Skip to main content

TIM - Process Indicators Against Approved Hash List

This Playbook is part of the TIM - Indicator Auto-Processing Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This playbook checks if file hash indicators exist in a Cortex XSOAR list. If the indicators exist in the list, they are tagged as approved_hash.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


  • FilterByList
  • SetAndHandleEmpty


  • appendIndicatorField

Playbook Inputs#

NameDescriptionDefault ValueRequired
ApprovedHashListA Cortex XSOAR list containing approved hash values. Hash indicators that appear in the list are tagged as approved.Optional
Indicator QueryIndicators matching the indicator query will be used as playbook inputOptional

Playbook Outputs#

HashesInApprovedListFile hashes that are found in the approved_hash list.string
HashesNotInApprovedListFile hashes that are not found in the approved_hash list.string

Playbook Image#

Playbook Image