Skip to main content

Darkfeed Threat hunting-research

This Playbook is part of the Sixgill Darkfeed - Annual Subscription Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Automatically discover and enrich indicators with the same actor and source as the triggering IOC. Search for and isolate any compromised endpoints and proactively block IOCs from entering your network.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Search Endpoints By Hash - Generic V2
  • Block Indicators - Generic v2
  • Entity Enrichment - Generic v2
  • Isolate Endpoint - Generic V2


This playbook does not use any integrations.


  • Set
  • SetAndHandleEmpty
  • SixgillSearchIndicators
  • ToTable


  • associateIndicatorToIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
FileFile hash (MD5, SHA-1, SHA-256) from DarkfeedFileOptional
URLURL from DarkfeedURLOptional
Maximum number of IOCsSet value to the maximum number of IOCs you would like returned in searches for items from the same source and same actor50Optional
Query time lookupSet value to the number of days back in searches for IOCs with the same source and same actor3 day agoOptional
IPIP address from DarkfeedIPOptional
Is automated endpoint isolation activated?Set "yes" if you would like to automatically isolate endpoints on which malicious indicators were detectednoOptional
Is automated blocking activated?Set "yes" if you would like to automatically block discovered malicious indicators.noOptional
DomainDomain from DarkfeedDomain.NameOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Darkfeed Threat hunting-research