimilarIncidents instead. Finds similar incidents by common incident keys, labels, custom fields or context keys. It's highly recommended to use incident keys if possible (e.g., "type" for the same incident type). For best performance, it's recommended to avoid using context keys if possible (for example, if the value also appears in a label key, use label). This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
FindSimilarIncidentsByText	Deprecated. Use DBotFindSimilarIncidents instead. Find similar incidents by text comparison - the algorithm based on TF-IDF method. To read more about this method: https://en.wikipedia.org/wiki/Tf%E2%80%93idf This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
FireEyeApiModule	Common FireEye code that will be appended to each FireEye integration when it is deployed.
FireEyeDetonateFile	Detonate File or URL through FireEye.
FirstArrayElement	Returns the first element of an array. If the value passed is not an array, it returns the original value that was passed.
ForescoutEyeInspectButtonGetPCAP	Get PCAP of a Forescout EyeInspect incident.
ForescoutEyeInspectButtonGetVulnerabilityInfo	Get information of a CVE from Forescout EyeInspect CVEs DB.
ForescoutEyeInspectButtonHostChangeLog	Get change log of Forescout EyeInspect hosts.
FormatACTIURL	Helps to fetch ACTI Intelligence Report/Alert URL and converts it to uuid.
FormatContentData	This script formats the value given input from a JSON list into table.
FormattedDateToEpoch	Converts a custom-formatted timestamp to UNIX epoch time. Use it to convert custom time stamps to a XSOAR date field. If you pass formatter argument, we will use it to transform. If not, we will use dateparser.parse for transforming. For more info, see: https://docs.python.org/3.7/library/datetime.html#strftime-and-strptime-behavior
FormatTemplate	Build text from a template that can include DT expressions.
FormatURL	Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. If more than one URL is passed to the formatter, the separator must be a pipe ("|").
FormatURLApiModule	Common code for url formatting.
ForwardAuditLogsToSplunkHEC	This Automation script uses the XSOAR API to get the audit logs and pushes them to Splunk HEC. Dependencies: SlunkPy and Core REST API integrations.
FPDeleteRule	Deletes a rule in Forcepoint Triton.
FPSetRule	Adds (or updates existing) rule in Forcepoint Triton. Preserves order of rules and modifies policy in-place if a rule exists with the exact type and value.
GatewatcherAlertEngine
GCPOffendingFirewallRule	Determine potential offending firewall rules in GCP based on port, protocol and possibly target tags (network tags). Considerations: - At this time this automation only find potential offending rules and not necessarily the rule that is matching traffic.
GCPProjectHierarchy	Determine GCP project hierarchy by looking up parent objects until the organization level is reached.
generate_profile_id	Generate profileId by user data.
generate_timezonesidkey	Generate timezonesidkey by user data.
GenerateAsBuilt	Generate an as built document, as HTML, based on the running XSOAR instance. Requires an instance of the Demisto API integration configured.
GenerateAsBuiltConfiguration	Generate a JSON file that can be downloaded and used to create the As-Built document for Cortex XSOAR.
GenerateASMReport	Generate an ASM Alert Summary report.
GenerateCSR	Generates a certificate signing request for fulfillment by an organization certification authority (CA) Output is the request.csr file placed directly into context under a "File" object.
GenerateInvestigationSummaryReport	A script to generate investigation summary report in an automated way Can be used in post-processing flow as well.
GeneratePANWIoTDeviceTableQueryForServiceNow	Generates a single query or query list with which to query in ServiceNow.
GeneratePassword	This function generates a password and allows various parameters to customize the properties of the password depending on the use case (e.g. password complexity requirements). The default behavior is to generate a password of random length including all four character classes (upper, lower, digits, symbols) with at least five and at most ten characters per class. The min* values all default to 0. This means that if the command is executed in this way: !GeneratePassword max_lcase=10 It is possible that a password of length zero could be generated. It is therefore recommended to always include a min* parameter that matches. The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics.
GenerateRandomJSON	Generate a list of random dictionaries, using Faker Python library. For more information, please visit https://faker.readthedocs.io
GenerateRandomString	Generates random string
GenerateRandomUUID	Generates a random UUID (UUID 4).
GenerateSummaryReportButton	This button will generate summary 'Case Report' template for a given Incident
GenerateSummaryReports	Generate report summaries for the passed incidents.
GenericPollingScheduledTask	Runs the polling command repeatedly, completes a blocking manual task when polling is done.
get-endpoint-data	This script gathers endpoint data from multiple integrations and returns an endpoint entity with consolidated information to the context.
get-user-data	This script gathers user data from multiple integrations and returns an Account entity with consolidated information to the context.
GetAskLinks	Creates external ask links for the `Ask` task with the given name.
getAutomationsCount	Get the count of OOTB, custom and deprecated automations.
GetAwayUsers	Returns a list of all the users marked as away in Cortex XSOAR.
GetBrandDeleteReportedEmail	Gets all the enabled instances of integrations that can be used by the DeleteReportedEmail script, in the output format of a single select field.
GetByIncidentId	Gets a value from the specified incident's context.
GetCampaignDuration	Calculate the duration of the current campaign and returns the result in a string with HTML format.
GetCampaignIncidentsIdsAsOptions	Get the campaign incident IDs as option values for Multi Select field.
GetCampaignIncidentsInfo	Get the campaign incidents information as a MD table. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
GetCampaignIndicatorsByIncidentId	Gets the campaign indicators by the campaign incident ids as a MD table.
GetCampaignLowerSimilarityIncidentsIdsAsOptions	Gets the IDs of incidents with lower similarity. Used to fill the optional values of the multi-select "Phishing Campaign Select Campaign Lower Similarity Incidents" incident field.
GetCampaignLowSimilarityIncidentsInfo	Gets the campaign incidents with low similarity information as a markdown table. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
GetCiscoISEActiveInstance	Determines which configured Cisco ISE instance is in active/primary state and returns the name of the instance.
getContentPackStatus	Get the count of Marketplace content packs update status.
getCustomAutomations	Get the list of custom automations modified in last 30 days.
getCustomPlaybooks	Get the list of custom playbooks created in last 30 days.
GetDataCollectionLink	Generates the URL for a Data Collection Task into Context. Can be used to get the url for tasks send via Email, Slack, or even if you select "By Task Only". To generate links for specific users, add an array of users in the users argument.
getDeprecatedAutomations	Get the list of deprecated automations.
getDeprecatedIntegrations	Get the list of deprecated integrations.
getDeprecatedPlaybooks	Get the list of deprecated playbooks.
getDetachedAutomations	Get the list of detached automations.
getDetachedPlaybooks	Get the list of detached OOTB playbooks.
getDiskSpaceStatus	Get the Disk Space details.
getDockerContainersCount	Get the count of docker containers.
GetDockerImageLatestTag	Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error.
GetDomainDNSDetails	Returns DNS details for a domain.
GetEnabledInstances	Gets all currently enabled integration instances.
GetEntries	Collect entries matching to the conditions in the war room.
GetErrorsFromEntry	Get the error(s) associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries.
GetEWSFolder	Get emails from multiple folders of an account all at once.
GetFailedTasks	Gets failed tasks details for incidents based on a query. Limited to 1000 incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
GetFields	Retrieves fields from an object using dot notation
GetFieldsByIncidentType	Returns the incident field names associated to the specified incident type.
GetFilePathPreProcessing	This is a pre-processing script that is used to create the attachments of incoming incidents in an existing incident, then drop the incoming incident. It should be configured as a pre-processing rule, and the logic for finding the right incident should be added to the code manually. The automation collects the paths and names of the attachments of the incoming incident and passes it to the "CreateFileFromPathObject" automation that is being executed on the existing incident
GetFolderName
GetHostName
GetIdsFromCustomContent	Extract custom content IDs from custom content bundle file and exclude IDs as specified.
GetIncidentsApiModule	Common code that is appended into scripts which require searching incidents.
GetIncidentsByQuery	Gets a list of incident objects and the associated incident outputs that match the specified query and filters. The results are returned in a structured data file. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
GetIncidentTasks	Get all tasks for a specific incident by the given state, name and/or tag.
GetIncidentTasksByState	Deprecated. Use the GetIncidentTasks script instead.
GetIndexOfArrayValue	This transformer will get an index of an element from an array. ex:["phishing","Malware"], if we provide "Malware" to array_value argument, will get index as 1.
GetIndicatorCustomFieldsByQuery	Returns indicator custom fields into the context by the given query.
GetIndicatorDBotScore	Add into the incident's context the system internal DBot score for the input indicator.
GetIndicatorDBotScoreFromCache	Get the overall score for the indicator as calculated by DBot.
GetIndicatorDBotScoreFromContext	Get the final verdict from the DBotScore of the context. Provided that it has all of the latest source verdict, this script gives you the right final verdict.
GetIndicatorsByQuery	Gets a list of indicator objects and the associated indicator outputs that match the specified query and filters. The results are returned in a structured data file.
GetInstanceName	Given an integration name, returns the instance name.
GetInstances	Returns integration instances configured in Cortex XSOAR. You can filter by instance status and/or brand name (vendor).
getInvHealthStatus	Get the count of big incidents, incidents with big context and big indicators.
GetLicenseID	Returns the license ID.
GetListDatawithKeyword	This transformer will get list of array elements by providing keyword. List data format [ { "folder": "abc", "username": "test" }, { "folder": "def", "username": "test123" }, { "folder": "ghi", "username": "admin" } ]
GetListRow	Parses a list by header and value.
GetMessageIdAndRecipients	Get the Internet Message Id and Recipient's address of Messages in a format of `internet_message_id:recipients_address.`.
getMlFeatures	Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.
GetMLModelEvaluation	Finds a threshold for ML model, and performs an evaluation based on it.
GetNumberOfUsersOnCall	Retrieves the number of users who are currently on call.
GetOnCallHoursPerUser	Retrieves the number of on call hours per user.
getPlaybooksCount	Get the count of custom, OOTB and deprecated playbooks.
getPlaybooksHealthStatus	Get the count of big workplan, big tasks playbooks and the playbooks which automatically turned in to quiet mode.
GetPrBranches	Field-display script that gets the branch names from "Pull Request Creation" incidents to use in the "Pull Request Branch" incident field.
GetProjectOwners	Parse a GCP service account email for the project name, then lookup project owners and add them to a list of potential service owners for ranking.
GetRange	Gets specified indexes of a list.
GetRestoredVmName
GetRolesPerShift	Retrieves the roles that are available per shift.
GetSendEmailInstances	Gets all the enabled instances of integrations that have a send-mail command, in the output format of a single select field.
GetServerInfo	Get version and URL of current XSOAR server.
GetServerURL	Get the Server URL.
GetShiftsPerUser	Retrieves the number of on-call hours per user.
GetSlackBlockBuilderResponse	GetSlackBlockBuilderResponse will format a SlackBlockBuilder response and insert it into an incident's context.
GetStringsDistance	Get the string distance between inputString and compareString (compareString can be a comma-separated list) based on Levenshtein Distance algorithm.
getSystemHealthStatus	Get the count of slow searches, web socket disconnects(in last 12hrs).
GetTasksWithSections	Groups all tasks for a specific incident according to the task headers (titles).
GetTime	Retrieves the current date and time.
GetUsersOnCall	Retrieves users who are currently on call.
GetUsersOOO	Retrieves users who are currently out of the office. The script use the OutOfOfficeListCleanup script to remove users from the out-of-office list whose 'off until day' is in the past.
GetValuesOfMultipleFields	The script receives a list of fields and a context key base path. For example, Key=Test.result List=username,user gets all of the values from Test.result.username and Test.result.user. The Get field of the task must have the value ${.=[]}.
getWorkersCount	Get the count of Available, Busy and Total workers.
GIBIncidentUpdate	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
GIBIncidentUpdateIncludingClosed	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
GLPIIncidentStatus	populates the value of the GLPI Ticket State field and display it in a layout widget.
GoogleappsRevokeUserRole	Deprecated. Deletes a role assignment.
GoogleAuthURL	Deprecated. This script is deprecated. The demistobot endpoint is no longer supported.
GRAAnalyticalFeatureDisplay	Display GRA analytical feature on the layout.
GRAAnomaliesDisplay	Retrieve anomalies for specified case id from GRA and update in XSOAR.
GRAUpdateCaseStatus	GRA Update Case Status.
GreaterCidrNumAddresses	Check if number of availble addresses in IPv4 or IPv6 CIDR is greater than given number.
GridFieldSetup	Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter `TIMESTAMP` to get the current timestamp in ISO format. For example: `!GridFieldSetup keys=ip,src,timestamp val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" val3="TIMESTAMP" gridfiled="gridfield"`.
GrrGetFiles	Deprecated. Use grr_get_files instead.
GrrGetFlows	Deprecated. Use grr-get-flows instead.
GrrGetHunt	Deprecated. Use grr_get_hunt instead.
GrrGetHunts	Deprecated. Use grr_get_hunts instead.
GrrSetFlows	Deprecated.Use grr-set-flows instead.
GrrSetHunts	Deprecated. Use grr_set_hunts instead.
GSuiteApiModule	Common G Suite code that will be appended to each Google/GSuite integration when it is deployed.
GZipFile	GZip a file and upload to war room
HashIncidentsFields	Hash fields from the incident list. Search for incidents by arguments with an option to hash some of its fields.
HealthCheckAPIvalidation	Validate if API Integration was defined correctly. If not detect what is the problem and warn about it.
HealthCheckCommonIndicators	Reports on common indicators.
HealthCheckContainersStatus	Containers status.
HealthCheckCPU	Present or parse CPU usage stats.
HealthCheckDiskUsage	Present or parse Disk usage stats.
HealthCheckDiskUsageLine	Present Disk usage stats line widget.
HealthCheckFields	Parsing custom fields to detect indexed fields for risky field types.
HealthCheckIncidentsCreatedDaily	Trend graph for incidents created per day.
HealthCheckIncidentsCreatedMonthly	Trend graph for incidents created per month.
HealthCheckIncidentsCreatedWeekly	Trend graph for incident creation.
HealthCheckIncidentTypes	Identify custom and detached system incidents type Checking if 'Auto Extraction' is turned on for: Extract from all Extract from specific indicators doesn't have any settings.
HealthCheckInstalledPacks	Read the installedpacks.json. Count and get packs names.
HealthCheckIntegrations	Collect integrations name and count number of engines.
HealthCheckMemory	Present or analyze memory usage.
HealthCheckNumberOfDroppedIncidents	Number of dropped incidents.
HealthCheckPlaybookAnalysis	Parsing playbooks.
HealthCheckServerConfiguration	Collect server configurations and save that into a table field.
HealthCheckSystemDiagnostics	Collect data from System Diagnostics tool.
HealthCheckWorkers	Present or analyze workers usage.
HelloWorldScript	Hello World Script.
Hey	Use rakyll/hey to test a web application with a load of requests.
hideFieldsOnNewIncident	When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode.
HighlightWords	Highlight words inside a given text.
HtmlDifflabDynamic	This dynamic automation parses the difflib results and presents it in the layout in color according to its score.
HtmlDifflibCheck	Compares two HTML source as strings and returns a similarity score using difflib.
HtmlPhishingCheck	Checks if a URL contains HTML elements indicative of phishing.
HTMLtoMD	Converts HTML to Markdown.
http	Sends http request. Returns the response as json.
HTTPFeedApiModule	Common HTTP feed code that will be appended into each HTTP feed integration when it's deployed.
HTTPListRedirects	List the redirects for a given URL
HttpV2	Sends a HTTP request with advanced capabilities.
IAMApiModule	Common code that will be appended into each IAM integration when it's deployed.
IAMInitOktaUser	Generates a password and sets the password for an Okta user. Enables the account. Sends an email to the user with the account information. This script is running the `send-mail` command, make sure there is a mail sender integration configured.
IbmAddNote	Use this script to add a note entry in Cortex XSOAR, which will then be mirrored as a note to an IBM QRadar SOAR incident. This script should be run within an incident.
IbmAddTask	Use this script to add a task to an IBM QRadar SOAR incident.
IbmConvertArtifactsToTable	This script is used to format IBM QRadar SOAR Artifacts into a markdown table.
IbmConvertAttachmentsToTable	This script is used to convert IBM QRadar SOAR attachments to a markdown table.
IbmConvertCommentsToTable	This script is used to convert IBM QRadar SOAR notes to a markdown table.
IbmConvertTasksToTable	This script is used to convert IBM QRadar SOAR tasks to a markdown table.
IbmUpdateNote	Use this script to add a note entry in Cortex XSOAR, which will then be mirrored as a note to an IBM QRadar SOAR incident. This script should be run within an incident.
IbmUpdateTask	Use this script to add a note entry in Cortex XSOAR, which will then be mirrored as a note to an IBM QRadar SOAR incident. This script should be run within an incident.
IbmUploadAttachment	Use this script to upload an attachment to an IBM QRadar SOAR incident. This script should be run within an incident.
IdentifyAttachedEmail	Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team.
If-Elif	A transformer for if-elif-else logic.
If-Then-Else	A transformer for simple if-then-else logic.
IgnoreFieldsFromJson	Removed selected fields from the JSON object.
imagecompare	Compares two images and returns a similarity score.
ImportMLModel	Imports a file that contains an ML model.
ImportSigmaRulesFromZIP	Deprecated. Use CreateSigmaRuleIndicator instead.
ImpSfListEndpoints	The endpoints list request enables a client application to receive a list of all managed and unmanaged endpoints, with their basic details. This list can then be externally filtered or searched by the application to identify individual endpoints that might require action. For any such endpoint, the application can obtain fuller details (see Endpoint Details Request below) and if relevant change its enrollment status.
ImpSfRevokeUnaccessedDevices	Getting all devices data from server, if a device haven't been accessed to in over two months (and is still managed), the script will send the corresponding user a warning mail. If it's haven't been accessed to in over three months, the script will revoke the device credentials and notify the user by mail.
ImpSfScheduleTask	Creating a schedule task that's call ImpSfRevokeUnaccessedDevices: Getting all devices data from server, if a device haven't been accessed to in over two months (and is still managed), the script will send the corresponding user a warning mail. If it's haven't been accessed to in over three months, the script will revoke the device credentials and notify the user by mail.
ImpSfSetEndpointStatus	Deprecated. Call imp-sf-set-endpoint-status directly. No available replacement.
IncapGetAppInfo	Use this operation to retrieve a list of all the client applications
IncapGetDomainApproverEmail	Use this operation to get the list of email addresses that can be used when adding an SSL site
IncapListSites	List sites for an account
IncapScheduleTask	This script periodically runs the "IncapWhitelistCompliance" script, which queries the Incapsula monitored websites for white-list compliance (see script for further details). The script then saves the new periodic ID into incident context under the "ScheduleTaskID" key for later use.
IncapWhitelistCompliance	Get all sites from Incapsula. For each site, the script, through a ssh server (one that should NOT be in the allow list), make sure the site is compliant ( allow list is being enforced ). If not, a warning mail will be sent to the domain owner.
IncidentAddSystem	Add a remote system (such as a desktop under investigation) to an investigation (this will allow you to install and agent on the system)
IncidentFields	Returns a dict of all incident fields that exist in the system.
IncidentsCheck-NumberofIncidentsNoOwner	Health Check dynamic section, showing the number of unassigned incidents.
IncidentsCheck-NumberofIncidentsWithErrors	Health Check dynamic section, showing the number of failed incidents.
IncidentsCheck-NumberofTotalEntriesErrors	Health Check dynamic section, showing the total number of errors in failed incidents.
IncidentsCheck-PlaybooksFailingCommands	Health Check dynamic section, showing the top ten commands of the failed incidents in a pie chart.
IncidentsCheck-PlaybooksHealthNames	Health Check dynamic section, showing the top ten playbook names of the failed incidents in a bar chart.
IncidentsCheck-Widget-CommandsNames	Data output script for populating the dashboard pie graph widget with the top failing incident commands.
IncidentsCheck-Widget-CreationDate	Data output script for populating the dashboard line graph widget with the creation date of failing incidents.
IncidentsCheck-Widget-IncidentsErrorsInfo	Data output script for populating the dashboard table graph widget with the information about failing incidents.
IncidentsCheck-Widget-NumberFailingIncidents	Data output script for populating dashboard number graph widget with the number of failing incident.
IncidentsCheck-Widget-NumberofErrors	Data output script for populating the dashboard number graph widget with the number of entries ID errors.
IncidentsCheck-Widget-PlaybookNames	Data output script for populating the dashboard bar graph widget with the top failing playbooks name.
IncidentsCheck-Widget-UnassignedFailingIncidents	Data output script for populating the dashboard number graph widget with the number of unassigned failing incidents.
IncidentState	This script is used as dynamic section to desplay in the layout one of the incident state.
IncOwnerToBonuslyUser	This script gets the email address of the incident owner and then returns the incident owner username in Bonusly.
IncreaseIncidentSeverity	Optionally increases the incident severity to the new value if it is greater than the existing severity.
IndicatorMaliciousRatioCalculation	Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
Indicators-type	Health Check dynamic section, showing the top ten categories of the failed integrations in a pie chart.
InferWhetherServiceIsDev	Identify whether the service is a "development" server. Development servers have no external users and run no production workflows. These servers might be named "dev", but they might also be named "qa", "pre-production", "user acceptance testing", or use other non-production terms. This automation uses both public data visible to anyone (`active_classifications` as derived by Xpanse ASM) as well as checking internal data for AI-learned indicators of development systems (`asm_tags` as derived from integrations with non-public systems).
InRange	checks if left side is in range of right side (from,to anotation) e.g. - InRange left=4right=1,8 will return true.
InstancesCheck-FailedCategories	Health Check dynamic section, showing the top ten categories of the failed integrations in a pie chart.
InstancesCheck-NumberofEnabledInstances	Health Check dynamic section, showing the total number of checked integrations.
InstancesCheck-NumberofFailedInstances	Health Check dynamic section, showing the total number of failed integrations.
IntegrationsCheck-Widget-IntegrationsCategory	Data output script for populating the dashboard pie graph widget with the failing integrations.
IntegrationsCheck-Widget-IntegrationsErrorsInfo	Data output script for populating the dashboard table graph widget with the information about failing integrations.
IntegrationsCheck-Widget-NumberChecked	Data output script for populating the dashboard number graph widget with the number of checked integrations.
IntegrationsCheck-Widget-NumberFailingInstances	Data output script for populating the dashboard number graph widget with the number of failing integrations.
IntezerRunScanner	Deprecated. D2 agent is deprecated. No available replacement.
IntezerScanHost	Deprecated. D2 agent is deprecated. No available replacement.
InvertEveryTwoItems	This transformer will invert every two items in an array. Example: ["A", "B", "C", "D"] Result: ["B", "A", "D", "C"] If the total of items in the array is an odd number the last item will be removed Example: ["A", "B", "C", "D", "E"] Result: ["B", "A", "D", "C"] If the item is not an array the output will be same passed object.
InvestigationDetailedSummaryParse	Parses attacks from context, and shows them according to the MITRE technique they use.
InvestigationDetailedSummaryToTable	Shows InvestigationDetailedSummaryParse results as a markdown table.
InvestigationSummaryParse	Retrieves information from previously run reputation commands and aggregates their results.
InvestigationSummaryToTable	Creates a human readable table from ParseMalware context results.
iot-security-alert-post-processing	IoT alert post processing script to resolve the alert in IoT security portal using API
iot-security-check-servicenow	Close the XSOAR incident if the IoT ServiceNow ticket was closed. This command should be run in a Job.
iot-security-get-raci	IoT RACI model script.
iot-security-vuln-post-processing	IoT vulnerability post processing script to resolve the vulnerability incident in IoT security portal using API
IPCalcCheckSubnetCollision	An automation script to return subnet collision result
IPCalcReturnAddressBinary	An automation script to return address in binary format
IPCalcReturnAddressIANAAllocation	An automation script to return address IANA information
IPCalcReturnSubnetAddresses	An automation script to return subnet addresses
IPCalcReturnSubnetBroadcastAddress	An Automation Script to return subnet broadcast address
IPCalcReturnSubnetNetwork	An Automation Script to return subnet network ID
IPNetwork	Gather information regarding CIDR - 1. Broadcast_address 2. CIDR 3. First_address 4. Last address 5. Max prefix len 6. Num addresses 7. Private 8. Version.
IPReputation	A context script for IP entities.
IPToHost	Try to get the hostname correlated with the input IP.
IPv4Blacklist	Transformer that returns a filtered list of IPv4 addresses, based on whether they do not match a comma-separated list of IPv4 ranges. Useful for filtering out internal IP address space.
IPv4Whitelist	Transformer that returns a filtered list of IPv4 addresses, based on whether they match a comma-separated list of IPv4 ranges. Useful for filtering in internal IP address space.
IqHubLog	Logs detection and progression count with respective links to confluera's IQ-Hub portal in tabular format.
IronscalesEmailFieldTrigger	Automatically changes email field when choosing classification.
isArrayItemInList	This automation is for comparing array(list) data of context to existing lists on XSOAR server. You can avoid using loop of sub-playbook. inputArray: the context array/list data listName: the XSOAR system list.
IsDemistoRestAPIInstanceAvailable	Checks if the provided Core/Demisto REST API instance is available for the XSOAR Simple Dev to Prod workflow.
IsDomainInternal	The script takes one or more domain names and checks whether they're in the Cortex XSOAR list defined in the InternalDomainsListName argument. By default, the InternalDomainsListName argument will use the Cortex XSOAR list called "InternalDomains". The list can be customized by the user. It should contain the organization's internal domain names, separated by new lines. Subdomains are also supported in the list. The results of the script are tagged with the "Internal_Domain_Check_Results" tag, so they can be displayed in the War Room entry sections in incident layouts.
IsEmailAddressInternal	Checks if the email address is part of the internal domains.
isError	Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error.
IsGreaterThan	Checks if one number(float) as bigger than the other(float) Returns yes: if first > second Returns no: if first <= second Returns exception if one of the inputs is not a number
IsIncidentPartOfCampaign	Gets the ID of an incident campaign that is linked to at least one of the given incidents.
IsInCidrRanges	Determines whether an IPv4 or IPv6 address is contained in at least one of the comma-delimited CIDR ranges. Multiple IPv4/IPv6 addresses can be passed comma-delimited and each will be tested. A mix of IPv4 and IPv6 addresses will always return false.
IsIntegrationAvailable	Returns 'yes' if integration brand is available. Otherwise returns 'no'.
IsInternalDomainName	This script accepts multiple values for both arguments and will iterate through each of the domains to check if the specified subdomains are located in at least one of the specified main domains. If the tested subdomain is in one of the main domains, the result will be true. For example, if the domain_to_check values are apps.paloaltonetworks.com and apps.paloaltonetworks.bla and the domains_to_compare values are paloaltonetworks.com and demisto.com, the result for apps.paloaltonetworks.com will be true since it is a part of the paloaltonetworks.com domain. The result for apps.paloaltonetworks.bla will be false since it is not a part of the paloaltonetworks.com or demisto.com domain.
IsInternalHostName	Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix.
IsIPInRanges	Returns yes if the IP is in one of the ranges provided, returns no otherwise.
IsIPPrivate	The script takes one or more IP addresses and checks whether they're in the private IP ranges defined in the PrivateIPsListName argument. By default, the PrivateIPsListName argument will use the Cortex XSOAR list called "PrivateIPs". The list can be modified, and by default uses the ranges defined by the Internet Assigned Numbers Authority (IANA). The following are the default CIDR ranges for private IPv4 addresses: - 10.0.0.0/8 (range: 10.0.0.0 to 10.255.255.255) - 172.16.0.0/12 (range: 172.16.0.0 to 172.31.255.255) - 192.168.0.0/16 (range: 192.168.0.0 to 192.168.255.255) In addition to ranges, it's also possible to add specific IP addresses to the list. You may also tag IPs or IP ranges by adding a comma after the IP or range, and then adding the tag that you want to tag the corresponding IP indicators with.
IsListExist	Check if list exist in demisto lists.
IsMaliciousIndicatorFound	Checks if the investigation found any malicious indicators (file, URL, IP address, domain, or email). Returns "yes" if at least one malicious indicator is found.
IsNotInCidrRanges	Checks whether an IPv4 or IPv6 address is not contained in one or more comma-delimited CIDR ranges.
IsolationAssetWrapper	This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex XSOAR 6.0.0).
IsPDFFileEncrypted	Checks whether the PDF file is encrypted.
IsRFC1918Address	A filter that receives a single IPv4 address string as an input and determines whether it is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). For more information, see https://en.wikipedia.org/wiki/Private_network
IsTrue	Check if a given value is true. Will return 'no' otherwise
IsUrlPartOfDomain	Checks if the supplied URLs are in the specified domains.
IsValueInArray	Indicates whether a given value is a member of given array
IvantiHeatCloseIncidentExample	This is a sample script that demonstrates how to close an incident in Ivanti Heat. The script generates data of the closed incident in JSON format and writes it to the IvantiHeat.CloseIncidentJSON context path.
IvantiHeatCreateIncidentExample	This is a sample script that demonstrates how to create an incident in Ivanti Heat. The script generates data of the created incident in JSON format and writes it to the IvantiHeat.CreateIncidentJSON context path.
IvantiHeatCreateProblemExample	This is a sample script that demonstrates how to create a problem in Ivanti Heat. The script generates data of the created problem in JSON format and writes it to the IvantiHeat.CreateProblemJSON context path.
JiraAddComment	Use this script to add a comment with a tag (the "Comment tag to Jira" defined in the instance configuration) as an entry in XSOAR, which will then be mirrored as a comment to a Jira issue. This script should be run within an incident.
JiraChangeStatus	This script changes the status field of a Jira incident. It gets the new Jira status of the remote Jira issue and updates the Cortex XSOAR incident status.
JiraCreateIssue-example	This script is used to simplify the process of creating a new Issue in Jira. You can specify custom fields using the `customFields` argument.
JiraListStatus	This script lists all possible statuses for a given Jira issue. Works only for Jira v3.
JIRAPrintIssue	Pretty print JIRA issue into the incident war room
JiraV3ConvertAttachmentsToTable	This script is used to convert Jira attachments to a table.
JiraV3ConvertCommentsToTable	This script is used to convert Jira comments to a table.
JiraV3ConvertSubtasksToTable	This script is used to convert Jira subtasks to a table.
jmespath	Performs a JMESPath search on an input JSON format, when using a transformer.
JobCreator	Job Creator for the Content Management pack.
JoinIfSingleElementOnly	Return the single element in case the array has only 1 element in it, otherwise return the whole array.
JoinListsOfDicts	Deprecated. No available replacement.
jq	Run JQ Query. Check these links: - https://stedolan.github.io/jq/manual/#Invokingjq - https://jqplay.org/
Json2HtmlTable	Converts JSON objects to HTML tables.
JSONDiff	compares two JSON files and returns their differences, such as added, removed, or changed fields, in a structured format.
JSONFeedApiModule	Common code that will be appended into each JSON Feed integration when it's deployed.
JSONFileToCSV	Script to convert a War Room output JSON File to a CSV file.
JSONtoCSV	Convert a JSON War Room output via EntryID to a CSV file.
JsonToTable	Accepts a json object and returns a markdown. Supports clickable links.
JsonUnescape	Recursively un-escapes JSON data if escaped JSON is found
KeylightCreateIssue	Use this script to simplify the process of creating or updating a record in Keylight (v2). You specify custom arguments for which to populate the components. The arguments in this documentation are meant as examples only.
KillProcessWrapper	A cross-vendor wrapper script that triggers a ‘process kill’ command - i.e executes the proper kill process command according to the vendor: CrowdstrikeFalcon or Cortex XDR. The script will only fail when the kill process action fails for both vendors.
LanguageDetect	Language detection based on Google's language-detection.
LastArrayElement	Returns the last element of an array. If the value passed is not an array, it returns the original value that was passed.
LCMAcknowledgeHost	Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LCMDetectedEntities	Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LCMDetectedIndicators	Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LCMHosts	Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LCMIndicatorsForEntity	Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LCMPathFinderScanHost	Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LCMResolveHost	Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LCMSetHostComment	Deprecated. This script is deprecated. LightCyber Magna is no longer available.
LessThanPercentage	Checks if one percentage is less than another Returns less: if firstPercentage < secondPercentage Returns more: if firstPercentage >= secondPercentage Returns exception if one of the inputs is not a float
LinkIncidentsButton	Incident action button script to link or unlink Incidents from an Incident
LinkIncidentsWithRetry	Use this script to avoid DB version errors when simultaneously running multiple linked incidents.
LinkToPhishingCampaign	Links a Phishing incident to its related Phishing Campaign incident.
ListDeviceEvents	List all of the events discovered within your enterprise on a particular device within 2 hours earlier than the current time.
listExecutedCommands	Lists executed commands in War Room
ListGroupBy	Deprecated. No available replacement.
ListInstalledContentPacks	This script will show all installed content packs and whether they have an update.
ListPlaybookAutomationsCommands	Check Upgrade and Display Changes.
ListUsedDockerImages	List all Docker images that are in use by the installed integrations and automations.
LoadJSON	Loads a json from string input, and returns a json object result.
LoadJSONFileToContext	Loads a JSON file from the war room to context.
LookupCSV	Parses a CSV and looks for a specific value in a specific column, returning a dict of the entire matching row. If no column value is specified, the entire CSV is read into the context.
LowerCidrNumAddresses	Check if number of availble addresses in IPv4 CIDR is lower than given number.
MakePair	This transformer will create a list of dictionary by aggregating elements from two arrays. The one is given by `value` (with `array1_key`), another is given by `array2` (with `array2_key`).
MaliciousRatioReputation	Set indicator reputation to "suspicious" when malicious ratio is above threshold. Malicious ratio is the ration between number of "bad" incidents to total number of incidents the indicator appears in.
ManageOOOusers	Adds or removes an analyst from the out-of-office list in XSOAR. When used with the AssignAnalystToIncidentOOO automation, prevents incidents from being assigned to an analyst who is out of office.
MapPattern	This transformer will take in a value and transform it based on multiple condition expressions (wildcard, regex, etc) defined in a JSON dictionary structure. The key:value pair of the JSON dictionary should be: "condition expression": "desired outcome" For example: { ".match 1.": "Dest Val1", ".match 2.": "Dest Val2", ".match 3(.)": "\1", "match 4": { "algorithm": "wildcard", "output": "Dest Val4" } } The transformer will return the value matched to a pattern following to the priority. When unmatched or the input value is structured (dict or list), it will simply return the input value.
MapRaDarkIncidentDetails	Map details to an RaDark incident.
MapRangeValues	This script converts an input value into another value using two lists. The input value or range is searched in the first list (map_from). If it exists, the value at the same index from the second list (map_to) is returned. If there is no match, the original value is returned. This script supports mapping from either ranges of float numbers or text strings. Example 1: map_from = "1,2,3,4" map_to = "4,3,2,1" value = 3 Output is "2" Example 2: map_from = "1-3,4" map_to = "5,1" value = 3 Output is "5".
MapValues	Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1
MapValuesTransformer	This script converts the input value into another value using two lists. The input value is searched in the first list (input_values). If it exists, the value from the second list (mapped_values) at the same index is retutrned. If there is no match, the original value is returned. If the original input is a dictionary, then the script will look for a "stringified" version of the key/:/value pair in the input_values and then map the result in the output_values into the original "value". Example 1: input_values = "1,2,3,4" mapper_values = "4,3,2,1" value = 3 Output would be "2" Example 2: input_values ="firstkey: datahere,secondkey: datathere" mapper_values = "datathere,datahere" value(dict)= { "firstkey": "datahere" } Output would be: { "firstkey": "datathere" } The reason for matching the key AND value pair in a dictionary is to allow the mappig of values that have a specific key name. In most cases, dictionaries will continan key-value pairs in which the values are the same. You might want to change the value of KeyA, but not the value of KeyB. This method gives control over which key is changed. When the input is a dict, str , int, or list, the output is ALWAYS returned as a string.
MarkAsEvidenceBySearch	Search entries in the war room for the pattern text, and mark them as evidence.
MarkAsEvidenceByTag	Mark entries as evidence if they are tagged with given tag
MarkAsNoteBySearch	Search entries in the war room for the pattern text, and mark as note to the entries found.
MarkAsNoteByTag	Mark entries as notes if they are tagged with given tag.
MarkdownToHTML	Converts Markdown to HTML.
MarketplacePackInstaller	Deprecated. Use ContentPackInstaller instead.
MarkRelatedIncidents	Marks given incidents as related to current incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
MatchIPinCIDRIndicators	Deprecated. No available replacement. > Match provided IP address in all the Indicators of type CIDR with the provided tags (longest match).
MatchRegex	Deprecated. Use the MatchRegexV2 script instead.
MatchRegexV2	Extracts regex data from the provided text. The script support groups and looping.
MathUtil	Script will run the provided mathematical action on 2 provided values and produce a result. The result can be stored on the context using the contextKey argument
MattermostAskUser	Ask a user a question on Mattermost and expect a response. The response can also close a task (might be conditional) in a playbook.
MaxList	Gets the maximum value from list e.g. ["25", "10", "25"] => "25"
MergeDictArray	Each entry in an array is merged into the existing array if the keyed-value matches.
MicrosoftApiModule	Common Microsoft code that will be appended into each Microsoft integration when it's deployed
MicrosoftAzureStorageApiModule	Common Microsoft Azure Storage code that will be appended into each Microsoft Azure Storage integration.
MicrosoftGraphMailApiModule	Common Microsoft Graph Mail code that will be appended into the Microsoft Graph Mail integrations when it's deployed.
MicrosoftSentinelConvertAlertsToTable	This script is used to convert alerts to a table.
MicrosoftSentinelConvertCommentsToTable	This script is used to convert comments to a table.
MicrosoftSentinelConvertEntitiesToTable	This script is used to convert entities to a table.
MicrosoftSentinelConvertRelationsToTable	This script is used to convert relations to a table.
MicrosoftSentinelSetOwner	This script can be run from the War Room or used by a layout to set the Owner field in Microsoft Sentinel.
MicrosoftSentinelSubmitNewComment	Use this script to add a comment which will then be mirrored as a comment to a Sentinal event. This script should be run within an incident.
MicrosoftTeamsAsk	Send a team member or channel a question with predefined response options on Microsoft Teams. The response can be used to close a task (might be conditional) in a playbook.
MimecastFindEmail	Find an email across all mailboxes, and return the list of mailboxes where the email was found, as well as Yes if the mail was found anywhere or No otherwise.
MimecastQuery	Deprecated. Use mimecsat-query command instead.
MinList	Gets the minimum value from list e.g. ["25", "10", "25"] => "10"
MITREIndicatorsByOpenIncidents	Deprecated. Use FeedMitreAttackv2 instead.
MITREIndicatorsByOpenIncidentsV2	This is a widget script returning MITRE indicators information for top indicators shown in incidents.
MITRENameByID_Formatter	Get a MITRE ATT&CK object name by its ID. The script is using TIMs IOCs to find the correct name. (MITRE ATT&CK IOCs must exist in the Threat Intel data).
ModifyDateTime	Takes a date or time input and adds or subtracts a determined amount of time. Returns a string in date or time in ISO Format.
MS365DefenderCountIncidentCategories	Count the categories of alerts in given incident.
MS365DefenderUserListToTable	comment
MSEScoreWidget	This dynamic automation parses the MSE results and presents it in the layout in color according to its score.
MyToDoTasksWidget	A script that creates a table of all the ToDo tasks assigned to the current user.
NCSCReportDetails	This script generates the report details used in the final report. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
NCSCReportDetails_A	This script generates the report details for the individual CAF Section. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
NCSCReportDetails_B	This script generates the report details for the individual CAF Section. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
NCSCReportDetails_C	This script generates the report details for the individual CAF Section. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
NCSCReportDetails_D	This script generates the report details for the individual CAF Section. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
NCSCReportOverview	This script generates the report details for the individual CAF Section. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
NetwitnessQuery	Deprecated. No available replacement. Performs a query against the meta database
NetwitnessSAAddEventsToIncident	This command will add new events to an existing NetWitness SA incident.
NetwitnessSACreateIncident	Create an incident inside NetWitness SA from a set of NetWitness events.
NetwitnessSAGetAvailableAssignees	Returns the available NetWitness SA users to be assigned to incidents.
NexposeCreateIncidentsFromAssets	Deprecated. No available replacement. Create incidents based on the Nexpose asset ID and vulnerability ID. Duplicate incidents are not created for the same asset ID and vulnerability ID.
NexposeEmailParser	Parses nexpose report into a clear table that contain risk score and vulnerability count for each server, And creates a new incident for each server.
NexposeEmailParserForVuln	Parses nexpose report into a clear table that contain risk score and vulnerability count for each server, And creates a new incident for each server.
NexposeVulnExtractor	Parse a specific server nexpose response in to a table of vulnerabilities.
NGINXApiModule	Common NGINX code that will be appended into each NGINX based integration when it's deployed.
NotInContextVerification	Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution.
NumberOfPhishingAttemptPerUser	Shows a bar chart of the number of incident the 'To' and 'From' email addresses. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
OktaApiModule	Common Okta code for all Okta-related integrations.
Oletools	This is an automation to run oletools malware analysis for office files. Oletools is a tool for analyzing Microsoft OLE2 files, such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics, and debugging. This automation allows performing some basic oletools commands from Cortex XSOAR. Note that oletools is open source code and is subject to change.
OnboardingCleanup	Cleanup the incidents and indicators created by OnboardingIntegration This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
OnionURLReputation	This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSOAR CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators.
OSQueryBasicQuery	Returns the results from a basic OSQuery query on a remote Linux machine. For more information read documentation at https://osquery.readthedocs.io/
OSQueryLoggedInUsers	Deprecated. Use OSQueryBasicQuery with query='select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;' instead.
OSQueryOpenSockets	Deprecated. Use OSQueryBasicQuery with query='select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path `<>` '' or remote_address `<>` '';' instead.
OSQueryProcesses	Deprecated. Use OSQueryBasicQuery with query='select * from processes' instead.
OSQueryUsers	Deprecated. Use OSQueryBasicQuery with query='select * from users;' instead.
Osxcollector	Execute osxcollector on machine, can run ONLY on OSX
OutOfOfficeListCleanup	Removes any users from the out-of-office list whose 'off until day' is in the past.
PadZeros	Adds zeros (0) to the beginning of the string, until the string reaches the specified length.
PagerDutyAlertOnIncident	Send incident details to pagerduty (useful to include in playbooks)
PagerDutyAssignOnCallUser	By default assigns the first on-call user to an investigation (all incidents in the investigation will be owned by the on call user)
PanoramaCVECoverage	Check coverage given a list of CVEs.
PanoramaSecurityPolicyMatchWrapper	A wrapper script for the panorama-security-policy-match command that receives multiple values for the source, destination, and destination port arguments and performs the policy match for each combination of the inputs.
PanwIndicatorCreateQueries	The script accepts indicators as input and creates an indicator query in the relevant Palo Alto Networks products.
ParseCSV	This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context.
ParseEmailFiles	Deprecated. Use ParseEmailFilesV2 instead." Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook.
ParseEmailFilesV2	Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info.
ParseExcel	The automation takes Excel file (entryID) as an input and parses its content to the war room and context.
ParseHTMLIndicators	This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions.
ParseHTMLTables	Find tables inside HTML and extract the contents into objects using the following logic: - If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value - If table has a header row, create a table of objects where attribute names are the headers - If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3...
ParseJSON	Parse a given JSON string "value" to a representative object. Example: '{"a": "value"}' => {"a": "value"}.
ParseWordDoc	Takes an input docx file (entryID) as an input and saves an output text file (file entry) with the original file's contents.
ParseYAML	Parses a YAML string into context.
PcapConvert	Convert packet data to the standard pcap. Currently it only supports CDL(NGFW) pcap from which to convert.
PcapExtractStreams	Extract payloads of each stream from a pcap. The payloads will be retrieved with an array of dictionaries of these keys: - protocol - client_ip - client_port - server_ip - server_port - stream_size - stream_text - stream_base64 - outgoing_size - outgoing_text - outgoing_base64 - incoming_size - incoming_text - incoming_base64.
PcapFileExtractor	This automation extracts all possible files from a PCAP file.
PcapFileExtractStreams	Extract payloads of each stream from a pcap file.
PcapHTTPExtractor	Allows to parse and extract http flows (requests & responses) from a pcap/pcapng file.
PCAPMiner	Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="<your_entry_id>". To get the entry id click on the link on the top right hand corner of a file attachment.
PcapMinerV2	PcapMIner V2 allows to parse PCAP files by displaying the all of the relevant data within including ip addresses, ports, flows, specific protocol breakdown, searching by regex, decrypting encrypted traffic and more. This automation takes about a minute to process 20,000 packets (which is approximately 10MB). If you want to mine large files you can either: a) Use the `pcap_filter` parameter to filter your PCAP file and thus make is smaller. b) Copy the automation and change the `default timeout` parameter to match your needs.
PCComputeContainerComplianceIssuesButton	This script runs the "prisma-cloud-compute-container-scan-results-list" command for a specific container ID and returns details about its compliance issues, if found. If any compliance issues found, it will create a new tab in the layout called "Detailed Compliance Issues" showing the issues details. Returns the following fields for each compliance ID: - Compliance ID - Cause - Severity - Title - Description.
PCComputeHostComplianceIssuesButton	This script runs the "prisma-cloud-compute-hosts-scan-list" command for a specific hostname and returns details about its compliance issues, if found. If any compliance issues found, it will create a new tab in the layout called "Detailed Compliance Issues" showing the issues details. Returns the following fields for each compliance ID: - Compliance ID - Cause - Severity - Title - Description.
PCComputeImageComplianceIssuesButton	This script runs the "prisma-cloud-compute-images-scan-list" command for a specific container ID and returns details about its compliance issues, if found. If any compliance issues found, it will create a new tab in the layout called "Detailed Compliance Issues" showing the issues details. Returns the following fields for each compliance ID: - Compliance ID - Cause - Severity - Title - Description.
PDFUnlocker	Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF.
PenfieldAssign	PenfieldAssign will use the Penfield.AI integration's penfield-get-assignee command to determine who an incident should be assigned to, then print the selected analyst to the War Room and overwrite the owner property.
PerformActionOnCampaignIncidents	Perform user actions such as link, close, etc., on selected incidents from a campaign. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
PFXAnalyzer	This script is designed to analyze a PFX (Personal Information Exchange) file for various suspicious or noteworthy characteristics from a security perspective.
PHash	Script to create a perceptual hash of an image (or file) stored in the incident. Wrapps https://pypi.org/project/ImageHash/
Ping	Pings an IP or url address, to verify it's up. Note - On Cortex XSOAR 8 and Cortex XSIAM, the script can run only on a custom engine.
PopulateCriticalAssets	Populates critical assets in a grid field that has the section headers "Asset Type" and "Asset Name".
PortListenCheck	Checks whether a port was open on given host.
PositiveDetectionsVSDetectionEngines	Shows a bar chart of the number of Positive Detections out of overall detections
PrepareArcannaRawJson	Deprecated. No available replacement.
PreprocessEmail	Preprocessing script for email communication layout. This script checks if the incoming email contains an Incident ID to link the mail to an existing incident, and tags the email as "email-thread". This script runs with elevated permissions. Cortex XSOAR recommends using the built-in RBAC functionality to limit access to only those users requiring access to this script. For more information about the preprocessing rules, refer to: https://demisto.developers.paloaltonetworks.com/docs/incidents/incident-pre-processing
PreProcessImage	This script pre-processes (resizes, sharpens, and grayscales) an image file from context, given an entry_id.
PrettyPrint	Pretty-print data using Python's pprint library. This is useful for seeing the structure of incident and context data. Here's how to use it: !PrettyPrint value=${incident}
Print	Prints text to war room (Markdown supported)
PrintContext	Pretty-print the contents of the playbook context.
PrintErrorEntry	Prints an error entry with a given message.
PrintRaw	Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression.
PrintToAlert	Prints a value to the specified alert's war-room. The alert must be in status "Under Investigation".
PrintToIncident	Prints a value to the specified incident's war-room.
PrintToParentIncident	Prints a value to the parent incident's war-room of the current alert.
PrismaCloudAttribution	Recursively extracts specified fields from provided list of assets for Prisma Cloud attribution use case.
PrismaCloudComputeComplianceTable	Iterate over EnrichedComplianceIssue information in the context data and add the important keys to a table under PrismaCloudCompute.ComplianceTable or a provided grid id.
PrismaCloudComputeParseCloudDiscoveryAlert	Parse Cloud Discovery alert raw JSON data.
PrismaCloudComputeParseComplianceAlert	Parse Compliance alert raw JSON data.
PrismaCloudComputeParseVulnerabilityAlert	Parse Vulnerability alert raw JSON data.
PrismaCloudLocalTrustedImagesListUpdate	Takes the results of "prisma-cloud-compute-images-scan-list" and "prisma-cloud-ci-scan-results-list" commands and creates or updates a list of trusted images which can be used for updating the "Trusted Images" list in Prisma Cloud, using the PrismaCloudRemoteTrustedImagesListUpdate automation.
PrismaCloudRemoteTrustedImagesListUpdate	Gets the existing "Trusted Images" results from Prisma Cloud Compute and updates the relevant trust group with the images stored in the given internal list.
ProductJoin	Returns the product of two lists, joined by a separator, as a list of strings.
ProofpointTAPMostAttackedUsers	Exports a list of Proofpoint TAP most attacked users to the Cortex XSOAR widget.
ProofpointTapTopClickers	Exports a list of Proofpoint TAP top clickers to the Cortex XSOAR widget.
ProvidesCommand	Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Core REST API" integration must first be enabled.
PTEnrich	Deprecated. No available replacement. Enrich the given IP or domain with metadata, malware, osint.
PublishEntriesToContext	Publish entries to incident's context
PublishThreatIntelReport	Sets a Threat Intel Report as published.
PWEventPcapDownload	Deprecated. No available replacement.
PWObservationPcapDownload	Deprecated. No available replacement.
QRadarCreateAQLQuery	Build QRadar AQL Query.
QRadarFetchedEventsSum	This display the amount of fetched events vs the total amount of events in the offense.
QRadarMagnitude	This enables to color the field according to the magnitude. The scale is 1-3 green 4-7 yellow 8-10 red.
QRadarMirroringEventsStatus	This displays the mirrored events status in the offense.
QRadarPrintAssets	This script prints the assets fetched from the offense in a table format.
QRadarPrintEvents	This script prints the events fetched from the offense in a table format.
qrcodereader	Decodes an QR Code offline using opencv, returns the value to Context or False.
QualysCreateIncidentFromReport	Create incidents from a Qualys report (XML), based on the Qualys asset ID and vulnerability ID (QID). Duplicate incidents are not created for the same asset ID and QID.
RandomElementFromList	randomly select elements from a list in Python
RandomPhotoNasa	This automation script will pull a random image from https://images.nasa.gov based on the search parameter provided. If the script is used within a widget, it will output an image in markdown format. If it is used anywhere else it will output an image in markdown format and also context data.
RankServiceOwners	Recommend most likely service owners from those surfaced by Cortex ASM Enrichment.
RapidBreachResponse-CompletedTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of completed tasks.
RapidBreachResponse-EradicationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of eradication tasks.
RapidBreachResponse-HuntingTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of hunting tasks.
RapidBreachResponse-MitigationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of mitigation tasks.
RapidBreachResponse-RemainingTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of remaining tasks.
RapidBreachResponse-RemediationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of remediation tasks.
RapidBreachResponse-TotalIndicatorCount-Widget	Rapid Breach Response dynamic section, will show the updated number of indicators found.
RapidBreachResponse-TotalTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of tasks to complete.
RapidBreachResponseParseBlog	Deprecated. Use "ParseHTMLIndicators" instead. Parse Volexity request blog.
RasterizeImageOriginal
RasterizeImageSuspicious
RCSScan	This script starts an RCS scan and sets the scan ID in context.
ReadFile	Load the contents of a file into context.
ReadNetstatFile	Load and return the processes file (generated from the cs-falcon-rtr-list-network-stats command) content.
ReadNetstatFileWrapper	This Automation is a wrapper - If the CrowdStrike key is present in context, ReadNetstatFile will be executed and displayed. Else, 'No data on Netstat found' will be displayed.
ReadPDFFileV2	Load a PDF file's content and metadata into context. Supports extraction of hashes, urls, and emails when available.
ReadProcessesFile	Load and return the processes file (generated from the cs-falcon-rtr-list-processes command) content.
ReadProcessesFileXDR	Return a process list from the XDRIR integration.
ReadProcessFileWrapper	This Automation is a wrapper - If PaloAltoNetworksXDR is in context - ReadProcessesFileXDR will be executed and displayed. if CrowdStrike is in context - ReadProcessesFile will be executed and displayed. else 'No data on Process List found' will be displayed.
ReadQRCode	Extracts the text from a QR code. The output of this script includes the output of the script "extractIndicators" run on the text extracted from the QR code.
RecordedFutureDomainRiskList	Deprecated. Use Recorded Future v2 instead.
RecordedFutureHashRiskList	Deprecated. Use Recorded Future v2 instead.
RecordedFutureIPRiskList	Deprecated. Use Recorded Future v2 instead.
RecordedFutureURLRiskList	Deprecated. Use Recorded Future v2 instead.
RecordedFutureVulnerabilityRiskList	Deprecated. Use Recorded Future v2 instead.
redactindicator	Redactindicator can help you to defang/redact any kind of indicator (IPv4, url, domain and email), IP addresses will be in the dotted representation like 8.8.8[.].8, all domains will be example[.]com. Optional you can define a "searchkey" which does not to be case sensitive, which will be replaced as <REDACTED>.
RegexExpand	Extract the strings matched to the patterns by doing backslash substitution on the template string. This transformer allow to input multiple regex patterns and multiple match targets, and those can be given in the input value and the argument parameters.
RegexExtractAll	Extraction of all matches from a specified regular expression pattern from a provided string. Returns an array of results. This differs from RegexGroups in several ways: It returns all matches of the specified pattern, not just specific groups. This is useful for extracting things using a pattern where the content of the source string is indeterminate, such as extracting all email addresses. Some "convenience" arguments have been added to enhance usability: multi-line, ignore_case, period_matches_newline Added a new argument, "error_if_no_match". The script will not ordinarily throw an error if a match is not found but if not using as a transformer within a playbook, it may, in certain limited circumstances, be desirable to throw an error if the expression doesn't match. It uses the 'regex' library, which supports more some more advanced regex functionality than the standard 're' library. For more info, see https://pypi.org/project/regex/.
RegexReplace	Format patterns matched with regex. If the regex does not match any pattern, the original value is returned. Example 1: value: user=john regex: user=(.) output_format: name=\1 -> output value: name=john Example 2: value: xxx=yyy regex: user=(.) output_format: name=\1 -> output value: xxx=yyy
RegistryParse	This command uses the Registry Parse automation to extract critical forensics data from a registry file. The essential values are specified by the argument.
RegPathReputationBasicLists	Deprecated. No available replacement.
RemediationPathRuleEvaluation	For a given alert and remediation path rules that are defined for that alert's attack surface rule, this script takes each remediation path rule and looks at the rule criteria to see if the rule matches for the given alert. If multiple rules match, it will return the most recently created rule. This assumes that the rules passed in are filtered to correlate with the alert's attack surface rule.
RemoteExec	Execute a command on a remote machine (without installing a D2 agent)
RemoveEmpty	Remove empty items, entries or nodes from the array.
RemoveEmptyEvidence	The automation removes evidence based on a query performed on the evidence content, if the provided string is found within the evidence- it will be removed.
RemoveFileWrapper	This script allows removing specified files using Cortex XDR, CrowdStrike and Microsoft Defender (Advanced Threat Protection).
RemoveKeyFromList	Removes a key in key/value store backed by an XSOAR list.
RemoveMatches	Removes items from the given list of values if they match any of the patterns in the provided `filters`. If the match_exact argument is 'yes', direct string compare is used, otherwise the comparison is done using regex.
ReplaceMatchGroup	Returns a string with all matches of a regex pattern groups replaced by a replacement.
RepopulateFiles	After running DeleteContext, this script can repopulate all the file entries in the ${File} context key
ResolveGemAlert	Post Processing Script that will resolve the relevant Threat in the Gem platform.
ResolveShortenedURL	This script resolves the original URL from a given shortened URL and places the resolved URL in the playbook context and output.
RestartFailedTasks	Use this Script to re-run failed tasks. Run in the same incident after running `GetFailedTasks` for restarting all of the failed tasks or some of them.
RetrievePlaybookDependencies	Retrieves all Playbook (and Sub-Playbook) Names, Integrations, Automation Scripts, Commands not using-brand, and lists for a provided Playbook name. Also accepts inputs for incident types, layouts, incident fields, indicator fields, jobs, mappers, and pre-process rules connected to the parent playbook. Results can be output as an HTML or Markdown list.
RetrievePlaybooksAndIntegrations	Deprecated. Use RetrievePlaybookDependencies instead. Retrieves all Playbook (and Sub-Playbook) Names and Integrations for a provided Playbook name
ReverseList	Reverse a list e.g. ["Mars", "Jupiter", "Saturn"] => ["Saturn", "Jupiter", "Mars"] This is an example for entire-list transformer - it operates the argument as a list (note the "entirelist" tag).
RiskIQDigitalFootprintAssetDetailsWidgetScript	Shows the detailed information of an asset identified as a "RiskIQAsset" type of indicator in the layout of the indicator.
RiskIQPassiveTotalComponentsScript	Enhancement script to enrich PassiveTotal components for Domain and IP type of indicators.
RiskIQPassiveTotalComponentsWidgetScript	Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators.
RiskIQPassiveTotalHostPairChildrenScript	Enhancement script to enrich PassiveTotal host pair of children for Domain and IP type of indicators.
RiskIQPassiveTotalHostPairParentsScript	Enhancement script to enrich PassiveTotal host pair of parents for Domain and IP type of indicators.
RiskIQPassiveTotalHostPairsChildrenWidgetScript	Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators.
RiskIQPassiveTotalHostPairsParentsWidgetScript	Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators.
RiskIQPassiveTotalPDNSScript	Enhancement script to enrich PDNS information for Domain and IP type of indicators.
RiskIQPassiveTotalPDNSWidgetScript	Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators.
RiskIQPassiveTotalSSLForIssuerEmailWidgetScript	Set widgets to custom layout in Email and RiskIQAsset type of indicators.
RiskIQPassiveTotalSSLForSubjectEmailWidgetScript	Set widgets to custom layout in Email and RiskIQAsset type of indicators.
RiskIQPassiveTotalSSLScript	Enhancement script to enrich SSL information for Email, File SHA-1 and RiskIQSerialNumber type of indicators.
RiskIQPassiveTotalSSLWidgetScript	Set widgets to custom layout in Email, RiskIQSerialNumber and File SHA-1 type of indicators.
RiskIQPassiveTotalTrackersScript	Enhancement script to enrich web trackers information for Domain and IP type of indicators.
RiskIQPassiveTotalTrackersWidgetScript	Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators.
RiskIQPassiveTotalWhoisScript	Enhancement script to enrich whois information for Domain and Email type of indicators.
RiskIQPassiveTotalWhoisWidgetScript	Set widgets to custom layout in Domain, Email and RiskIQ Asset type of indicators.
RiskSenseGetRansomewareCVEScript	This script is a helper script of Ransomware Exposure - RiskSense playbook and retrieve information of cves and trending cves from host finding details.
RSA_DisplayMetasEvents	Use this script to display meta events inside the layout.
RSA_GetRawLog	Use this script to get RAW log.
RSSWidget	Script Widget - RSS Feed.
RSSWidget_LC	Script Widget - RSS Feed.
RubrikCDMClusterConnectionState	Shows the Rubrik Radar amount of Files Added.
RubrikRadarFilesAdded	Shows the Rubrik Radar amount of Files Added.
RubrikRadarFilesDeleted	Shows the Rubrik Radar amount of Files Deleted.
RubrikRadarFilesModified	Shows the Rubrik Radar amount of Files Modified.
RubrikSetIncidentSeverityUsingWorkLoadRiskLevel	Script used to set the XSOAR incident severity using the workload data provided from the argument.
RubrikSonarFileHits	Shows the Rubrik Polaris Sonar File Hits Count.
RubrikSonarOpenAccessFileHits	Shows the Rubrik Polaris Sonar Open Access File Hits Count.
RubrikSonarOpenAccessFiles	Shows the Rubrik Polaris Sonar Open Access Files Count.
RubrikSonarSensitiveHits	Shows the Rubrik Polaris Sonar data classification results.
RubrikSonarSetIncidentSeverityUsingUserRiskLevel	Script used to set the incident severity using the risk level(s) provided from the argument.
RubrikSonarTotalHits	Shows the Rubrik Polaris Sonar Total Hits.
RunCPPhishingCampaign	Search other emails by sender and/or subject and quarantine.
RunDockerCommand	This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context.
RunPollingCommand	Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
SalesforceAskUser	Ask a user a question via Salesforce Chatter and process the reply directly into the investigation.
SandboxDetonateFile	Deprecated. This script is deprecated. Use the available generic file detonation playbooks instead.
SanePdfReports	Parse Sane-json-reports and export them as pdf files (used internally).
SbDownload	Deprecated. Use Check Point Threat Emulation (SandBlast) instead. Query, upload and download data using Check Point Sandblast on cloud.
SbQuery	Deprecated. Use Check Point Threat Emulation (SandBlast) instead. Query, upload and download data using Check Point Sandblast on cloud.
SbQuota	Deprecated. Use Check Point Threat Emulation (SandBlast) instead. Query, upload and download data using Check Point Sandblast on cloud.
SbUpload	Deprecated. Use Check Point Threat Emulation (SandBlast) instead. Query, upload and download data using Check Point Sandblast on cloud.
ScheduleCommand	Schedule a command to run inside the war room at a future time (once or reoccurring)
ScheduleGenericPolling	Called by the GenericPolling playbook, schedules the polling task.
SCPPullFiles	Take a list of devices and pull a specific file (given by path) from each using SCP.
script-JiraChangeTransition	This script applies the transition supplied by the user from the Jira Transitions incident field. It gets the new Jira status after applying the transition and updates the Cortex XSOAR incident status.
script-JiraListTransition	This script lists all possible transitions for a given Jira issue.
SearchIncidentsSummary	Searches Cortex XSOAR Incidents and returnrs the most relevant fields. Default search range is the last 30 days, if you want to change this, use the fromDate argument. Returns the id, name, type, severity, status, owner, and created/closed times to context. You can add additional fields using the add_field_to_context argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. Based on the SearchIncidentsV2 from the Common Scripts pack, but more efficient.
SearchIncidentsV2	Searches Demisto incidents. A summarized version of this scrips is available with the summarizedversion argument. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
SearchIndicator	Searches Cortex XSOAR Indicators. Search for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict. You can add additional fields from the indicators using the add_field_to_context argument.
SearchIndicatorInEvents	Searches for a specific indicator in the tenant's event and log data, and extracts the logs the indicator appears in.
SearchIndicatorRelationships	This automation outputs the indicator relationships to context according to the provided query, using the entities, entityTypes, and relationships arguments. All arguments will use the AND operator. For example, using the following arguments entities=8.8.8.8 entities_types=Domain will provide only relationships that the 8.8.8.8 indicator has with indicators of type domain.
SecuronixCloseHistoricalXSOARIncidents	Close historical XSOAR incidents that are already closed on Securonix. NOTE: This script will close all the XSOAR incidents which are created from Securonix integration and does not have incident type as "Securonix Incident" in the provided time frame.
SecuronixGetViolations	Gets a list of violations related to a specific threat from the context data and displays it in the layout.
SekoiaXDRAddComment	Script to add a comment to an alert in Sekoia, including the name of the person who made the comment.
SekoiaXDRChangeStatus	This script changes the status of the Sekoia alert.
SekoiaXDRPrintAssets	Print all assets by incident.
SekoiaXDRPrintCase	Prints case details from the Sekoia alert.
SekoiaXDRPrintComments	Prints the comments fetched from the Sekoia alert in a table format.
SendAllPANWIoTAssetsToSIEM	Retrieves all specified assets from the PANW IoT cloud and sends them to the SIEM server.
SendAllPANWIoTDevicesToCiscoISE	Gets all available devices from the IoT cloud and updates or creates them on Cisco ISE using the custom attributes.
SendAllPANWIoTDevicesToServiceNow	Gets all available devices from the IoT cloud and sends them to the ServiceNow. server
SendCPAction	Send quarantine or restore action and update action task id.
SendEmailOnSLABreach	Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started. In order to run successfully, the script should be configured to trigger on SLA breach, through field edit mode.
SendEmailReply	Send email reply This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
SendEmailToCampaignRecipients	Send email to all recipients from the selected campaign incidents.
SendEmailToManager	Send an approval email to the manager of the employee with the given email allowing the manager to reply directly into the incident.
SendMessageToOnlineUsers	Send message to Demisto online users over Email, Slack, Mattermost or all.
SendPANWIoTDevicesToCiscoISE	This script takes (as a required argument) custom attributes from PANW IoT cloud and creates or updates endpoints in ISE with the input custom attributes. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
SEPCheckOutdatedEndpoints	Check if any endpoints are using an AV definition that is not the latest version.
ServerLogs	Uses the ssh integration to grab the host server logs. This script is supported only on Cortex XSOAR on-prem (version 6.X).
ServerLogs_docker	Uses the ssh integration to grab the host server logs. This script is supported only on Cortex XSOAR on-prem (version 6.X).
ServiceNowApiModule	Common ServiceNow code that will be appended to each ServiceNow integration when it is deployed to automatically enable OAuth2 authentication.
ServiceNowCreateIncident	This script is used to wrap the generic create-record command in ServiceNow. You can add fields that you want to create the record with as script arguments or in the code and work with the records easily.
ServiceNowIncidentStatus	populates the value of the ServiceNow Ticket State field and display it in a layout widget.
ServiceNowQueryIncident	This script is used to wrap the generic query-table command in ServiceNow. You can add fields that you want to use as inputs and outputs from the record as script arguments or in the code and work with the records easily.
ServiceNowTroubleshoot	Troubleshot ServiceNow v2 integration by displaying health information of enabled instances and old and active incidents of disabled instances.
ServiceNowUpdateIncident	This script is used to wrap the generic update-record command in ServiceNow. You can add fields that you want to update the record with as script arguments or in the code and work with the records easily.
Set	Set a value in context under the key you entered.
SetAndHandleEmpty	Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
SetByIncidentId	Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. Sets a value into the context with the given context key. Doesn't append by default. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
SetDateField	Sets a custom incident field with current date
SetGridField	Creates a Grid table from items or key-value pairs.
SetIfEmpty	Checks an object for an empty value and returns a pre-set default value.
SetIndicatorGridField	This script updates an indicator's grid field in Cortex XSOAR with provided row data. You can input the rows directly or extract them from the context.
SetIndicatorTableData	Sets Data for a Domain in the Indicator Table.
SetIRProceduresMarkdown	Creates markdown tables based on information from the GetTasksWithSection command.
SetMultipleValues	Set multiple keys/values to the context.
SetPhishingCampaignDetails	Copying EmailCampaign context from current incident to other existing incident. This script runs with elevated permissions. Cortex XSOAR recommends using the built-in RBAC functionality to limit access to only those users requiring access to this script.
SetRDPOverallScore	Sets the overall score for the strings similarity scoring for the text extracted from the RDP cache image.
SetRSANetWitnessAlertsMD	This automation takes several alert fields from the RSA NetWitness alerts context and displays them as markdown in the layout.
SetSeverityByScore	Deprecated. Calculate a weighted score based on number of malicious indicators involved in the incident. Each indicator type can have a different weight. Finally if score exceeds certain thresholds, increase incident severity. Thresholds can also be overriden by providing them in arguments.
SetTagsBySearch	Search entries in the war room for the pattern text, and set tags to the entries found.
SetThreatVaultIncidentMarkdownRepresentation	This automation takes several Incident fields from the Threat Vault incident context and displays them as markdown in the layout.
SetTime	Fill the current time in a custom incident field
SetWithTemplate	Set a value built by a template in context under the key you entered.
ShowCampaignHighestSeverity	Displays the highest severity among the incidents that make up the phishing campaign.
ShowCampaignIncidentsOwners	Displays all the campaign incident owners and their quantity. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
ShowCampaignLastIncidentOccurred	Displays the occurrence date of the last campaign incident.
ShowCampaignRecipients	Displays the phishing campaign recipients' email addresses and the number of incidents each email address appears in.
ShowCampaignSenders	Displays the phishing campaign senders' email addresses and the number of incidents each email address appears in.
ShowCampaignSimilarityRange	Displays the similarity range between the incidents that make up the phishing campaign.
ShowCampaignUniqueRecipients	Displays the number of unique recipients of an email campaign.
ShowCampaignUniqueSenders	Displays the number of unique senders of an email campaign.
ShowCPEmailInfo	Get email info from Check Point Smart API.
ShowCPScanInfo	Get scan info from Check Point Smart API.
ShowIncidentIndicators	This script is used to display the indicators of an incident in an incident field of type Array. It can be used to select indicators from the incident in order to later perform some actions, like tagging the indicators for blocking via EDL. This script is a field-display script, so it needs to be configured as such, when editing the incident field that will be used to display the indicators.
ShowLocationOnMap	Show indicator geo location on map.
ShowNumberOfCampaignIncidents	Displays the number of phishing incidents that make up the phishing campaign.
ShowOnMap	Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance).
ShowScheduledEntries	Show all scheduled entries for specific incident.
SiemApiModule	Helpers and iteration logic using pydantic for Siem apps.
sigma-button-convert
SigmaConverttoQuery	Allows converting a Sigma Rule indicator into a SIEM query.
SimpleDebugger	SimpleDebugger is a python class definition appended to CommonServerUserPython and dynamically included in every automation by the XSOAR automation execution environment. It is for debugging custom python automations in XSOAR. You can visually trace code execution, set breakpoints, step through the code, display local variables, and profile execution times of python functions.
SixgillSearchIndicators	Search for Indicators
SlackAsk	Sends a message (question) to either user (in a direct message) or to a channel. The message includes predefined reply options. The response can also close a task (might be conditional) in a playbook.
SlackAskV2	Sends a message (question) to either user (in a direct message) or to a channel. The message includes predefined reply options. The response can also close a task (might be conditional) in a playbook. Note: a message maximum length is 3000 characters enforced by Slack API.
SlackBlockBuilder	SlackBlockBuilder will format a given Slack block into a format readable by the SlackV3 integration. The script will also send the block to the given destination. Make sure to mark Trust any certificate and fill the XSOAR API Key integration parameters if you want to get a response to the incident context.
Sleep	Sleep for X seconds.
SnmpDetection	Deprecated. No available replacement.
SortBy	This transformer will sort an array of dictionary values by keys in ascending or descending order.
SplitCampaignContext	Splits incidents in the context data to below and above a similarity threshold. If a low similarity incident was already added to the campaign, then it will also be considered in the higher similarity incidents list. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
Splunk_ShortID	Create Splunk Notable Event Short ID.
SplunkAddComment	Use this script to add a comment with a tag (the "Comment tag to Splunk" defined in the instance configuration) as an entry in Cortex XSOAR, which will then be mirrored as a comment to a Splunk issue. This script should be run within an incident.
SplunkCIMFields	Convert Splunk CIM Fields Dynamic Into Fields Value.
SplunkConvertCommentsToTable	This script is used to convert Splunk comments to a table.
SplunkEmailParser	Deprecated. Classify an incident created from an email originating from Splunk.\nThe mail type should be in plain text, and inline - table should be selected.\nParsing is done in the following manner -\ntype is the header sourcetype, severity is the mail importance level, \nthe incident name is the mail subject and the systems are taken from host.
SplunkPySearch	Deprecated. No available replacement. Run a query through Splunk and format the results as a table.
SplunkShowAsset	Automation to display asset objects from Splunk.
SplunkShowDrilldown	Automation to display drilldown search results from Splunk.
SplunkShowIdentity	Automation to display identity objects from Splunk.
SSDeepReputation	Calculate ssdeep reputation based on similar files (by ssdeep similarity) on the system.
SSDeepSimilarity	This script finds similar files that can be related to each other by fuzzy hash (SSDeep).
SSIMScoreWidget	This dynamic automation parses the SSIM results and presents it in the layout in color according to its score.
SSLVerifierV2	Use this automation to check for validity of your SSL certificate and get the time until expiration.
SSLVerifierV2_GenerateEmailBody	Generates the HTML needed for a formatted email to be sent using the outputs of !SSLVerifierV2, as part of the SSLVerifierV2 content pack.
SSLVerifierV2_ParseOutput	Parses the output from the !SSLVerifierV2 automation into a markdown table and separate context key . This automation uses the SSLVerifierV2 key by default, but a custom context key can be specified in the event extend-context is used with the SSLVerifierV2 automation. Option to specify whether to output certificates with an expiring, warning, or good status (or all at once). Option to specify whether or not to output the generated tables to the war room.
STA-FetchListContent	This script will get the Unusual Activity Group from "sta_unusual_activity_group" List.
STA-PostProcessing	Post processing script to remove the user from the Unusual Activity Group on Close Form.
StaticAnalyze	For phishing incidents, iterate on all attachments and run PE dump on each
StixCreator	Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.1 format.
StixParser	Parse STIX files to Cortex XSOAR indicators by clicking the Upload STIX File button.
StopScheduledTask	This stops the scheduled task whose ID is given in the taskID argument.
StopTimeToAssignOnOwnerChange	Stops the "Time To Assign" timer if the owner of the incident was changed.
StringContainsArray	Checks whether a substring or an array of substrings is within a string array(each item will be checked). Supports single strings as well. For example, for substrings ['a','b','c'] in a string 'a' the script will return true.
StringifyArray	Return the string encoded with JSON from the whole array
StringLength	Returns the length of the string passed as argument
StringReplace	Replaces regex match/es in string. Returns the string after replace was preformed.
Strings	Extract strings from a file with optional filter - similar to binutils strings command
StringSifter	This script runs the StringSifter ML tool for malware analysis and ranking of words. You can enter an entryID or string_text as input.
StringSimilarity	This automation calculates the similarity ratio between every string in 2 different arrays and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common).
StringToArray	Converts string to array. For example: `http://example.com/?score:1,4,time:55\` will be transformed to `["http://example.com/?score:1,4,time:55"]`.
StripAccentMarksFromString	Strip accent marks (diacritics) from a given string. For example: "Niño שָׁלוֹם Montréal اَلسَّلَامُ عَلَيْكُمْ‎" Will return: "Nino שלום Montreal السلام عليكم"
StripChars	Strip set of characters from prefix and/or suffix e.g. StripChar value=~!!~www.mydomain.com~!~!~ chars=!~ will return www.mydomain.com
SuggestBranchName	The script gets the pack name as input and suggests an available branch name, for example: pack name is "MyPack" the branch name will be "MyPack". If a branch with the name "MyPack" exists, the script return "MyPack_1".
SumList	Sums a List e.g. ["25", "10", "25"] => "60" This is an example for number transformer.
SummarizeEmailThreads	Dynamic-section script for 'Email Threads' layout. This script searches for email threads stored in the Incident context and outputs a table summarizing them.
TagIndicatorButton	This is a wrapper around the setIndicators script.
TaniumFilterComputersByIndexQueryFileDetails	Deprecated. Use tn-ask-question instead.
TAXII2ApiModule	Common TAXII 2 code that will be appended into each TAXII 2 integration when it's deployed.
TextFromHTML	Extract regular text from the given HTML.
ThreatIntelManagementGetIncidentsPerFeed	Total number of incidents per OOTB feed. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
ThreatstreamBuildIocImportJson	Builds A JSON array based on the values provided by the user for the 'threatstream-import-indicator-without-approval' command.
ThreeDigitAlphaCountryCodeToCountryName	Script for converting country names based on 3 letter Alpha codes.
ticksToTime	Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft.
TimeComponents	Takes a date or time input and get time components in a specific time zone. Returns a dictionary with the following components. - year - year_4_digit - month - month_3_letter - month_full_name - month_2_digit - day - day_2_digit - day_of_week (Sun:0, Sat:6) - day_of_week_3_letter - day_of_week_full_name - day_of_year - day_of_year_3_digit - hour - hour_12_clock - hour_2_digit_24_clock - hour_2_digit_12_clock - hour_of_day - minute - minute_2_digit - minute_of_day - second - second_2_digit - second_of_day - millisecond - period_12_clock - time_zone_hhmm - time_zone_offset - time_zone_abbreviations - unix_epoch_time - iso_8601 - y-m-d - yyyy-mm-dd - hⓂ️s - HⓂ️s - hh:mm:ss - HH:mm:ss.
TimersOnOwnerChange	Stops the "Time To Assignment" timer once an owner is assigned to the Incident Starts the "Remediation SLA' timer once an owner is assigned to the Incident
TimeStampCompare	Compares a single timestamp to a list of timestamps.
TimeStampToDate	Converts UNIX Epoch time stamp to a simplified extended ISO format string. Use it to convert time stamp to Demisto date field e.g. 1525006939 will return '2018-04-29T13:02:19.000Z'
TimeToNextShift	Retrieves the time left until the next shift begins.
TopMaliciousRatioIndicators	Find the top malicious ratio indicators. Malicious ratio is defined by the ratio between the number of "bad" incidents divided by the number of total number of incidents that the indicators appears in.
ToTable	Convert an array to a nice table display. Usually, from the context.
TransformIndicatorToCSFalconIOC	Transform an indicator in Cortex into a CrowdStrike Falcon IOC. The output (found at the TransformIndicatorToCSFalconIOC.JsonOutput context path) is a JSON, which represents the indicators in CrowdStrike Falcon format. This JSON can be used as the input for the cs-falcon-batch-upload-custom-ioc command.
TransformIndicatorToMSDefenderIOC	Transform a XSOAR indicator into a Microsoft Defender for Endpoint IOC. The output (at TransformIndicatorToMSDefenderIOC.JsonOutput) is a json representation of the indicators in MSDE format. This json can be the input for the microsoft-atp-indicator-batch-update command.
TrendmicroAlertStatus	Deprecated. No available replacement.
TrendmicroAntiMalwareEventRetrieve	Deprecated. No available replacement.
TrendMicroClassifier	Deprecated. No available replacement.
TrendMicroGetHostID	Deprecated. No available replacement.
TrendMicroGetPolicyID	Deprecated. No available replacement.
TrendmicroHostAntimalwareScan	Deprecated. No available replacement.
TrendmicroHostRetrieveAll	Deprecated. No available replacement.
TrendmicroSecurityProfileAssignToHost	Deprecated. No available replacement.
TrendmicroSecurityProfileRetrieveAll	Deprecated. No available replacement.
TrendmicroSystemEventRetrieve	Deprecated. No available replacement.
TroubleshootAggregateResults	Collects all results from previous tasks. (Available from Cortex XSOAR 5.0.0.)
TroubleshootCloseAlertsByQuery	Closes alerts by receiving a list of alert IDs and executing the closure process for each.
TroubleshootExecuteCommand	Executes a command in Cortex XSOAR in debug mode and pulls logs from the command execution.
TroubleshootExecutePlaybookByAlertQuery	Retrieves alerts based on a given query and filter arguments. It provides two operational modes: 1. Trigger Associated Playbooks: If no specific playbook is provided, the script automatically triggers the playbook that is individually associated with each alert found. 2. Override Playbook: If a specific playbook ID or name is provided, the script overrides the default playbooks of all matching alerts and uniformly applies the specified playbook to each one. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
TroubleshootGetCommandandArgs	Gets a command with its arguments, validates the command and the arguments, and then parses it to use in the Cortex XSOAR context.
TroubleshootGetInstanceParameters	Gets an instance's configuration parameters in order to troubleshoot the instance.
TroubleshootInstanceField	Populates the InstanceName field with active instances.
TroubleshootIsDockerImageExists	Gets a Docker image and checks if it exists on the machine running Cortex XSOAR.
TroubleshootTestInstance	Click the "Test" button and return if the test failed.
UnEscapeIPs	Remove escaping chars from IP 127[.]0[.]0[.]1 -> 127.0.0.1
UnEscapeURLs	Extract URLs redirected by security tools like Proofpoint. Changes https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_something.html -> https://example.com/something.html Also, un-escape URLs that are escaped for safety with formats like hxxps://www[.]demisto[.]com
UnitTest	Provides for automated testing of automations, playbooks, and sub-playbooks.
UnitTestCase
UnitTestCasePrep
UnitTestLoadContextList
UnitTestLoadFieldsList
UnitTestPlaybookAnalyzer	Profiles execution time of tasks in a playbook or sub-playbook (if specified). Provides minimum, maximum, and average task execution times in milliseconds as well as the state of each task: completed, error, notexecuted, started, and waiting.
UnitTestResults
UnPackFile	Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. supported types are: 7z (.7z), ACE (.ace), ALZIP (.alz), AR (.a), ARC (.arc), ARJ (.arj), BZIP2 (.bz2), CAB (.cab), compress (.Z), CPIO (.cpio), DEB (.deb), DMS (.dms), GZIP (.gz), LRZIP (.lrz), LZH (.lha, .lzh), LZIP (.lz), LZMA (.lzma), LZOP (.lzo), RPM (.rpm), RAR (.rar), RZIP (.rz), TAR (.tar), XZ (.xz), ZIP (.zip, .jar) and ZOO (.zoo)
UnpublishThreatIntelReport	Sets a Threat Intel Report as unpublished.
UnzipFile	Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context.
UnzipGZFile	Unzip a gz file and upload to war room
UpdateSecuronixIncidentStatus	Update the status of the Securonix incident using the configuration provided in integration configuration.
UpgradeCheck	Check content pack upgrade impacts and display changes. Packs argument is comma separated list of content pack names, or blank for all content packs to assess.
UploadFile	Copies a file from this incident to the specified incident. The file is recorded as an entry in the specified incident’s War Room.
URLDecode	Converts https:%2F%2Fexample.com into https://example.com
URLEncode	Encodes a URL string by replacing special characters in the string using the %xx escape. For example: https://example.com converts to https:%2F%2Fexample.com.
URLNumberOfAds	Fetches the numbers of ads in the given url.
URLReputation	A context script for URL entities.
UrlscanGetHttpTransactions	Deprecated. No available replacement.
URLSSLVerification	Verify URL SSL certificate.
UserEnrichAD	Deprecated. Use ADGetUser instead.
UtilAnyResults	Utility script to use in playbooks - returns "yes" if the input is non-empty.
ValidateContent	Runs validation and linting using the Demisto SDK on content items, such as integrations, automations and content packs. This automation script is used as part of the content validation that runs as part of the contribution flow.
varonis-alert-post-processing	Varonis alert post processing script to set the alert status to closed when an incident is closed.
VectraDetectAddNotesInLayouts	This script allows to add Entity notes in the layout.
VectraDetectCloseDuplicateIncidents	This script closes duplicate incidents in XSOAR while resolving the assignment for the corresponding Vectra entity.
VectraDetectDisplayDetections	This script enables the display of detection details, available in the context, in the form of a markdown table.
VectraXDRAddNotesInLayout	This script allows to add Entity notes in the layout.
VectraXDRDisplayEntityDetections	This script enables the display of detection details, available in the context, in the form of a markdown table.
VectraXDRSyncEntityAssignment	Sync Entity Assignment details from the Vectra platform.
VectraXDRSyncEntityDetections	Sync Entity detection details from the Vectra platform.
VerdictResult	This widget displays the incident verdict or the alert verdict based on the 'incident.verdict' or 'alert.verdict' field.
VerifyCIDR	Verify that the CIDRs are valid.
VerifyEnoughIncidents	Check whether a given query returns enough incidents.
VerifyHumanReadableContains	Verify given entry contains a string
VerifyIntegrationHealth	Checks for existing errors in a given integration.
VerifyIPv4Indicator	Verify that the address is a valid IPv4 address.
VerifyIPv6Indicator	Verify that the address is a valid IPv6 address.
VerifyJSON	Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet.
VerifyObjectFieldsList	Verifies that a given object includes all the given fields.
VersionEqualTo	Tests whether left side version number is equal to right side version number. Version numbers need to have at least a major and minor version component to be considered valid. E.g. 1.0
VersionGreaterThan	Tests whether left side version number is greater than right side version number. Version numbers need to have at least a major and minor version component to be considered valid. E.g. 1.0
VersionLessThan	Tests whether left side version number is less than right side version number. Version numbers need to have at least a major and minor version component to be considered valid. E.g. 1.0
VolApihooks	Volatility script for command apihooks
Volatility	Deprecated. No available replacement.
VolConnscan	Volatility script for command connscan
VolDlllist	Volatility script for command ldrmodules
VolGetProcWithMalNetConn	Volatility script for getting the list of processes that have connections to ip address with bad reputation.
VolImageinfo	Volatility script for command imageinfo
VolJson	Execute volatility with command and file as parameters and return output as json.
VolLDRModules	Volatility script for command ldrmodules
VolMalfind	Volatility script for command ldrmodules
VolMalfindDumpAgent	Volatility script for command ldrmodules
VolNetworkConnections	Volatility script for finding all the network connections. This script runs through different commands based on the profile provided.
VolPSList	Volatility script for command pslist
VolRaw	Execute volatility with command and file as parameters and returns raw output from stdout.
VolRunCmds	Execute volatility with command and return tabular output. Incase where proper json output is not supported, scripts returns error. User should use raw command.
WaitAndCompleteTask	Wait and complete tasks by given status. Used for test playbooks.
WaitForKey	A simple loop to inspect the context for a specific key. If the key is not found after "iterations" loops, the script exits with a message.
WebScraper	An Automation Script to Web Scrap a URL or HTML Page.
WhereFieldEquals	Return all items from the list where their given 'field' attribute is equal to 'equalTo' argument E.g. !WhereFieldEquals with the following arguments: - value=[{ "name": "192.1,0.82", "type": "IP" }, { "name": "myFile.txt", "type": "File" }, { "name": "172.0.0.2", "type": "IP" }] - field='type' - equalTo='IP' - getField='name' Will return all items names where field 'type' equals 'IP' - ['192.1,0.82', '172.0.0.2'].
XBInfo	Deprecated. This script is deprecated. Use the Exabeam integration instead.
XBLockouts	Deprecated. This script is deprecated. Use the Exabeam integration instead.
XBNotable	Deprecated. This script is deprecated. Use the Exabeam integration instead.
XBTimeline	Deprecated. This script is deprecated. Use the Exabeam integration instead.
XBTriggeredRules	Deprecated. This script is deprecated. Use the Exabeam integration instead.
XBUser	Deprecated. This script is deprecated. Use the Exabeam integration instead.
XCloudAdditionalAlertInformationWidget	This script retrieves additional original alert information from the context.
XCloudIdentitiesWidget	This script retrieves the identity fields from the incident context.
XCloudProviderWidget	This script returns an HTML result of the cloud providers in the incident. The result will be displayed in the following font colors: AWS - red, GCP - green, Azure - blue.
XCloudRegionsPieWidget	XCLOUD dynamic section, showing the top ten regions types in a pie chart.
XCloudRelatedAlertsWidget	This script retrieves additional original alert information from the context.
XCloudResourcesPieWidget	XCLOUD dynamic section, showing the top ten resource types in a pie chart.
XDRConnectedEndpoints	The widget returns the number of the connected endpoints using xdr-get-endpoints command.
XDRDisconnectedEndpoints	The widget returns the number of the disconnected endpoints using xdr-get-endpoints command.
XMetrics
XMetricsTotal
XMetricsYear
XQLDSHelper
xsoar-ws-parse-context	To parse the context data after running xsoar-ws-get-action-status and resend emails to recipients who have not responded
XSOARAllEDLCheckerAutomation	Runs the xsoaredlchecker-get-edl command for all configured instances, and returns a consolidated output.
XSOARValueMetrics	Collects metrics for a time window and the top 20 incident types in that period. Creates a small CSV with four tables 1) All Incidents 2) Closed Incidents 3) Open Duration 4) SLA timer durations. The time window is expected to be a complete month specified by the "firstday" and "lastday" arguments. If partial months are used, the open durations and SLA metrics is the average of the last set of incidents found, while incident counts are incremented. The "slatimers" argument is a CSV list of custom SLA timer fields to include in the metrics. Example: slatimers="customsla1,customsla2,customsla3" The "filters" argument is a CSV list thats support the following field names to filter incidents on: status, notstatus, type, severity, owner: "severity" values are: unknown, information, low, medium, high, critical "status or notstatus" values are: pending, active, done, archive "type" is the name of a single incident type "owner" is the name of a single incident owner Example: filters ="type=typea,status=done,severity=high" If the "query" parameter is passed, the "filters" argument is ignored. The "query" parameter is a Lucene/Bleve search string in the incidents search box. The "query" string is used to select which incidents - do not specify any dates. These are controlled by the "firstday" and "lastday" parameters. If the "windowstart" and "windowend" parameters are passed with the name of timer fields, the duration is calculated from windowend.endDate - windowstart.startDate for the "UserWindow" SLA metric. The "mode" argument controls saving monthly statistics in this year's XSOAR list (a JSON object) as specified in the "thisyearlist" argument. The default mode is "increment" and expects the time windows for each query to be contiguous with no gaps or overlaps in the time window specified by the "firstday" and "lastday" arguments. If the time windows overlap, then incidents will be double counted. If there are gaps between time windows, then incidents may be missed. If the query needs to run and not update the saved statistics, use "mode=noupdate". In the event a month in the saved statistics becomes corrupted, this is corrected by using "mode=initialize" with the first day and the last day of the month to reset the values. The "computeduration" argument allows the overall incident open duration to be computed from the created and closed dates versus using the openDuration field. Set to "yes" to use computed duration. This is helpful when incidents do not have valid data in the openDuration field.
YaraScan	Performs a Yara scan on the specified files.
ZipFile	Zip a file and upload to war room.
ZipStrings	Joins values from two lists by index according to a given format.
ZoomApiModule	Common Zoom code that provides generic infrastructure, and will be appended to each Zoom integration when it is deployed.
ZoomAsk	Sends a message (question) to either user (in a direct message) or to a channel. The message includes predefined reply options. The response can also close a task (might be conditional) in a playbook.
ZTAPBuildTimeline	Deprecated. Comment ingestion simplified and audit log ingestion removed. No available replacement. Adds unmarked log/comment notes as evidence in the timeline.
ZTAPExtractFields	Extracts ZTAP fields into a format parsable to grab as indicators
ZTAPParseFields	Parses ZTAP event fields to display as key/value pairs in a dynamic table.
ZTAPParseLinks	Parses ZTAP external links to display in a dynamic table.
ZTAPViewTimeline	View notes only relating to ZTAP.

API Reference

Name	Description
Demisto Class	The object exposes a series of API methods which are used to retrieve and send data to the Cortex XSOAR Server.
Common Server Python	Common functions that will be appended to the code of each integration/script before being executed.

Content Release Notes

Additional archived release notes are available here.