- Index
- Packs
- Change Management
- Cortex Xpanse Pack
- Email Communication
- Endpoint Malware Investigation - Generic V2
- Ingesting Incidents
- Integrations and Incidents Health Check
- Malware Investigation and Response
- MITRE ATT&CK - Courses of Action
- Palo Alto Networks Cortex XDR - Investigation and Response
- PAN-OS Policy Optimizer
- Phishing Alerts
- Phishing Campaign
- Prepare your instance for Capture The Flag
- Prisma Cloud
- QRadar
- Ransomware
- Rapid Breach Response
- Shift Management
- System Diagnostics and Health Check
- Windows Forensics
- XSOAR CI/CD
- XSOAR Content Update Notifications
- Integrations
- 1Password
- 1Touch.io's Inventa Connector
- Abnormal Security
- Abnormal Security Event Collector
- Absolute
- abuse.ch SSL Blacklist Feed
- AbuseIPDB
- Acalvio ShadowPlex
- Accenture CTI (Deprecated)
- Accessdata (Deprecated)
- ACTI Feed (Deprecated)
- ACTI Indicator Feed
- ACTI Indicator Query
- ACTI Vulnerability Query
- Active Directory Authentication
- Active Directory Query v2
- ActiveMQ
- Aella Star Light
- Agari Phishing Defense
- Aha
- Akamai WAF
- Akamai WAF SIEM
- Alexa Rank Indicator (Deprecated)
- Alexa Rank Indicator v2 (Deprecated)
- AlgoSec
- Alibaba Action Trail Event Collector
- AlienVault OTX TAXII Feed
- AlienVault OTX v2
- AlienVault Reputation Feed
- AlienVault USM Anywhere
- AlphaSOC Network Behavior Analytics
- AlphaSOC Wisdom
- AlphaVantage
- Amazon DynamoDB
- Amazon Security Lake
- AMP
- Analyst1
- Anomali Match
- Anomali ThreatStream (Deprecated)
- Anomali ThreatStream v2 (Deprecated)
- Anomali ThreatStream v3
- Ansible ACME
- Ansible Alibaba Cloud
- Ansible Automation Platform
- Ansible Azure
- Ansible Cisco IOS
- Ansible Cisco NXOS
- Ansible DNS
- Ansible HCloud
- Ansible Kubernetes
- Ansible Microsoft Windows
- Ansible OpenSSL
- Ansible VMware
- ANY.RUN
- AnythingLLM
- APIVoid
- appNovi
- Arcanna.AI
- ArcSight ESM v2
- ArcSight Logger
- ArcSight XML (Deprecated)
- ArcusTeam
- Arduino
- ARIA Packet Intelligence
- Arkime
- Armis
- Armis Event Collector
- Armorblox
- AsanaConnect
- Ataya Harmony
- Atlassian Confluence Cloud
- Atlassian Confluence Server
- Atlassian IAM
- Atlassian Jira Service Management
- Atlassian Jira v2 (Deprecated)
- Atlassian Jira v3
- AttackIQ Platform
- Attivo Botsink
- AutoFocus Daily Feed (Deprecated)
- AutoFocus Feed
- AutoFocus Tags Feed (Deprecated)
- Automox
- Awake Security
- AWS - AccessAnalyzer
- AWS - ACM
- AWS - Athena
- AWS - CloudTrail
- AWS - CloudWatchLogs
- AWS - EC2
- AWS - GuardDuty
- AWS - GuardDuty Event Collector
- AWS - IAM (user lifecycle management)
- AWS - IAM Identity Center
- AWS - Identity and Access Management
- AWS - Lambda
- AWS - Organizations
- AWS - Route53
- AWS - S3
- AWS - Security Hub
- AWS - SNS
- AWS - SQS
- AWS - System Manager
- AWS Feed
- AWS Network Firewall
- AWS Sagemaker
- Aws Secrets Manager
- AWS Security Hub Event Collector
- AWS Simple Notification Service (AWS SNS)
- AWS-EKS
- AWS-SNS-Listener
- AWS-WAF
- Axonius
- Azure Active Directory Applications
- Azure Active Directory Groups
- Azure Active Directory Identity And Access
- Azure Active Directory Identity Protection (Deprecated)
- Azure Active Directory Users
- Azure AD Connect Health Feed
- Azure Compute v2
- Azure Data Explorer
- Azure Feed
- Azure Firewall
- Azure Key Vault
- Azure Kubernetes Services
- Azure Log Analytics
- Azure Network Security Groups
- Azure Resource Graph
- Azure Risky Users
- Azure SQL Management
- Azure Storage Container
- Azure Storage FileShare
- Azure Storage Management
- Azure Storage Queue
- Azure Storage Table
- Azure Web Application Firewall
- AzureDevOps
- Bambenek Consulting Feed
- Barracuda Reputation Block List (BRBL)
- Bastille Networks
- BeyondTrust - Authorization Requests
- BeyondTrust Password Safe
- BigFix
- Binalyze AIR
- Bitbucket
- BitcoinAbuse Feed (Deprecated)
- BitDam
- Bitsight for Security Performance Management
- Bitwarden Password Manager
- Blocklist_de Feed
- BloodHoundEnterprise
- Bluecat Address Manager
- Blueliv ThreatCompass
- Blueliv ThreatContext
- BMC Discovery
- BMC Helix ITSM
- BMC Helix Remedyforce
- BMC Remedy AR
- Bonusly
- Box (Deprecated)
- Box Event Collector
- Box v2
- BreachRx
- BruteForceBlocker Feed
- C2sec irisk
- Cado Response
- Camlytics
- Carbon Black Endpoint Standard Event Collector
- Carbon Black Endpoint Standard v2
- Carbon Black Endpoint Standard v3
- Carbon Black Enterprise EDR
- Carbon Black Live Response Cloud
- Celonis
- Censys v2
- Centreon
- Centrify Vault
- Check Point Dome9 (CloudGuard)
- Check Point Firewall (Deprecated)
- Check Point Harmony Email and Collaboration (HEC)
- Check Point Harmony Endpoint
- Check Point Network Detection and Response (Infinity NDR)
- Check Point Threat Emulation (SandBlast)
- CheckPhish
- CheckPoint Firewall v2
- Cherwell
- Chronicle
- Chronicle Streaming API
- CimTrak - System Integrity Assurance
- CIRCL
- CIRCL CVE Search
- CircleCI
- CIRCLEHashlookup
- Cisco AMP (Deprecated)
- Cisco AMP Event Collector
- Cisco AMP v2
- Cisco ASA
- Cisco Email Security Appliance (IronPort) (Deprecated)
- Cisco ESA
- Cisco Firepower
- Cisco ISE
- Cisco Meraki (Deprecated)
- Cisco Meraki v2
- Cisco Secure Cloud Analytics (Stealthwatch Cloud)
- Cisco Secure Malware Analytics (Threat Grid) v2
- Cisco Secure Malware Analytics Feed
- Cisco Secure Network Analytics (Stealthwatch)
- Cisco Security Management Appliance
- Cisco ThousandEyes
- Cisco Threat Grid (Deprecated)
- Cisco Umbrella Cloud Security (Deprecated)
- Cisco Umbrella Cloud Security v2
- Cisco Umbrella Enforcement
- Cisco Umbrella Investigate
- Cisco Umbrella Reporting
- Cisco Webex Event Collector
- Cisco Webex Feed
- Cisco Webex Teams
- Cisco WSA v2
- CiscoEmailSecurity (Beta) (Deprecated)
- CiscoWSA (Deprecated)
- Clarizen IAM
- Claroty
- ClickSend
- Cloaken
- CloudConvert
- Cloudflare Feed
- Cloudflare WAF
- Cloudflare Zero Trust
- CloudShare (Beta)
- CloudShark
- Code42
- Code42 Event Collector
- Cofense Feed
- Cofense Intelligence (Deprecated)
- Cofense Intelligence v2
- Cofense Triage (Deprecated)
- Cofense Triage v2
- Cofense Triage v3
- Cofense Vision
- Cognni
- Cohesity Helios Event Collector
- CohesityHelios
- Commvault Cloud
- ConcentricAI
- Confluera
- Coralogix
- Core Lock
- Core REST API
- Cortex Attack Surface Management
- Cortex XDR - IOC
- Cortex XDR - IR CTF
- Cortex XDR - XQL Query Engine
- Cortex Xpanse
- Cortex Xpanse Legacy (Deprecated)
- CounterCraft Deception Director
- CounterTack
- Covalence For Security Providers
- Covalence Managed Security
- Create Test Incidents
- CrowdSec
- CrowdStrike Falcon
- CrowdStrike Falcon Intel (Deprecated)
- CrowdStrike Falcon Intel Feed Actors
- CrowdStrike Falcon Intel v2
- CrowdStrike Falcon Intelligence Sandbox
- CrowdStrike Falcon Sandbox (Deprecated)
- CrowdStrike Falcon Sandbox v2 (Hybrid-Analysis)
- CrowdStrike Falcon Streaming v2
- CrowdStrike Indicator Feed
- CrowdStrike Malquery
- CrowdStrike OpenAPI (Beta)
- Cryptocurrency
- Cryptosim
- CSCDomainManager
- CSV Feed
- CTIX v3
- CTM360 CyberBlindspot
- CTM360 HackerView
- Cuckoo Sandbox
- CustomIndicatorDemo
- CVE Search v2 (Deprecated)
- CybelAngel
- Cyber Triage
- CyberArk AIM (Deprecated)
- CyberArk AIM v2
- CyberArk EPM Event Collector
- CyberArk Identity Event Collector
- CyberArk PAS
- CyberChef
- Cybereason
- Cyberint Alerts
- Cyberint Feed
- Cyberpion
- Cybersixgill Actionable Alerts
- Cybersixgill DVE Enrichment
- Cybersixgill DVE Feed Threat Intelligence (Deprecated)
- Cybersixgill DVE Feed Threat Intelligence v2
- CyberTotal
- Cyberwatch
- Cyble Events
- Cyble Threat Intel
- CybleEvents v2
- CyCognito
- CyCognito Feed
- Cyjax Feed
- Cylance Protect v2
- Cymptom
- Cymulate
- Cymulate v2
- Cyren Inbox Security
- Cyren Threat InDepth Threat Intelligence Feed
- Cyware Threat Intelligence eXchange
- Darktrace (Deprecated)
- Darktrace Admin
- Darktrace AI Analyst
- Darktrace ASM
- Darktrace Event Collector
- Darktrace Model Breaches
- DataBee
- Datadog Cloud SIEM
- Dataminr Pulse
- DB2
- DeCYFIR
- DeCYFIR Indicators & Threat Intelligence Feed
- Deep Instinct
- DeepInstinct v3
- DeepL
- DeHashed
- DelineaDSV
- DelineaSS
- Dell Secureworks
- Demisto Lock
- Demisto REST API (Deprecated)
- Devo (Deprecated)
- Devo v2
- DHS Feed
- DHS Feed v2
- Digital Defense FrontlineVM
- Digital Guardian
- Digital Guardian ARC Event Collector
- Digital Shadows
- Discord
- DNSOverHttps
- dnstwist
- Docker Engine API
- DomainTools (Deprecated)
- DomainTools Iris
- DomainTools Iris Detect
- Dragos Worldview
- Drift
- Dropbox Event Collector
- Druva Event Collector
- Druva Ransomware Response
- DShield Feed
- Duo
- DUO Admin
- Duo Event Collector
- DuoAuth
- EasyVista
- EclecticIQ Intelligence Center v3
- EclecticIQ Platform (Deprecated)
- EclecticIQ Platform v2 (Deprecated)
- Edgescan
- EDL Monitor
- Elasticsearch Feed
- Elasticsearch v2
- Email Hippo
- EmailRep.io
- Endace
- Envoy IAM
- EWS Extension Online Powershell v2 (Deprecated)
- EWS Extension Online Powershell v3
- EWS Mail Sender (Deprecated)
- EWS O365
- EWS v2
- Exabeam Advanced Analytics
- Exabeam Data Lake
- Exabeam Security Operations Platform
- ExceedLMS IAM
- Exchange 2016 Compliance Search (Deprecated)
- Exodus Intelligence Vulnerabilities
- Expanse (Deprecated)
- Expanse Expander Feed (Deprecated)
- Export Indicators Service (Deprecated)
- Exterro FTK
- ExtraHop Reveal(x)
- F5 Application Security Manager (WAF)
- F5 firewall
- F5 LTM
- F5 Silverline
- FalconHost (Deprecated)
- Farsight DNSDB
- Farsight DNSDB v2
- Fastly Feed
- Feed MISP Threat Actors
- FeedDomainTools
- Feedly Feed
- Feodo Tracker IP Blocklist Feed
- Fidelis EDR
- Fidelis Elevate Network
- FileOrbis
- FireEye (AX Series)
- FireEye Central Management
- FireEye Detection on Demand
- FireEye Email Security
- FireEye Endpoint Security (HX) v2
- FireEye ETP
- FireEye ETP Event Collector
- FireEye Feed
- FireEye Helix
- FireEye HX (Deprecated)
- FireEye HX Event Collector
- FireEye iSIGHT
- FireEye NX
- FireMon Security Manager
- Flashpoint (Deprecated)
- Flashpoint Feed (Deprecated)
- Flashpoint Ignite
- Flashpoint Ignite Feed
- Forcepoint DLP Event Collector (Beta)
- Forcepoint Security Management Center
- Forcepoint Web Security
- Forescout CounterACT
- Forescout EyeInspect
- Fortanix DSM
- FortiAuthenticator
- FortiGate
- FortiMail
- FortiManager
- FortiSandbox (Deprecated)
- FortiSandbox v2
- FortiSIEM
- FortiSIEM v2
- Fortiweb VM
- FraudWatch
- Freshdesk
- Freshworks Freshservice
- FTP
- FullHunt
- G Suite Auditor
- G Suite Security Alert Center
- Gamma
- GCenter
- GCenter 103
- GCP Whitelist Feed (Deprecated)
- GCP-IAM
- Gem
- Generic API Event Collector (Beta)
- Generic Export Indicators Service
- Generic SQL
- Generic Webhook
- Genetec Security Center Event Collector
- Genians
- Gigamon ThreatINSIGHT
- Giphy
- GitGuardian Event Collector
- GitHub
- Github Event Collector
- Github Feed
- GitHub IAM
- Github Maltrail Feed
- GitLab (Deprecated)
- GitLab Event Collector
- GitLab v2
- GLIMPS Detect
- GLPI
- Gmail
- Gmail Single User
- Google Apigee
- Google BigQuery
- Google Calendar
- Google Chat via Webhook
- Google Cloud Compute
- Google Cloud Functions
- Google Cloud Logging
- Google Cloud Pub/Sub
- Google Cloud SCC
- Google Cloud Storage
- Google Cloud Translate
- Google Docs
- Google Dorking
- Google Drive
- Google IP Ranges Feed
- Google Key Management Service
- Google Kubernetes Engine
- Google Maps
- Google Resource Manager
- Google Safe Browsing (Deprecated)
- Google Safe Browsing v2
- Google Sheets
- Google Threat Intelligence
- Google Threat Intelligence IoC Stream Feed
- Google Threat Intelligence Threat Lists
- Google Vault
- Google Vertex AI
- Google Vision AI
- Google Workspace Admin
- GoogleApps API and G Suite
- Gophish
- Grafana
- GraphQL
- Graylog
- GreatHorn
- GreyNoise
- GreyNoise Community
- GreyNoise Indicator Feed
- Group-IB THF Polygon
- Group-IB Threat Intelligence
- Group-IB Threat Intelligence Feed
- GRR
- GuardiCore (Deprecated)
- GuardiCore v2
- Gurucul-GRA
- HackerOne
- Hackuity
- HarfangLab EDR
- HashiCorp Terraform
- HashiCorp Vault
- Hatching Triage
- Have I Been Pwned? v2
- Hello World IAM
- HelloWorld
- HelloWorld Event Collector
- HelloWorld Feed
- HostIo
- Hoxhunt (Deprecated)
- Hoxhunt v2
- HPE Aruba Central Event Collector
- HPE Aruba ClearPass
- Hudsonrock
- Humio
- HYAS Insight
- HYAS Protect
- Hybrid Analysis (Deprecated)
- IBM MaaS360 Security
- IBM QRadar (Deprecated)
- IBM QRadar v2 (Deprecated)
- IBM QRadar v3
- IBM Security QRadar SOAR
- IBM Security Verify
- IBM X-Force Exchange v2
- iboss
- Icebrg
- iDefense (Deprecated)
- iLert
- illuminate (Deprecated)
- Illumio Core
- IllusiveNetworks
- Image OCR
- Impartner
- Imperva Incapsula
- Imperva Skyfence
- Imperva WAF
- Indeni
- Indicators detection
- Infinipoint
- InfoArmor VigilanteATI
- Infoblox
- Infoblox BloxOne Threat Defense
- Infoblox BloxOne Threat Defense Event Collector
- Infocyte
- Intel471 Actors Feed (Deprecated)
- Intel471 Malware Feed (Deprecated)
- Intel471 Malware Indicator Feed
- Intel471 Watcher Alerts
- Intezer v2
- IntSights (Deprecated)
- Investigation & Response
- IP-API
- IP2LocationIO
- ipinfo (Deprecated)
- IPinfo v2
- IPQualityScore
- ipstack
- IRIS DFIR
- IronDefense
- Ironscales
- Ironscales Event Collector
- IsItPhishing
- Ivanti Heat
- Ja3er
- Jamf Protect Event Collector
- JAMF v2
- JARM
- Jask (Deprecated)
- Jira Event Collector
- JizoM
- Joe Security (Deprecated)
- Joe Security v2
- JSON Feed
- JSON Sample Incident Generator
- JsonWhoIs
- JWT
- Kafka v2 (Deprecated)
- Kafka v3
- Kali Dog Security CertStream
- Kaspersky Security Center (Beta)
- Keeper Secrets Manager
- Keeper Security
- Kenna v2
- KnowBe4 KMSAT Event Collector
- KnowBe4KMSAT
- Koodous
- Lacework
- Lansweeper
- LastInfoSec
- Lastline v2
- LDAP Authentication
- LGTM
- LINENotify
- Linkshadow
- Linux
- Lockpath KeyLight v2
- LogPoint SIEM Integration
- LogRhythm (Deprecated)
- LogRhythmRest
- LogRhythmRest v2
- LogsignSiem
- Logz.io
- LOLBAS Feed
- Looker
- Luminar IOCs & leaked credentials
- Lumu
- MAC Vendors
- Mail Listener v2
- Mail Sender (New)
- MailListener - POP3
- Majestic Million Feed
- Maltiverse
- MalwareBazaar
- MalwareBazaar Feed
- Malwarebytes
- Malwation AIMA (Deprecated)
- ManageEngine PAM360
- Mandiant Advantage Feed (Deprecated)
- Mandiant Advantage Threat Intelligence
- Mandiant Attack Surface Management
- Mandiant Automated Defense (Formerly Respond Software)
- Mandiant Enrich
- Mandiant Feed
- Mantis
- Mattermost
- Mattermost v2
- MaxMind GeoIP2
- McAfee Active Response
- McAfee Advanced Threat Defense
- McAfee DAM
- McAfee DXL
- McAfee ePO (Deprecated)
- McAfee ePO v2
- McAfee ESM v10 and v11 (Deprecated)
- McAfee ESM v2
- McAfee NSM (Deprecated)
- McAfee NSM v2
- McAfee Threat Intelligence Exchange (Deprecated)
- McAfee Threat Intelligence Exchange v2
- McAfee Web Gateway (Deprecated)
- MetaDefender Sandbox
- Micro Focus Service Manager
- MicroFocus SMAX
- Microsoft 365 Defender
- Microsoft Advanced Threat Analytics (Deprecated)
- Microsoft Defender for Cloud
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Cloud Apps Event Collector
- Microsoft Defender for Cloud Event Collector
- Microsoft Defender for Endpoint
- Microsoft Defender for Endpoint Alerts (Deprecated)
- Microsoft Endpoint Configuration Manager
- Microsoft Endpoint Manager (Intune)
- Microsoft Graph API
- Microsoft Graph Mail Single User
- Microsoft Graph Search
- Microsoft Graph Security
- Microsoft Intune Feed
- Microsoft Management Activity API (O365 Azure Events)
- Microsoft Policy And Compliance (Audit Log)
- Microsoft Sentinel
- Microsoft Teams
- Microsoft Teams Management
- Microsoft Teams via Webhook
- Mimecast Event Collector
- Mimecast v2
- Minerva Labs Anti-Evasion Platform
- MinIO
- MISP Feed
- MISP v2 (Deprecated)
- MISP v3
- MITRE ATT&CK
- MITRE IDs Feed (Deprecated)
- MitreCaldera
- mnemonic MDR - Argus Managed Defence
- MobileIronCLOUD
- MobileIronCORE
- Moloch (Deprecated)
- MongoDB
- MongoDB Atlas
- MongoDB Key Value Store
- MongoDB Log
- MS-ISAC
- MxToolBox
- National Vulnerability Database
- National Vulnerability Database Feed v2
- Ncurion
- Neosec
- Nessus
- NetBox Event Collector
- Netcraft
- Netcraft (Deprecated)
- Netmiko
- NetQuest OMX
- Netscout Arbor Edge Defense
- Netscout Arbor Sightline (Peakflow)
- Netskope (API v1)
- Netskope (API v2)
- Netskope (Deprecated)
- Netskope Event Collector
- Nexthink
- Nist NVD
- nmap
- Nozomi Networks
- NTT Cyber Threat Sensor
- NucleonCyberFeed
- Nutanix Hypervisor
- O365 - EWS - Extension (Deprecated)
- O365 - Security And Compliance - Content Search (Deprecated)
- O365 - Security And Compliance - Content Search v2
- O365 Defender SafeLinks
- O365 Defender SafeLinks - Single User (Deprecated)
- O365 File Management (Onedrive/Sharepoint/Teams)
- O365 Outlook Calendar
- O365 Outlook Mail (Using Graph API)
- O365 Teams (Using Graph API)
- OctoxLabs
- Office 365 Feed
- okta (Deprecated)
- Okta ASA
- Okta Auth0 Event Collector
- Okta Event Collector
- Okta IAM
- Okta v2
- Ollama
- OneLogin Event Collector
- OpenAI (Deprecated)
- OpenAI GPT
- OpenCTI
- OpenCTI Feed 3.X (Deprecated)
- OpenCTI Feed 4.X
- OpenCVE
- OpenPhish v2
- OPNSense
- OpsGenie (Deprecated)
- Opsgenie v2 (Deprecated)
- OpsGenie v3
- OPSWAT Filescan Sandbox (Deprecated)
- OPSWAT-Metadefender v2
- Oracle Cloud Infrastructure Event Collector
- Oracle Cloud Infrastructure Feed
- Oracle IAM
- Orca
- Orca Event Collector
- ORKL Threat Intel Feed
- OSV
- OTRS
- Packetsled
- PagerDuty v2
- Palo Alto AutoFocus (Deprecated)
- Palo Alto Networks - Prisma Cloud Compute
- Palo Alto Networks - Strata Cloud Manager
- Palo Alto Networks AIOps
- Palo Alto Networks AutoFocus v2
- Palo Alto Networks Automatic SLR
- Palo Alto Networks BPA (Deprecated)
- Palo Alto Networks Cortex (Deprecated)
- Palo Alto Networks Cortex XDR - Investigation and Response
- Palo Alto Networks Enterprise DLP
- Palo Alto Networks IoT
- Palo Alto Networks IoT 3rd Party (Deprecated)
- Palo Alto Networks MineMeld (Deprecated)
- Palo Alto Networks PAN-OS
- Palo Alto Networks PAN-OS EDL Management (Deprecated)
- Palo Alto Networks Security Advisories (Beta)
- Palo Alto Networks Threat Vault (Deprecated)
- Palo Alto Networks Threat Vault v2
- Palo Alto Networks Threat Vault v2 Feed
- Palo Alto Networks Traps (Deprecated)
- Palo Alto Networks WildFire Reports
- Palo Alto Networks WildFire v2
- PAN-OS Policy Optimizer (Beta)
- PassiveTotal v2
- PAT HelpdeskAdvanced
- Penfield
- Pentera
- PerceptionPoint
- Perch
- PerimeterX BotDefender
- Phish.AI (Deprecated)
- PhishER
- PhishLabs IOC
- PhishLabs IOC DRP
- PhishLabs IOC EIR
- PhishTank v2
- PhishUp
- Picus Security
- Picus Security NG
- PiHole
- PingCastle
- PingOne
- Pipl
- Plain Text Feed
- Polar Security
- PolySwarm
- Popular News
- Postmark Spamcheck
- PowerShell Remoting (Beta)
- Preempt (Deprecated)
- Prisma Access
- Prisma Access Egress IP feed
- Prisma Cloud (RedLock) (Deprecated)
- Prisma Cloud DSPM
- Prisma Cloud v2
- PrismaCloud IAM
- Proofpoint Email Security Event Collector
- Proofpoint Feed
- Proofpoint Isolation
- Proofpoint Protection Server (Deprecated)
- Proofpoint Protection Server v2
- Proofpoint TAP v2
- Proofpoint Threat Protection
- Proofpoint Threat Response (Beta)
- Proofpoint Threat Response Event Collector
- ProtectWise
- Public DNS Feed
- Pulsedive
- Qintel PMI
- Qintel QSentry
- Qintel QWatch
- QR Code Reader - goqr.me
- QSS
- Qualys FIM
- Qualys VMDR
- Query.AI
- Quest KACE Systems Management Appliance (Beta)
- QutteraWebsiteMalwareScanner
- RaDark
- Rapid7 - Threat Command (IntSights)
- Rapid7 InsightIDR
- Rapid7 InsightVM
- Rapid7 InsightVM Cloud
- Rapid7AppSec
- Rasterize
- Reco
- Recorded Future (Deprecated)
- Recorded Future - Lists
- Recorded Future - Playbook Alerts
- Recorded Future Attack Surface Intelligence
- Recorded Future Event Collector
- Recorded Future Identity
- Recorded Future RiskList Feed
- Recorded Future v2
- Red Canary
- Redmine
- ReliaQuest GreyMatter DRP Event Collector
- ReliaQuest GreyMatter DRP Incidents
- Remedy On-Demand (Deprecated)
- remedy_sr_beta (Beta)
- Remote Access (Deprecated)
- RemoteAccess v2
- Resecurity Monitoring
- Retarus Secure Email Gateway
- ReversingLabs A1000 (Deprecated)
- ReversingLabs A1000 v2
- ReversingLabs Ransomware and Related Tools Feed
- ReversingLabs TitaniumCloud (Deprecated)
- ReversingLabs TitaniumCloud v2
- ReversingLabs TitaniumScale
- RiskIQ Digital Footprint
- RiskSense
- Roksit DNS Security (DNSSense)
- RSA Archer (Deprecated)
- RSA Archer v2
- RSA NetWitness Endpoint
- RSA NetWitness Packets and Logs
- RSA NetWitness Security Analytics
- RSA NetWitness v11.1 (Deprecated)
- RSANetWitness v11.5
- RSS Feed
- RST Cloud - Threat Feed API
- RTIR
- Rubrik Security Cloud
- Rundeck
- RunZero
- RunZero Event Collector
- SaaS Security
- SaaS Security Event Collector
- SafeBreach
- SafeBreach (Deprecated)
- SafeBreach v2 (Deprecated)
- Safewalk Management
- Safewalk Reports
- SailPoint IdentityIQ
- SailPoint IdentityNow
- SailPoint IdentityNow Event Collector
- Salesforce
- Salesforce Event Collector (Deprecated)
- Salesforce Fusion IAM
- Salesforce IAM
- Salesforce v2
- SAML 2.0
- SAML 2.0 - ADFS as IdP
- SAML 2.0 - Okta as IdP
- SAML 2.0 - PingOne as IdP
- SAP - IAM
- SCADAfence CNM
- Screenshot Machine
- SecBI
- SecneurX Analysis
- SecneurX Threat Feeds
- Security Intelligence Services Feed
- SecurityAdvisor (Deprecated)
- SecurityScorecard
- SecurityTrails
- Securonix
- Sekoia XDR
- SEKOIAIntelligenceCenter
- SendGrid
- SentinelOne Activity and Alerts
- SentinelOne v2
- Sepio
- Serenety
- Server Message Block (SMB) (Deprecated)
- Server Message Block (SMB) v2
- Service Desk Plus
- Service Desk Plus (On-Premise) (Deprecated)
- ServiceNow (Deprecated)
- ServiceNow CMDB
- ServiceNow Event Collector
- ServiceNow IAM
- ServiceNow v2
- ShiftLeft CORE
- Shodan v2
- Signal Sciences WAF
- Signum
- Silverfort
- Simple SFTP
- Single Connect
- Sixgill DarkFeed Enrichment
- Sixgill DarkFeed Threat Intelligence
- Skyformation (Deprecated)
- Skyhigh Secure Web Gateway (On Prem)
- Skyhigh Security
- Slack Event Collector
- Slack IAM
- Slack v2 (Deprecated)
- Slack v3
- SlashNext Phishing Incident Response
- SMIME Messaging
- Smokescreen IllusionBLACK
- SNDBOX (Deprecated)
- Snort IP Blocklist Feed
- Snowflake
- SOCRadar Incidents
- SOCRadar Threat Feed
- SOCRadar ThreatFusion
- SolarWinds
- Sophos Central
- Sophos Firewall
- Spamcop
- Spamhaus Feed
- SplunkPy
- SplunkPy Prerelease (Beta)
- SpurContextAPI
- SpyCloud
- SpyCloud Enterprise Protection Enrichment
- SpyCloud Enterprise Protection Feed
- SSL Labs
- Stairwell Inception
- Stamus
- Starter Base Integration - Name the integration as it will appear in the XSOAR UI
- Stellar Cyber
- Strata Logging Service XSOAR Connector
- Sumo Logic Cloud SIEM
- SumoLogic
- Symantec Advanced Threat Protection (Deprecated)
- Symantec Blue Coat Content and Malware Analysis (Beta)
- Symantec Cloud Secure Web Gateway Event Collector
- Symantec CloudSOC Event Collector
- Symantec Data Loss Prevention (Deprecated)
- Symantec Data Loss Prevention v2
- Symantec Email Security Cloud
- Symantec Endpoint Detection and Response (EDR) - On Prem
- Symantec Endpoint Protection v2
- Symantec Endpoint Security
- Symantec Endpoint Security (ICDM)
- Symantec Managed Security Services
- Symantec Management Center
- Symantec Messaging Gateway
- Synapse
- SysAid
- Syslog (Deprecated)
- Syslog Sender
- Syslog v2
- TaegisXDR (Deprecated)
- TaegisXDR v2
- Talos Feed
- Tanium (Deprecated)
- Tanium Threat Response
- Tanium Threat Response v2
- Tanium v2
- TAXII 2 Feed
- TAXII Feed
- TAXII Server
- TAXII2 Server
- Team Cymru
- Team Cymru Scout
- TeamViewer Event Collector
- Tenable Vulnerability Management (formerly Tenable.io)
- Tenable.sc
- Tessian
- Thales CipherTrust Manager
- Thales SafeNet Trusted Access
- Thales SafeNet Trusted Access Event Collector
- TheHive Project
- Thinkst Canary
- ThousandEyes
- Threat Crowd v2 (Deprecated)
- ThreatConnect (Deprecated)
- ThreatConnect Feed
- ThreatConnect v2 (Deprecated)
- ThreatConnect v3
- ThreatExchange (Deprecated)
- ThreatExchange v2
- ThreatFox Feed
- ThreatMiner
- ThreatQ v2
- ThreatX
- ThreatZone
- Thycotic (Deprecated)
- ThycoticDSV (Deprecated)
- Tidy
- TOPdesk
- Tor Exit Addresses Feed
- Traceable
- Trello
- Trend Micro Apex One
- Trend Micro Cloud App Security
- Trend Micro Deep Security
- Trend Micro Email Security Event Collector
- Trend Micro Vision One
- Trend Micro Vision One Event Collector
- Trend Micro Vision One V3.
- Tripwire
- TruSTAR (Deprecated)
- TruSTAR v2 (Deprecated)
- Trustwave Secure Email Gateway
- TrustwaveFusion
- Tufin
- Twilio
- Twinwave
- Twitter (Deprecated)
- Twitter v2
- TwitterIOCHunter Feed
- UBIRCH
- UltraMSG
- Unisys Stealth
- Unit 42 ATOMs Feed
- Unit 42 Feed (Deprecated)
- Unit 42 Intel Objects Feed
- Uptycs
- URLhaus
- URLhaus Feed
- urlscan.io
- USTA
- USTA Account Takeover Prevention
- USTA Stolen Credit Cards
- USTA Threat Stream IOC Feed
- Varonis Data Security Platform
- Varonis SaaS
- Vectra (Deprecated)
- Vectra AI Event Collector
- Vectra Detect
- Vectra v2 (Deprecated)
- Vectra XDR
- Veeam Backup & Replication REST API
- Veeam ONE REST API
- Venafi (Deprecated)
- Venafi TLS Protect
- Versa Director
- Vertica
- Viper
- VirusTotal (API v3)
- VirusTotal (Deprecated)
- VirusTotal - Premium (API v3)
- VirusTotal - Private API (Deprecated)
- VirusTotal Livehunt Feed
- VirusTotal Retrohunt Feed
- VMRay
- VMware
- VMware Carbon Black App Control v2
- VMware Carbon Black EDR (Deprecated)
- VMware Carbon Black EDR (Live Response API)
- VMware Carbon Black EDR v2
- VMware Carbon Black Endpoint Standard (Deprecated)
- VMware Workspace ONE UEM (AirWatch MDM)
- VulnDB
- WALLIX Bastion
- Web File Repository
- WhatIsMyBrowser
- Whois
- Windows Remote Management (Beta)
- WithSecure Event Collector
- Wiz
- Wolken ITSM
- WootCloud
- Wordpress
- Workday
- Workday Event Collector
- Workday IAM
- Workday IAM Event Generator (Beta)
- Workday Sign On Event Collector
- Workday Signon Event Generator (Beta)
- xDome
- XM Cyber
- xMatters
- Xpanse Feed
- XQL Query Engine
- XSOAR EDL Checker
- XSOAR Engineer Training
- XSOAR File Management
- XSOAR Mirroring
- XSOAR Storage
- XSOAR-Web-Server
- Xsoar_Utils
- Zabbix
- Zafran API
- Zendesk v2
- Zero Day Live TI FUSION Feed
- Zero Networks Segment
- ZeroFox
- Zerohack XDR
- ZeroTrustAnalyticsPlatform
- Zimperium
- Zimperium v2
- Zoom
- Zoom Event Collector
- Zoom Feed
- Zoom Mail
- Zoom_IAM
- Zscaler Internet Access
- Playbooks
- 3CXDesktopApp Supply Chain Attack
- A mail forwarding rule was configured in Google Workspace
- A Successful login from TOR
- A successful SSO sign-in from TOR
- A user executed multiple LDAP enumeration queries
- Abuse Inbox Management Detect & Respond
- Abuse Inbox Management Protection
- Access Investigation - Generic
- Access Investigation - Generic - NIST
- Access Investigation - QRadar
- Accessdata: Dump memory for malicious process
- Account Enrichment
- Account Enrichment - Generic
- Account Enrichment - Generic v2
- Account Enrichment - Generic v2.1
- Acquire And Analyze Host Forensics
- ACTI Block High Severity Indicators
- ACTI Block Indicators from an Incident
- ACTI Create Report-Indicator Associations
- ACTI Incident Enrichment
- ACTI Indicator Enrichment
- ACTI Report Enrichment
- ACTI Vulnerability Enrichment
- Active Directory - Get User Manager Details
- Active Directory Investigation
- Add Employees to Departing Employee Watchlist
- Add Employees to New Hire Watchlist
- Add Indicator to Miner - Palo Alto MineMeld
- Add IOCs - Cofense Vision
- Add Note - Vectra Detect
- Add Note - Vectra XDR
- Add Unknown Indicators To Inventory - RiskIQ Digital Footprint
- Agari Message Remediation - Agari Phishing Defense
- Akamai WAF - Activate Network Lists
- Alibaba ActionTrail - multiple unauthorized action attempts detected by a user
- Allow IP - Okta Zone
- Analyze File - Sandbox - ThreatZone
- Analyze File - Static Scan - ThreatZone
- Analyze URL - ReversingLabs TitaniumCloud
- Anomali Enterprise Forensic Search
- AppleScript Process Executed With Rare Command Line
- appNovi-MAC-Address-Lookup
- Arcanna-Generic-Investigation
- Arcanna-Generic-Investigation-V2-With-Feedback
- Archer initiate incident
- Arcsight - Get events related to the Case
- Armis Alert Enrichment
- Armorblox Needs Review
- Assess Wiz Issues
- Assign Active Incidents to Next Shift
- Assign Active Incidents to Next Shift V2
- Ataya - Securely logging device access to network
- ATD - Detonate File
- Auto Add Assets - RiskIQ Digital Footprint
- Auto Update Or Remove Assets - RiskIQ Digital Footprint
- Autofocus - File Indicators Hunting
- Autofocus - Hunting And Threat Detection
- Autofocus - Traffic Indicators Hunting
- Autofocus Query Samples, Sessions and Tags
- AutoFocusPolling
- AWS - Enrichment
- AWS - Package Upgrade
- AWS - Security Group Remediation
- AWS - Security Group Remediation v2
- AWS - Unclaimed S3 Bucket Remediation
- AWS - Unclaimed S3 Bucket Validation
- AWS - User Investigation
- AWS IAM - User enrichment
- AWS IAM User Access Investigation
- AWS IAM User Access Investigation - Remediation
- Azure - Enrichment
- Azure - Network Security Group Remediation
- Azure - User Investigation
- Azure AD account unlock or password reset
- Azure Log Analytics - Query From Saved Search
- Azure-DevOps-Pipeline-Run
- BeyondTrust Retrieve Credentials
- Block Account - Generic
- Block Account - Generic v2
- Block Domain - Cisco Stealthwatch
- Block Domain - External Dynamic List
- Block Domain - FireEye Email Security
- Block Domain - Generic
- Block Domain - Generic v2
- Block Domain - Proofpoint Threat Response
- Block Domain - Symantec Messaging Gateway
- Block Domain - Trend Micro Apex One
- Block Domain - Zscaler
- Block Email - Generic
- Block Email - Generic v2
- Block Endpoint - Carbon Black Response
- Block Endpoint - Carbon Black Response V2
- Block Endpoint - Carbon Black Response V2.1
- Block File - Carbon Black Response
- Block File - Cybereason
- Block File - Cylance Protect v2
- Block File - Generic
- Block File - Generic v2
- Block Indicators - Generic
- Block Indicators - Generic v2
- Block Indicators - Generic v3
- Block IOCs from CSV - External Dynamic List
- Block IP - Generic
- Block IP - Generic v2
- Block IP - Generic v3
- Block URL - Generic
- Block URL - Generic v2
- Bonusly - AutoGratitude
- BreachRx - Create Incident and get Active Tasks
- Brute Force Investigation - Generic
- Brute Force Investigation - Generic - SANS
- Bulk Export Devices to ServiceNow - PANW IoT 3rd Party Integration
- Bulk Export to Cisco ISE - PANW IoT 3rd Party Integration
- Bulk Export to SIEM - PANW IoT 3rd Party Integration
- C2SEC-Domain Scan
- Calculate Severity - 3rd-party integrations
- Calculate Severity - Cortex XDR Risky Assets
- Calculate Severity - Critical assets
- Calculate Severity - Critical Assets v2
- Calculate Severity - Generic
- Calculate Severity - Generic v2
- Calculate Severity - GreyNoise
- Calculate Severity - Indicators DBotScore
- Calculate Severity - Standard
- Calculate Severity By Email Authenticity
- Calculate Severity By Highest DBotScore
- Calculate Severity Highest DBotScore For Egress Network Traffic - GreyNoise
- Calculate Severity Highest DBotScore For Ingress Network Traffic - GreyNoise
- Caldera Operation
- California - Breach Notification
- Carbon Black EDR Search Process
- Carbon black Protection Rapid IOC Hunting
- Carbon Black Rapid IOC Hunting
- Carbon Black Response - Unisolate Endpoint
- Case Management - Generic
- Case Management - Generic - Send On Call Notification
- Case Management - Generic - Set SLAs based on Severity
- Case Management - Generic - Start SLA Timers
- Case Management - Generic v2
- Change Management
- Check For Content Installation
- Check Incydr Status and Close XSOAR Incident
- Check Indicators For Unknown Assets - RiskIQ Digital Footprint
- Check IP Address For Whitelisting - RiskIQ Digital Footprint
- Checkpoint - Block IP - Append Group
- Checkpoint - Block IP - Custom Block Rule
- Checkpoint - Block URL
- Checkpoint - Publish&Install configuration
- Checkpoint Firewall Configuration Backup Playbook
- CheckPointHEC Get email for incident
- ChronicleAsset Investigation - Chronicle
- ChronicleAssets Investigation And Remediation - Chronicle
- CimTrak - Example - Analyze Intrusion
- CimTrak - Example - Scan Compliance By IP
- Cisco FirePower- Append network group object
- Claroty Incident
- Claroty Manage Asset CVEs
- Cloaked Ursa Diplomatic Phishing Campaign
- Close All Duplicate XSOAR Incidents - Vectra Detect
- Close Duplicate XSOAR Incidents - Vectra Detect
- Close Related XSOAR and Incydr Incidents
- Cloud Compute Enrichment - Generic
- Cloud Credentials Rotation - AWS
- Cloud Credentials Rotation - Azure
- Cloud Credentials Rotation - GCP
- Cloud Credentials Rotation - Generic
- Cloud Data Exfiltration Response
- Cloud Enrichment - Generic
- Cloud IAM Enrichment - Generic
- Cloud IAM User Access Investigation
- Cloud IDS-IP Blacklist-GCP Firewall_Append
- Cloud IDS-IP Blacklist-GCP Firewall_Combine
- Cloud IDS-IP Blacklist-GCP Firewall_Extract
- Cloud Response - AWS
- Cloud Response - Azure
- Cloud Response - GCP
- Cloud Response - Generic
- Cloud Threat Hunting - Persistence
- Cloud Token Theft - Set Verdict
- Cloud Token Theft Response
- Cloud User Investigation - Generic
- CloudConvert - Convert File
- Cluster Report Categorization - Cofense Triage v3
- Code42 Add Departing Employee From Ticketing System v2
- Code42 Copy File To Ticketing System v2
- Code42 Exfiltration Playbook
- Code42 File Download
- Code42 File Search
- Code42 File Search v2
- Code42 Security Alert
- Code42 Suspicious Activity Action v2
- Code42 Suspicious Activity Review v2
- Codecov Breach - Bash Uploader
- Command-Line Analysis
- Commvault Suspicious File Activity Remediation
- Compare Process Execution Arguments To LOLBAS Patterns
- Compromise Accounts - User rejected numerous SSO MFA attempts
- Compromised Credentials Match - Flashpoint
- Configuration Setup
- Containment Plan
- Containment Plan - Block Indicators
- Containment Plan - Clear User Sessions
- Containment Plan - Disable Account
- Containment Plan - Isolate Device
- Containment Plan - Quarantine File
- Content Update Check
- Content Update Manager
- Context Polling - Generic
- Continuously Process Survey Responses
- Convert file hash to corresponding hashes
- Cortex ASM - Active Directory Enrichment
- Cortex ASM - ASM Alert
- Cortex ASM - AWS Enrichment
- Cortex ASM - Azure Enrichment
- Cortex ASM - Certificate Enrichment
- Cortex ASM - CMDB Enrichment
- Cortex ASM - Cortex Endpoint Enrichment
- Cortex ASM - Cortex Endpoint Remediation
- Cortex ASM - Decision
- Cortex ASM - Detect Service
- Cortex ASM - Domain Enrichment
- Cortex ASM - Email Notification
- Cortex ASM - Enrichment
- Cortex ASM - Extract IP Indicator
- Cortex ASM - GCP Enrichment
- Cortex ASM - Instant Message
- Cortex ASM - Jira Notification
- Cortex ASM - On Prem Enrichment
- Cortex ASM - On Prem Remediation
- Cortex ASM - Prisma Cloud Enrichment
- Cortex ASM - Qualys Enrichment
- Cortex ASM - Rapid7 Enrichment
- Cortex ASM - Remediation
- Cortex ASM - Remediation Confirmation Scan
- Cortex ASM - Remediation Guidance
- Cortex ASM - Remediation Objectives
- Cortex ASM - Remediation Path Rules
- Cortex ASM - Service Ownership
- Cortex ASM - ServiceNow CMDB Enrichment
- Cortex ASM - ServiceNow ITSM Enrichment
- Cortex ASM - ServiceNow Notification
- Cortex ASM - SNMP Check
- Cortex ASM - Splunk Enrichment
- Cortex ASM - Tenable.io Enrichment
- Cortex ASM - Vulnerability Management Enrichment
- Cortex VM - ServiceNow CMDB
- Cortex VM - Vulnerability Issue
- Cortex XDR - AWS IAM user access investigation
- Cortex XDR - Block File
- Cortex XDR - Check Action Status
- Cortex XDR - check file existence
- Cortex XDR - Cloud Data Exfiltration Response
- Cortex XDR - Cloud Enrichment
- Cortex XDR - Cloud IAM User Access Investigation
- Cortex XDR - delete file
- Cortex XDR - Display Risky Assets
- Cortex XDR - Endpoint Investigation
- Cortex XDR - Execute commands
- Cortex XDR - Execute snippet code script
- Cortex XDR - False Positive Incident Handling
- Cortex XDR - First SSO Access
- Cortex XDR - First SSO Access - Set Verdict
- Cortex XDR - Get entity alerts by MITRE tactics
- Cortex XDR - Get entity alerts by MITRE tactics CTF
- Cortex XDR - Get File Path from alerts by hash
- Cortex XDR - Identity Analytics
- Cortex XDR - Isolate Endpoint
- Cortex XDR - kill process
- Cortex XDR - Large Upload
- Cortex XDR - Malicious Pod Response - Agent
- Cortex XDR - Malware Investigation
- Cortex XDR - Port Scan
- Cortex XDR - Port Scan - Adjusted
- Cortex XDR - Possible External RDP Brute-Force
- Cortex XDR - Possible External RDP Brute-Force - Set Verdict
- Cortex XDR - Possible External RDP Brute-Force CTF
- Cortex XDR - PrintNightmare Detection and Response
- Cortex XDR - quarantine file
- Cortex XDR - Quarantine File v2
- Cortex XDR - Retrieve File by sha256
- Cortex XDR - Retrieve File Playbook
- Cortex XDR - Retrieve File v2
- Cortex XDR - Run script
- Cortex XDR - Search And Block Software - XQL Engine
- Cortex XDR - Search and Compare Process Executions - XDR Alerts
- Cortex XDR - Search and Compare Process Executions - XQL Engine
- Cortex XDR - True Positive Incident Handling
- Cortex XDR - Unisolate Endpoint
- Cortex XDR - XCloud Cryptojacking
- Cortex XDR - XCloud Cryptojacking - Set Verdict
- Cortex XDR - XCloud Token Theft - Set Verdict
- Cortex XDR - XCloud Token Theft Response
- Cortex XDR Alerts Handling
- Cortex XDR Alerts Handling CTF
- Cortex XDR Alerts Handling v2
- Cortex XDR device control violations
- Cortex XDR disconnected endpoints
- Cortex XDR Incident Handling
- Cortex XDR incident handling v2
- Cortex XDR incident handling v3
- Cortex XDR incident handling v3 CTF
- Cortex XDR Incident Sync
- Cortex XDR IOCs - Disable expired IOCs in XDR
- Cortex XDR IOCs - Push new IOCs to XDR
- Cortex XDR IOCs - Push new IOCs to XDR (Main)
- Cortex XDR Lite - Incident Handling
- Cortex XDR Malware - Incident Enrichment
- Cortex XDR Malware - Investigation And Response
- Cortex XDR Remote PsExec with LOLBIN command execution alert
- Courses of Action - Collection
- Courses of Action - Command and Control
- Courses of Action - Credential Access
- Courses of Action - Defense Evasion
- Courses of Action - Discovery
- Courses of Action - Execution
- Courses of Action - Exfiltration
- Courses of Action - Impact
- Courses of Action - Initial Access
- Courses of Action - Lateral Movement
- Courses of Action - Persistence
- Courses of Action - Privilege Escalation
- Create Jira Issue
- Create Jira Ticket - XM Cyber
- Create list for PTH
- Create ServiceNow Ticket
- Credential Dumping using a known tool
- CrowdStrike Endpoint Enrichment
- CrowdStrike Falcon - Block File
- CrowdStrike Falcon - False Positive Incident Handling
- CrowdStrike Falcon - Get Detections by Incident
- CrowdStrike Falcon - Get Endpoint Forensics Data
- Crowdstrike Falcon - Isolate Endpoint
- CrowdStrike Falcon - Retrieve File
- CrowdStrike Falcon - Search Endpoints By Hash
- CrowdStrike Falcon - Search Endpoints By Indicators
- CrowdStrike Falcon - SIEM ingestion Get Incident Data
- CrowdStrike Falcon - T1059 - Command and Scripting Interpreter
- CrowdStrike Falcon - True Positive Incident Handling
- Crowdstrike Falcon - Unisolate Endpoint
- CrowdStrike Falcon Intelligence Sandbox Detonate and Analyze File
- CrowdStrike Falcon Malware - Incident Enrichment
- CrowdStrike Falcon Malware - Investigation and Response
- CrowdStrike Falcon Malware - Verify Containment Actions
- CrowdStrike Falcon Sandbox - Detonate file
- CrowdStrike Rapid IOC Hunting
- CrowdStrike Rapid IOC Hunting v2
- CTF 1 - Get to know XSOAR8
- CTF 2 - Classify an incident - RDP Brute force
- CTF-X
- CVE Enrichment - Generic
- CVE Enrichment - Generic v2
- CVE Exposure - RiskSense
- CVE-2021-22893 - Pulse Connect Secure RCE
- CVE-2021-34527 | CVE-2021-1675 - PrintNightmare
- CVE-2021-40444 - MSHTML RCE
- CVE-2021-44228 - Log4j RCE
- CVE-2022-26134 - Confluence RCE
- CVE-2022-30190 - MSDT RCE
- CVE-2022-3786 & CVE-2022-3602 - OpenSSL X.509 Buffer Overflows
- CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell
- CVE-2023-23397 - Microsoft Outlook EoP
- CVE-2023-34362 - MOVEit Transfer SQL Injection
- CVE-2023-36884 - Microsoft Office and Windows HTML RCE
- CVE-2024-47575 - FortiManager Authentication Bypass
- CVE-2024-6387 - OpenSSH RegreSSHion RCE
- CyberArk - Brute Force_Investigation
- CyberBlindspot Incident Management
- CyberBlindspot Incident Management V2
- Cybereason - Download Close File
- Cybereason - Download File
- Cyberpion Domain State
- CyberTotal Auto Enrichment - CyCraft
- CyberTotal Whois - CyCraft
- Cyble Intel Alert
- Cyble Vision Alert V2
- Cyren Inbox Security Default
- D2 - Endpoint data collection
- Darkfeed - malware download from feed
- Darkfeed IOC detonation and proactive blocking
- Darkfeed Threat hunting-research
- Darktrace ASM Basic Risk Handler
- Darktrace Basic AI Analyst Event Handler
- Darktrace Basic Model Breach Handler
- DataBee Enrichment
- DBot Create Phishing Classifier
- DBot Create Phishing Classifier Job
- DBot Create Phishing Classifier V2
- DBot Create Phishing Classifier V2 Job
- DBot Indicator Enrichment - Generic
- DeCYFIR - v1
- Dedup - Generic
- Dedup - Generic v2
- Dedup - Generic v3
- Dedup - Generic v4
- DeDup incidents
- DeDup incidents - ML
- DeepL Translate Document
- Default
- Delete Custom Content
- Demisto Self-Defense - Account policy monitoring playbook
- Departing Employee Auto-Add
- Departing Employee Clean-Up
- Detect & Manage Phishing Campaigns
- Detonate and Analyze File - Generic
- Detonate and Analyze File - JoeSecurity
- Detonate File - ANYRUN
- Detonate File - BitDam
- Detonate File - CrowdStrike Falcon Intelligence Sandbox
- Detonate File - CrowdStrike Falcon Intelligence Sandbox v2
- Detonate file - CrowdStrike Falcon Sandbox v2
- Detonate File - Cuckoo
- Detonate File - FireEye AX
- Detonate File - FireEye Detection on Demand
- Detonate File - Generic
- Detonate File - Group-IB TDS Polygon
- Detonate File - HybridAnalysis
- Detonate File - JoeSecurity
- Detonate File - JoeSecurity V2
- Detonate File - Lastline
- Detonate File - Lastline v2
- Detonate File - ReversingLabs A1000
- Detonate File - ReversingLabs TitaniumScale
- Detonate File - SecneurX Analysis
- Detonate File - SNDBOX
- Detonate File - ThreatGrid
- Detonate File - ThreatGrid v2
- Detonate File - ThreatStream
- Detonate File - VirusTotal (API v3)
- Detonate File - VMRay
- Detonate File From URL - ANYRUN
- Detonate File From URL - JoeSecurity
- Detonate File From URL - WildFire
- Detonate File From URL - WildFire v2
- Detonate Private File - VirusTotal Private Scanning
- Detonate Remote File from URL - McAfee ATD
- Detonate URL - ANYRUN
- Detonate URL - CrowdStrike
- Detonate URL - CrowdStrike Falcon Intelligence Sandbox
- Detonate URL - CrowdStrike Falcon Intelligence Sandbox v2
- Detonate URL - Cuckoo
- Detonate URL - FireEye AX
- Detonate URL - Generic
- Detonate URL - Generic v1.5
- Detonate URL - Group-IB TDS Polygon
- Detonate URL - Hatching Triage
- Detonate URL - Hybrid Analysis
- Detonate URL - JoeSecurity
- Detonate URL - Lastline
- Detonate URL - Lastline v2
- Detonate URL - McAfee ATD
- Detonate URL - Phish.AI
- Detonate URL - SecneurX Analysis
- Detonate URL - ThreatGrid
- Detonate URL - ThreatGrid v2
- Detonate URL - ThreatStream
- Detonate URL - VirusTotal (API v3)
- Detonate URL - VMRay
- Detonate URL - WildFire v2.1
- Detonate URL - WildFire v2.2
- Detonate URL - WildFire-v2
- Digital Defense FrontlineVM - Old Vulnerabilities Found
- Digital Defense FrontlineVM - PAN-OS block assets
- Digital Defense FrontlineVM - Scan Asset Not Recently Scanned
- Digital Guardian Demo Playbook
- Digital Shadows - CVE_IoC Assessment & Enrichment
- Digital Shadows - Domain Alert Intelligence (Automated)
- Digital Shadows - Domain_IoC Assessment & Enrichment
- Digital Shadows - IoC Assessment & Enrichment
- Digital Shadows - IP_IoC Assessment & Enrichment
- Digital Shadows - MD5_IoC Assessment & Enrichment
- Digital Shadows - SHA1_IoC Assessment & Enrichment
- Digital Shadows - SHA256_IoC Assessment & Enrichment
- Digital Shadows - URL_IoC Assessment & Enrichment
- Dispatch Incident - Vectra Detect
- Dispatch Incident - Vectra XDR
- DLP - Get Approval
- DLP - Get User Feedback
- DLP - Get User Feedback via Email
- DLP - User Message App Check
- DLP Incident Feedback Loop
- Domain Enrichment - Generic
- Domain Enrichment - Generic v2
- Domain Enrichment - RST Threat Feed
- DomainTools Associate Indicator to Incident
- DomainTools Auto Pivots
- DomainTools Check Domain Risk Score By Iris Tags
- DomainTools Check New Domains by Iris Hash
- DomainTools Iris Risk Score
- DropBox - Massive scale operations on files
- Druva-Ransomware-Response
- DSAR Inventa Handler
- DSPM Jira Ticket Creation
- DSPM Multi-Cloud Risk Remediation
- DSPM notify user in case of error
- DSPM Re-run incident
- DSPM Remediation for Empty storage asset
- DSPM Remediation for Sensitive asset open to world
- DSPM Send Slack Notification to User
- DSPM Valid User Response
- EDL Monitor- Email EDL content
- Email Address Enrichment - Generic
- Email Address Enrichment - Generic v2
- Email Address Enrichment - Generic v2.1
- Email Headers Check - Generic
- Employee Offboarding - Delegate
- Employee Offboarding - Gather User Information
- Employee Offboarding - Retain & Delete
- Employee Offboarding - Revoke Permissions
- Employee Status Survey
- Endace Search Archive and Download
- Endace Search Archive Download PCAP
- Endace Search Archive Download PCAP v2
- Endpoint data collection
- Endpoint Enrichment - Cylance Protect v2
- Endpoint Enrichment - Generic
- Endpoint Enrichment - Generic v2
- Endpoint Enrichment - Generic v2.1
- Endpoint Enrichment By EntityId - XM Cyber
- Endpoint Enrichment By Hostname - XM Cyber
- Endpoint Enrichment By IP - XM Cyber
- Endpoint initiated uncommon remote scheduled task creation
- Endpoint Investigation Plan
- Endpoint Malware Investigation - Generic
- Endpoint Malware Investigation - Generic V2
- Enrich DXL with ATD verdict
- Enrich DXL with ATD verdict v2
- Enrich Incident With Asset Details - RiskIQ Digital Footprint
- Enrich McAfee DXL using 3rd party sandbox
- Enrich McAfee DXL using 3rd party sandbox v2
- Enrich ThinkstCanary Events
- Enrichment for Verdict
- Entity Enrichment - Generic
- Entity Enrichment - Generic v2
- Entity Enrichment - Generic v3
- Entity Enrichment - Generic v4
- Entity Enrichment - Phishing v2
- Eradication Plan
- Eradication Plan - Delete File
- Eradication Plan - Reset Password
- Eradication Plan - Terminate Process
- Event Log Was Cleared
- Example-Delinea-Folder Operations
- Example-Delinea-Retrieved Username and Password
- Example-Delinea-Secret Object Operations
- Example-Delinea-User object operations
- Excessive User Account Lockouts
- Exchange 2016 Search and Delete
- Exchange forwarding rule configured
- Exchange User Mailbox Forwarding
- Expanse Attribution
- Expanse Behavior Severity Update
- Expanse Enrich Cloud Assets
- Expanse Find Cloud IP Address Region and Service
- Expanse Load-Create List
- Expanse Unmanaged Cloud
- Expanse VM Enrich
- Export Single Alert to ServiceNow - PANW IoT 3rd Party Integration
- Export Single Asset to SIEM - PANW IoT 3rd Party Integration
- Export Single Vulnerability to ServiceNow - PANW IoT 3rd Party Integration
- External Login Password Spray
- Extract and Create Relationships
- Extract and Enrich Expanse Indicators
- Extract Indicators - Generic
- Extract Indicators From File - Generic
- Extract Indicators From File - Generic v2
- ExtraHop - CVE-2019-0708 (BlueKeep)
- ExtraHop - Default
- ExtraHop - Get Peers by Host
- ExtraHop - Ticket Tracking
- ExtraHop - Ticket Tracking v2
- Failed Login Playbook - Slack v2
- Fetch All Violations - Securonix
- Fetch Violations - Securonix
- Field Polling - Generic
- Fighting Ursa Luring Targets With Car For Sale
- File Analysis - ReversingLabs A1000
- File Enrichment - File reputation
- File Enrichment - Generic
- File Enrichment - Generic v2
- File Enrichment - RST Threat Feed
- File Enrichment - Virus Total (API v3)
- File Enrichment - Virus Total Private API
- File Enrichment - VMRay
- File Reputation
- File Reputation - ReversingLabs TitaniumCloud
- FireEye ETP - Indicators Hunting
- FireEye Helix Archive Search
- FireEye HX - Execution Flow Indicators Hunting
- FireEye HX - File Indicators Hunting
- FireEye HX - Indicators Hunting
- FireEye HX - Isolate Endpoint
- FireEye HX - Traffic Indicators Hunting
- FireEye HX - Unisolate Endpoint
- FireEye Red Team Tools Investigation and Response
- FireMon Create Policy Planner Ticket
- FireMon Pre Change Assessment
- Forensics Tools Analysis
- FortiSandbox - Loop for Job Submissions
- FortiSandbox - Loop For Job Verdict
- FortiSandbox - Upload Multiple Files
- Function Deployment - AWS
- Function Removal - AWS
- GCP - Enrichment
- GCP - Firewall Remediation
- GCP - User Investigation
- GDPR Breach Notification
- Gem Handle Alert for Root Usage
- Gem Handle ec2
- Gem Validate triggering event
- GenericPolling
- GenericPolling-FortiSIEM
- Get Cloud Account Owner - Generic
- Get Code42 Employee Information
- Get Email From Email Gateway - FireEye
- Get Email From Email Gateway - Generic
- Get Email From Email Gateway - Mimecast
- Get Email From Email Gateway - Proofpoint Protection Server
- Get endpoint details - Generic
- Get entity alerts by MITRE tactics
- Get File Sample - Generic
- Get File Sample By Hash - Carbon Black Enterprise Response
- Get File Sample By Hash - Cylance Protect
- Get File Sample By Hash - Cylance Protect v2
- Get File Sample By Hash - Generic
- Get File Sample By Hash - Generic v2
- Get File Sample By Hash - Generic v3
- Get File Sample From Path - Carbon Black Enterprise Response
- Get File Sample From Path - D2
- Get File Sample From Path - Generic
- Get File Sample From Path - Generic V2
- Get File Sample From Path - Generic V3
- Get File Sample From Path - VMware Carbon Black EDR - Live Response API
- Get host forensics - Generic
- Get Original Email - EWS
- Get Original Email - EWS v2
- Get Original Email - Generic
- Get Original Email - Generic v2
- Get Original Email - Gmail
- Get Original Email - Gmail v2
- Get Original Email - Microsoft Graph Mail
- Get prevalence for IOCs
- Get RaDark Detailed Items
- Get the binary file from Carbon Black by its MD5 hash
- Get User Devices - Generic
- Get User Devices by Email Address - Generic
- Get User Devices by Username - Generic
- Gitlab - Guest user permission change
- Google Dorking File Processing
- Google Vault - Display Results
- Google Vault - Search Drive
- Google Vault - Search Groups
- Google Vault - Search Mail
- GRACase
- HackerView Incident Management
- HAFNIUM - Exchange 0-day exploits
- Handle Darktrace Model Breach
- Handle Expanse Incident
- Handle Expanse Incident - Attribution Only
- Handle False Positive Alerts
- Handle Hello World Alert
- Handle Shadow IT Incident
- Handle TD events
- Health Check - Collect Log Bundle
- Health Check - Log Analysis Read All files
- HealthCheck
- HelloWorld Scan
- HIPAA - Breach Notification
- Hostname And IP Address Investigation And Remediation - Chronicle
- Hoxhunt - Enrich Incident
- Humio QueryJob Poll
- Hunt Extracted Hashes
- Hunt Extracted Hashes V2
- Hunt for bad IOCs
- Hunting C&C Communication Playbook
- Hurukai - Add indicators to HarfangLab EDR
- Hurukai - Alert management
- Hurukai - Get All Artifacts
- Hurukai - Get Artifact Evtx
- Hurukai - Get Artifact Filesystem
- Hurukai - Get Artifact Hives
- Hurukai - Get Artifact Logs
- Hurukai - Get Artifact MFT
- Hurukai - Get Artifact RAM Dump
- Hurukai - Get Driver List
- Hurukai - Get Network Connection List
- Hurukai - Get Network Share List
- Hurukai - Get Persistence List
- Hurukai - Get Pipe List
- Hurukai - Get Prefetch List
- Hurukai - Get Process List
- Hurukai - Get Runkey List
- Hurukai - Get Scheduled Task List
- Hurukai - Get Service List
- Hurukai - Get Session List
- Hurukai - Get Startup List
- Hurukai - Get WMI List
- Hurukai - Hunt IOCs
- Hurukai - Process Indicators - Manual Review
- Hybrid-analysis quick-scan
- Identity Analytics - Alert Handling
- Illinois - Breach Notification
- Illusive - Data Enrichment
- Illusive - Incident Escalation
- Illusive-Collect-Forensics-On-Demand
- Illusive-Retrieve-Incident
- Impossible Traveler
- Impossible Traveler - Enrichment
- Impossible Traveler Response
- Incident Postprocessing - Group-IB Threat Intelligence & Attribution
- Incremental Export Devices to ServiceNow - PANW IoT 3rd Party Integration
- Incremental Export to Cisco ISE - PANW IoT 3rd Party Integration
- Incremental Export to SIEM - PANW IoT 3rd Party Integration
- Indicator Enrichment - Qintel
- Indicator Pivoting - DomainTools Iris
- Indicator Registration Polling - Generic
- Integration Troubleshooting
- Integrations and Incidents Health Check - Running Scripts
- Intezer - Analyze by hash
- Intezer - Analyze File and URL
- Intezer - Analyze Uploaded file
- Investigate On Bad Domain Matches - Chronicle
- IOC Alert
- IP Enrichment - External - Generic v2
- IP Enrichment - External - RST Threat Feed
- IP Enrichment - Generic
- IP Enrichment - Generic v2
- IP Enrichment - Internal - Generic v2
- IP Reputation-GreyNoise
- IP Whitelist - AWS Security Group
- IP Whitelist - GCP Firewall
- IP Whitelist And Exclusion - RiskIQ Digital Footprint
- IQ-HUB Automation
- Ironscales-Classify-Incident
- Isolate Endpoint - Cybereason
- Isolate Endpoint - Generic
- Isolate Endpoint - Generic V2
- IT - Employee Offboarding
- IT - Employee Offboarding - Manual
- Ivanti Critical Vulnerabilities
- Jira Change Management
- Jira Ticket State Polling
- JOB - Cortex XDR query endpoint device control violations
- JOB - Integrations and Incidents Health Check
- JOB - Integrations and Incidents Health Check - Lists handling
- JOB - PANW NGFW TS Agent Cleanup
- JOB - Popular News
- JOB - XSOAR - Export Selected Custom Content
- JOB - XSOAR - Simple Dev to Prod
- JOB - XSOAR EDL Checker
- Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack
- Kenna - Search and Handle Asset Vulnerabilities
- Large Upload Alert
- Launch Adhoc Command Generic - Ansible Automation Platform
- Launch And Fetch Compliance Policy Report - Qualys
- Launch And Fetch Compliance Report - Qualys
- Launch And Fetch Host Based Findings Report - Qualys
- Launch And Fetch Map Report - Qualys
- Launch And Fetch Patch Report - Qualys
- Launch And Fetch PC Scan - Qualys
- Launch And Fetch Remediation Report - Qualys
- Launch And Fetch Scan Based Findings Report - Qualys
- Launch And Fetch Scheduled Report - Qualys
- Launch And Fetch VM Scan - Qualys
- Launch Job - Ansible Automation Platform
- Launch Scan - Tenable.sc
- List Cisco Stealthwatch Security Events
- List Device Events - Chronicle
- Local Analysis alert Investigation
- LogPoint SIEM Playbook
- Logrhythm - Search query
- LogRhythmRestV2 - Search query
- Logz.Io Handle Alert
- Logz.io Indicator Hunting
- Lost / Stolen Device Playbook
- LSASS Credential Dumpin
- Malcore alert related file
- Malware Investigation & Response Incident Handler
- Malware Investigation - Generic
- Malware Investigation - Generic - Setup
- Malware Investigation - Manual
- Malware Investigation and Response - Set Alerts Grid
- Malware Playbook - Manual
- Malware SIEM Ingestion - Get Incident Data
- Malware Triage - ReversingLabs TitaniumCloud
- MAR - Endpoint data collection
- McAfee ePO Endpoint Compliance Playbook
- McAfee ePO Endpoint Compliance Playbook v2
- McAfee ePO Endpoint Connectivity Diagnostics Playbook v2
- McAfee ePO Repository Compliance Playbook
- McAfee ePO Repository Compliance Playbook v2
- MDE - Block File
- MDE - False Positive Incident Handling
- MDE - Host Advanced Hunting
- MDE - Host Advanced Hunting For Network Activity
- MDE - Host Advanced Hunting For Persistence
- MDE - Host Advanced Hunting For Powershell Executions
- MDE - Pro-Active Actions
- MDE - Retrieve File
- MDE - Search And Block Software
- MDE - Search and Compare Process Executions
- MDE - True Positive Incident Handling
- MDE Malware - Incident Enrichment
- MDE Malware - Investigation and Response
- MDE SIEM ingestion - Get Incident Data
- Message Quarantine - Cofense Vision
- Microsoft 365 Defender - Emails Indicators Hunt
- Microsoft 365 Defender - Get Email URL Clicks
- Microsoft 365 Defender - Threat Hunting Generic
- Microsoft Defender Advanced Threat Protection Get Machine Action Status
- Microsoft Defender For Endpoint - Collect investigation package
- Microsoft Defender For Endpoint - Isolate Endpoint
- Microsoft Defender for Endpoint - Malware Detected
- Microsoft Defender For Endpoint - Unisolate Endpoint
- Microsoft Office File Enrichment - Oletools
- Mimecast - Block Sender Domain
- Mimecast - Block Sender Email
- Mirror Jira Ticket
- Mirror ServiceNow Ticket
- MITRE ATT&CK - Courses of Action
- MITRE ATT&CK - Courses of Action Trigger Job
- MITRE ATT&CK CoA - T1003 - OS Credential Dumping
- MITRE ATT&CK CoA - T1005 - Data from Local System
- MITRE ATT&CK CoA - T1021.001 - Remote Desktop Protocol
- MITRE ATT&CK CoA - T1027 - Obfuscated Files or Information
- MITRE ATT&CK CoA - T1041 - Exfiltration Over C2 Channel
- MITRE ATT&CK CoA - T1048 - Exfiltration Over Alternative Protocol
- MITRE ATT&CK CoA - T1057 - Process Discovery
- MITRE ATT&CK CoA - T1059 - Command and Scripting Interpreter
- MITRE ATT&CK CoA - T1059.001 - PowerShell
- MITRE ATT&CK CoA - T1068 - Exploitation for Privilege Escalation
- MITRE ATT&CK CoA - T1071 - Application Layer Protocol
- MITRE ATT&CK CoA - T1078 - Valid Accounts
- MITRE ATT&CK CoA - T1082 - System Information Discovery
- MITRE ATT&CK CoA - T1083 - File and Directory Discovery
- MITRE ATT&CK CoA - T1105 - Ingress tool transfer
- MITRE ATT&CK CoA - T1110 - Brute Force
- MITRE ATT&CK CoA - T1133 - External Remote Services
- MITRE ATT&CK CoA - T1135 - Network Share Discovery
- MITRE ATT&CK CoA - T1189 - Drive-by Compromise
- MITRE ATT&CK CoA - T1199 - Trusted Relationship
- MITRE ATT&CK CoA - T1204 - User Execution
- MITRE ATT&CK CoA - T1486 - Data Encrypted for Impact
- MITRE ATT&CK CoA - T1518 - Software Discovery
- MITRE ATT&CK CoA - T1543.003 - Windows Service
- MITRE ATT&CK CoA - T1547 - Boot or Logon Autostart Execution
- MITRE ATT&CK CoA - T1547.001 - Registry Run Keys Startup Folder
- MITRE ATT&CK CoA - T1560.001 - Archive via Utility
- MITRE ATT&CK CoA - T1562.001 - Disable or Modify Tools
- MITRE ATT&CK CoA - T1564.004 - NTFS File Attributes
- MITRE ATT&CK CoA - T1566 - Phishing
- MITRE ATT&CK CoA - T1566.001 - Spear-Phishing Attachment
- MITRE ATT&CK CoA - T1569.002 - Service Execution
- MITRE ATT&CK CoA - T1573.002 - Asymmetric Cryptography
- Mitre Attack - Extract Technique Information From ID
- MockPlaybook
- MockSubplaybook
- Modify EDL
- Msiexec execution of an executable from an uncommon remote location
- Netcat Makes or Gets Connections
- NetOps - Firewall Version and Content Upgrade
- NetOps - Upgrade PAN-OS Firewall Device
- New Hire Auto-Add
- New Hire Clean-Up
- New York - Breach Notification
- Nexpose - Create and Download Report
- NGFW Internal Scan
- NGFW Remove Offline TS Agent
- NGFW Scan
- NIST - Handling an Incident Template
- NIST - Lessons Learned
- NMAP - Banner Check
- NMAP - Single Port Scan
- NOBELIUM - wide scale APT29 spear-phishing
- Notify Stock Above Price
- NSA - 5 Security Vulnerabilities Under Active Nation-State Attack
- O365 - Security And Compliance - Search
- O365 - Security And Compliance - Search Action - Delete
- O365 - Security And Compliance - Search Action - Preview
- O365 - Security And Compliance - Search And Delete
- Office 365 Search and Delete
- Office process creates a scheduled task via file access
- Okta - User Investigation
- Online Brand Protection Detect and Respond
- OpenCTI Create Indicator
- Palo Alto Networks - Endpoint Malware Investigation
- Palo Alto Networks - Endpoint Malware Investigation v2
- Palo Alto Networks - Endpoint Malware Investigation v3
- Palo Alto Networks - Hunting And Threat Detection
- Palo Alto Networks - Malware Remediation
- Palo Alto Networks BPA - Submit Scan
- PAN-OS - Add Anti-Spyware Security Profile To Rule
- PAN-OS - Add Domains EDL To Anti-Spyware
- PAN-OS - Add Static Routes
- PAN-OS - Apply Security Profile to Policy Rule
- PAN-OS - Block all unknown and unauthorized applications
- PAN-OS - Block Destination Service
- PAN-OS - Block Domain - External Dynamic List
- PAN-OS - Block IP
- PAN-OS - Block IP - Custom Block Rule
- PAN-OS - Block IP - Static Address Group
- PAN-OS - Block IP and URL - External Dynamic List
- PAN-OS - Block IP and URL - External Dynamic List v2
- PAN-OS - Block IPs From EDL - Custom Block Rule
- PAN-OS - Block URL - Custom URL Category
- PAN-OS - Configure DNS Sinkhole
- PAN-OS - Create Or Edit Rule
- PAN-OS - Delete Static Routes
- PAN-OS - Enforce Anti-Spyware Best Practices Profile
- PAN-OS - Enforce Anti-Virus Best Practices Profile
- PAN-OS - Enforce File Blocking Best Practices Profile
- PAN-OS - Enforce URL Filtering Best Practices Profile
- PAN-OS - Enforce Vulnerability Protection Best Practices Profile
- PAN-OS - Enforce WildFire Best Practices Profile
- PAN-OS - Extract IPs From Traffic Logs To Sinkhole
- PAN-OS - Job - Add Malicious Domains To Sinkhole
- PAN-OS - Job - Remove Malicious Domains From Sinkhole
- PAN-OS Commit Configuration
- PAN-OS Commit Configuration v2
- PAN-OS create or edit policy
- PAN-OS DAG Configuration
- PAN-OS edit policy
- PAN-OS EDL Service Configuration
- PAN-OS EDL Setup
- PAN-OS EDL Setup v3
- PAN-OS Log Forwarding Setup And Configuration
- PAN-OS logging to Strata Logging Service - Action Required
- PAN-OS Query Logs For Indicators
- PAN-OS Search for Post Quantum Crypto Vuln Sigs
- PAN-OS to Strata Logging Service Monitoring - Cron Job
- Panorama Query Logs
- PanoramaQueryTrafficLogs
- PANW - Hunting and threat detection by indicator type
- PANW - Hunting and threat detection by indicator type V2
- PANW IoT Incident Handling with ServiceNow
- PANW IoT ServiceNow Tickets Check
- PANW NGFW TS Agent Deployment
- PANW Threat Vault - Signature Search
- PCAP Analysis
- PCAP File Carving
- PCAP Parsing And Indicator Enrichment
- PCAP Search
- Penfield Assign
- Pentera Filter And Create Incident
- Pentera Run Scan
- Pentera Run Scan and Create Incidents
- Phishing - Core
- Phishing - Core v2
- Phishing - Create New Incident
- Phishing - Generic v3
- Phishing - Get Original Email Loop
- Phishing - Handle Microsoft 365 Defender Results
- Phishing - Indicators Hunting
- Phishing - Machine Learning Analysis
- Phishing - Search Related Incidents (Defender 365)
- Phishing Alerts - Check Severity
- Phishing Alerts Investigation
- Phishing Investigation - Generic
- Phishing Playbook - Manual
- PhishingDemo-Onboarding
- PhishLabs - Populate Indicators
- PhishLabs - Whitelist false positives
- PhishUp Mail Scanner
- PICUS - Attack Validation Automation
- PICUS NG - Simulation Validation Automation
- PII Check - Breach Notification
- Policy Optimizer - Add Applications to Policy Rules
- Policy Optimizer - Generic
- Policy Optimizer - Manage Port Based Rules
- Policy Optimizer - Manage Rules with Unused Applications
- Policy Optimizer - Manage Unused Rules
- Port Scan - External Source
- Port Scan - Generic
- Port Scan - Internal Source
- Possible External RDP Brute-Force
- Possible External RDP Brute-Force - Set Verdict
- Post Intrusion Ransomware Investigation
- Powershell Payload Response
- Prepare your CTF
- Prisma Access - Logout User
- Prisma Access - Connection Health Check
- Prisma Access Whitelist Egress IPs on SaaS Services
- Prisma Cloud - Find AWS Resource by FQDN
- Prisma Cloud - Find AWS Resource by FQDN v2
- Prisma Cloud - Find AWS Resource by Public IP
- Prisma Cloud - Find AWS Resource by Public IP v2
- Prisma Cloud - Find Azure Resource by FQDN
- Prisma Cloud - Find Azure Resource by FQDN v2
- Prisma Cloud - Find Azure Resource by Public IP
- Prisma Cloud - Find Azure Resource by Public IP v2
- Prisma Cloud - Find GCP Resource by FQDN
- Prisma Cloud - Find GCP Resource by FQDN v2
- Prisma Cloud - Find GCP Resource by Public IP
- Prisma Cloud - Find GCP Resource by Public IP v2
- Prisma Cloud - Find Public Cloud Resource by FQDN
- Prisma Cloud - Find Public Cloud Resource by Public IP
- Prisma Cloud - Find Public Cloud Resource by Public IP v2
- Prisma Cloud - Get Account Owner
- Prisma Cloud - Get Owner By Namespace
- Prisma Cloud - Network API and Anomaly Incidents
- Prisma Cloud - RQL Execution
- Prisma Cloud - VM Alert Prioritization
- Prisma Cloud Compute - Audit Alert
- Prisma Cloud Compute - Audit Alert Compliance Enrichment
- Prisma Cloud Compute - Audit Alert Enrichment
- Prisma Cloud Compute - Audit Alert v2
- Prisma Cloud Compute - Audit Alert v3
- Prisma Cloud Compute - Audit Alert Vulnerabilities Enrichment
- Prisma Cloud Compute - Cloud Discovery Alert
- Prisma Cloud Compute - Compliance Alert
- Prisma Cloud Compute - Compliance Alert Container Enrichment Loop
- Prisma Cloud Compute - Compliance Alert Host Enrichment Loop
- Prisma Cloud Compute - Compliance Alert Image Enrichment Loop
- Prisma Cloud Compute - Compliance Alert v2
- Prisma Cloud Compute - Container Forensics
- Prisma Cloud Compute - Get Container Events
- Prisma Cloud Compute - Get Defender Logs
- Prisma Cloud Compute - Jira Compliance Issue
- Prisma Cloud Compute - Jira Ticket (Markdown Table)
- Prisma Cloud Compute - Jira Ticket (XLSX)
- Prisma Cloud Compute - ServiceNow Compliance Ticket
- Prisma Cloud Compute - ServiceNow Ticket (HTML Table)
- Prisma Cloud Compute - ServiceNow Ticket (XLSX)
- Prisma Cloud Compute - Vulnerability Alert
- Prisma Cloud Compute Vulnerability and Compliance Reporting
- Prisma Cloud Correlate Alerts
- Prisma Cloud Correlate Alerts v2
- Prisma Cloud Remediation - AWS CloudTrail is not Enabled on the Account
- Prisma Cloud Remediation - AWS CloudTrail Misconfiguration
- Prisma Cloud Remediation - AWS CloudTrail Misconfiguration v2
- Prisma Cloud Remediation - AWS CloudTrail Trail Misconfiguration
- Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration
- Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration v2
- Prisma Cloud Remediation - AWS EC2 Security Group Misconfiguration
- Prisma Cloud Remediation - AWS IAM Password Policy Misconfiguration
- Prisma Cloud Remediation - AWS IAM Policy Misconfiguration
- Prisma Cloud Remediation - AWS IAM Policy Misconfiguration v2
- Prisma Cloud Remediation - AWS Inactive Users For More Than 30 Days
- Prisma Cloud Remediation - AWS Security Groups Allows Internet Traffic To TCP Port
- Prisma Cloud Remediation - Azure AKS Cluster Misconfiguration
- Prisma Cloud Remediation - Azure AKS Misconfiguration
- Prisma Cloud Remediation - Azure AKS Misconfiguration v2
- Prisma Cloud Remediation - Azure Network Misconfiguration
- Prisma Cloud Remediation - Azure Network Misconfiguration v2
- Prisma Cloud Remediation - Azure Network Security Group Misconfiguration
- Prisma Cloud Remediation - Azure SQL Database Misconfiguration
- Prisma Cloud Remediation - Azure SQL Misconfiguration
- Prisma Cloud Remediation - Azure SQL Misconfiguration v2
- Prisma Cloud Remediation - Azure Storage Blob Misconfiguration
- Prisma Cloud Remediation - Azure Storage Misconfiguration
- Prisma Cloud Remediation - Azure Storage Misconfiguration v2
- Prisma Cloud Remediation - GCP Compute Engine Misconfiguration
- Prisma Cloud Remediation - GCP Compute Engine Misconfiguration v2
- Prisma Cloud Remediation - GCP Kubernetes Engine Cluster Misconfiguration
- Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration
- Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration v2
- Prisma Cloud Remediation - GCP VPC Network Firewall Misconfiguration
- Prisma Cloud Remediation - GCP VPC Network Misconfiguration
- Prisma Cloud Remediation - GCP VPC Network Misconfiguration v2
- Prisma Cloud Remediation - GCP VPC Network Project Misconfiguration
- Prisma SASE - Add IPs to Static Address Group
- Prisma SASE - Block IP
- Prisma SASE - Block URL
- Prisma SASE - Create a security pre-rule for EDL
- Prisma SASE - Create Address Object
- Prisma SASE - Create or Edit EDL object
- Prisma SASE - Create or Edit Security Policy Rule
- Prisma SASE - Quarantine a SentinelOne Host With Active Threat
- Proactive Threat Hunting
- Proactive Threat Hunting - Block Account
- Proactive Threat Hunting - Block Indicators
- Proactive Threat Hunting - Endpoint Isolation
- Proactive Threat Hunting - Entity Enrichment
- Proactive Threat Hunting - Execute Query
- Proactive Threat Hunting - Quarantine File
- Proactive Threat Hunting - SDO Threat Hunting
- Process Email - Add custom fields
- Process Email - Core
- Process Email - Core v2
- Process Email - EWS
- Process Email - Generic
- Process Email - Generic v2
- Process Incident - Vectra Detect
- Process Incident - Vectra XDR
- Process Microsoft's Anti-Spam Headers
- Process QWatch Alert - Qintel
- Process Survey Response
- Proofpoint TAP - Event Enrichment
- PS Remote Get File Sample From Path
- PS-Remote Acquire Host Forensics
- PS-Remote Get MFT
- PS-Remote Get Network Traffic
- PS-Remote Get Registry
- Pull Request Creation - AzureDevOps
- Pull Request Creation - Bitbucket
- Pull Request Creation - Generic
- Pull Request Creation - Github
- Pull Request Creation - GitLab
- QRadar - Get offense correlations
- QRadar - Get offense correlations v2
- QRadar - Get Offense Logs
- QRadar Build Query and Search
- QRadar Generic
- QRadar Get Hunting Results
- QRadar Indicator Hunting V2
- QRadarCorrelationLog
- QRadarFullSearch
- Quarantine Device in Cisco ISE - PANW IoT 3rd Party Integration
- Query Cisco Stealthwatch Flows
- Query using Sigma rules
- Ransomware Advanced Analysis
- Ransomware Enrich and Contain
- Ransomware Exposure - RiskSense
- Ransomware Playbook - Manual
- Ransomware Response
- Rapid Breach Response - Set Incident Info
- Rapid IOC Hunting Playbook
- Rapid ransomware containment - Illumio
- Rapid7 - Nexpose - Enrichment
- Rapid7 InsightIDR - Execution Flow Indicators Hunting
- Rapid7 InsightIDR - File Indicators Hunting
- Rapid7 InsightIDR - HTTP Requests Indicators Hunting
- Rapid7 InsightIDR - Indicators Hunting
- Rapid7 InsightIDR - Traffic Indicators Hunting
- RDP Bitmap Cache - Detect and Hunt
- Reco - Reduce Risk - Google Publicly Exposed Files
- Reco Build String Message
- Reco Google Drive Automation
- Reco-Google-Drive-Revoke-Permissions
- Recorded Future - Identity Exposure
- Recorded Future - Threat Actor Search
- Recorded Future CVE Intelligence
- Recorded Future CVE Reputation
- Recorded Future Detailed Alert example
- Recorded Future Domain Abuse
- Recorded Future Domain Intelligence
- Recorded Future Domain Reputation
- Recorded Future Entity Enrichment
- Recorded Future External Usecase
- Recorded Future File Intelligence
- Recorded Future File Reputation
- Recorded Future Identity - Create Incident (sub)
- Recorded Future Identity - Identity Found (incident)
- Recorded Future Identity - Lookup Identities (parent)
- Recorded Future IOC Reputation
- Recorded Future IP Intelligence
- Recorded Future IP Reputation
- Recorded Future Leaked Credential Alert Handling
- Recorded Future List Management
- Recorded Future Playbook Alert Details
- Recorded Future Sandbox
- Recorded Future Threat Assessment
- Recorded Future Typosquat Alert Handling
- Recorded Future URL Intelligence
- Recorded Future URL Reputation
- Recorded Future Vulnerability
- Recorded Future Vulnerability Alert Handling
- Recorded Future Workforce Usecase
- Recovery Plan
- Registry Parse Data Analysis
- Remediate Message - Agari Phishing Defense
- Remote PsExec with LOLBIN command execution alert
- Remote WMI Process Execution
- Remove Employees from Departing Employee Watchlist
- Remove Employees from New Hire Watchlist
- Report Categorization - Cofense Triage v3
- Reset User Password via Chatbot
- Residents Notification - Breach Notification
- Retrieve Alert Attachments - Rapid7 ThreatCommand
- Retrieve Alerts For IOCs - Dataminr Pulse
- Retrieve Asset Details - Lansweeper
- Retrieve Email Data - Agari Phishing Defense
- Retrieve File from Endpoint - Generic
- Retrieve File from Endpoint - Generic V2
- Retrieve File from Endpoint - Generic V3
- Retrieve Related Alerts - Dataminr Pulse
- RiskIQAsset Basic Information Enrichment - RiskIQ Digital Footprint
- RiskIQAsset Enrichment - RiskIQ Digital Footprint
- RSS Create Indicators From Report
- Rubrik Anomaly Incident Response - Rubrik Polaris
- Rubrik Data Object Discovery - Rubrik Polaris
- Rubrik File Context Analysis - Rubrik Polaris
- Rubrik Fileset Ransomware Discovery - Rubrik Polaris
- Rubrik IOC Scan - Rubrik Polaris
- Rubrik List Snapshots - Rubrik Polaris
- Rubrik Object Context Analysis - Rubrik Polaris
- Rubrik Polaris - Anomaly Analysis
- Rubrik Poll Async Result - Rubrik Polaris
- Rubrik Ransomware Discovery and File Recovery - Rubrik Polaris
- Rubrik Ransomware Discovery and VM Recovery - Rubrik Polaris
- Rubrik Retrieve Anomaly Result - Rubrik Security Cloud
- Rubrik Retrieve User Access Information - Rubrik Polaris
- Rubrik User Access Analysis - Rubrik Polaris
- Rubrik Workload Analysis - Rubrik Security Cloud
- Run Panorama Best Practice Assessment (Deprecated)
- Rundeck-job-execute-Generic
- Saas Security - Incident Processor
- SaaS Security - Remediate an Asset
- Saas Security - Take Action on the Incident
- SafeBreach - Compare and Validate Insight Indicators
- SafeBreach - Create Incidents per Insight and Associate Indicators
- SafeBreach - Process Non-Behavioral Insights Feed
- SafeBreach - Rerun Insights
- SafeBreach - Rerun Single Insight
- SafeNet Trusted Access - Add to Unusual Activity Group
- SafeNet Trusted Access - Terminate User SSO Sessions
- SailPoint IdentityIQ Disable User Account Access
- Sanitize File - CDR - ThreatZone
- SANS - Incident Handler's Handbook Template
- SANS - Incident Handlers Checklist
- SANS - Lessons Learned
- Scan and Isolate - XM Cyber
- Scan Assets - Nexpose
- Scan Site - Nexpose
- Schedule Task and Poll
- Scheduled task created with HTTP or FTP reference
- Search all mailboxes - Gmail with polling
- Search And Block Software - Generic
- Search and Compare Process Executions - Generic
- Search And Delete Emails - EWS
- Search And Delete Emails - Generic
- Search And Delete Emails - Generic v2
- Search And Delete Emails - Gmail
- Search Endpoint by CVE - Generic
- Search Endpoints By Hash - Carbon Black Protection
- Search Endpoints By Hash - Carbon Black Response
- Search Endpoints By Hash - Carbon Black Response V2
- Search Endpoints By Hash - CrowdStrike
- Search Endpoints By Hash - Cybereason
- Search Endpoints By Hash - Generic
- Search Endpoints By Hash - Generic V2
- Search Endpoints By Hash - TIE
- Search For Hash In Sandbox - Generic
- Search in mailboxes Gmail (Loop) with polling
- Search LOLBAS Tools By Name
- Send Indicators - Cofense Triage v3
- Send Investigation Summary Reports
- Send Investigation Summary Reports Job
- Sentinel One - Endpoint data collection
- Sentinel One - Query Endpoints
- Service Desk Plus - Generic Polling
- ServiceNow - Ticket Management
- ServiceNow Change Management
- ServiceNow CMDB Search
- ServiceNow Ticket State Polling
- Set RaDark Grid For Compromised Accounts
- Set RaDark Grid For Credit Cards
- Set RaDark Grid For Hacking Discussions
- Set RaDark Grid For Leaked Credentials
- Set RaDark Grid For Network Vulnerabilities
- Set RDP Bitmap Cache Overall Score
- Set Team Members
- Set up a Shift handover meeting
- Shift handover
- SIEM - Search for Failed logins
- Slack - General Failed Logins v2.1
- SlackBlockBuilderResponseExample
- Social Engineering Domain Enrichment
- Social Engineering Domain Investigation
- SOCRadar Incident
- SolarStorm and SUNBURST Hunting and Response Playbook
- Spear Phishing Investigation
- Splunk Generic
- Splunk Indicator Hunting
- Spring Core and Cloud Function SpEL RCEs
- SpyCloud - Breach Investigation
- SpyCloud - Malware Incident Enrichment
- SSL_Certificate_Verification
- SSO Authentication With Suspicious Characteristics
- SSO Brute Force
- SSO Password Spray
- Stamus Networks - Get Extra Data
- Strata Logging Service - File Indicators Hunting
- Strata Logging Service - Indicators Hunting
- Strata Logging Service - Traffic Indicators Hunting
- Successful guest user invitation
- Sumo Logic Cloud SIEM - Link Signal Incidents
- Suspicious certutil command line
- Suspicious Domain Hunting Incident Handling
- Suspicious execution from tmp folder
- Suspicious Hidden User Created
- Suspicious LDAP search query
- Suspicious Local Administrator Login
- Suspicious process execution by scheduled task on a sensitive server
- Suspicious SaaS Access From a TOR Exit Node
- SX - PC - PingCastle Report
- Symantec block Email
- T1036 - Masquerading
- T1059 - Command and Scripting Interpreter
- Tag massive and internal IOCs to avoid EDL listing
- Tanium - Ask Question
- Tanium - Get Saved Question Result
- Tanium Demo Playbook
- Tenable.io Scan
- Threat Hunting - Chronicle
- Threat Hunting - Generic
- Ticket Management - Generic
- TIE - IOC Hunt
- TIM - Add All Indicator Types To SIEM
- TIM - Add Bad Hash Indicators To SIEM
- TIM - Add Domain Indicators To SIEM
- TIM - Add IP Indicators To SIEM
- TIM - Add Url Indicators To SIEM
- TIM - ArcSight Add Bad Hash Indicators
- TIM - ArcSight Add Domain Indicators
- TIM - ArcSight Add IP Indicators
- TIM - ArcSight Add Url Indicators
- TIM - Indicator Auto Processing
- TIM - Indicator Relationships Analysis
- TIM - Indicators Exclusion By Related Incidents
- TIM - Intel Tracking
- TIM - Process AWS indicators
- TIM - Process Azure indicators
- TIM - Process CIDR Indicators By Size
- TIM - Process Domain Age With Whois
- TIM - Process Domain Registrant With Whois
- TIM - Process Domains With Whois
- TIM - Process File Indicators With File Hash Type
- TIM - Process Indicators - Fully Automated
- TIM - Process Indicators - Manual Review
- TIM - Process Indicators Against Approved Hash List
- TIM - Process Indicators Against Business Partners Domains List
- TIM - Process Indicators Against Business Partners IP List
- TIM - Process Indicators Against Business Partners URL List
- TIM - Process Indicators Against Organizations External IP List
- TIM - Process Office365 indicators
- TIM - QRadar Add Bad Hash Indicators
- TIM - QRadar Add Domain Indicators
- TIM - QRadar Add IP Indicators
- TIM - QRadar Add Url Indicators
- TIM - Review Indicators Manually
- TIM - Review Indicators Manually For Allowlisting
- TIM - Run Enrichment For All Indicator Types
- TIM - Run Enrichment For Domain Indicators
- TIM - Run Enrichment For Hash Indicators
- TIM - Run Enrichment For IP Indicators
- TIM - Run Enrichment For Url Indicators
- TIM - Update Indicators Organizational External IP Tag
- Traps Blacklist File
- Traps Isolate Endpoint
- Traps Quarantine Event
- Traps Retrieve And Download Files
- Traps Scan Endpoint
- Trend Micro CAS - Indicators Hunting
- TrendMicro Malware Alert Playbook
- Tufin - Enrich IP Address(es)
- Tufin - Enrich Source & Destination IP Information
- Tufin - Get Application Information from SecureApp
- Tufin - Get Network Device Info by IP Address
- Tufin - Investigate Network Alert
- Un-quarantine Device in Cisco ISE - PANW IoT 3rd Party Integration
- Uncommon creation or access operation of sensitive shadow copy by a high-risk process
- Uncommon execution of ODBCConf
- Uncommon remote scheduled task created
- Uncover Unknown Malware Using SSDeep
- Unisolate Endpoint - Cybereason
- Unisolate Endpoint - Generic
- UnitTestTopLevel
- Unprivileged process opened a registry hive
- Unsigned and unpopular process performed an injection
- Unusual process accessed web browser credentials and executed by a terminal process
- Unzip File
- Update enforcement mode - Illumio
- Update Incident Status And Fetch Attachments - Securonix
- Update Or Remove Assets - RiskIQ Digital Footprint
- Upload Vulnerability Report to Automox
- Uptycs - Bad IP Incident
- Uptycs - Outbound Connection to Threat IOC Incident
- URL Enrichment - Generic
- URL Enrichment - Generic v2
- URL Enrichment - RST Threat Feed
- URL Reputation - ReversingLabs TitaniumCloud
- US - Breach Notification
- User added to local administrator group using a PowerShell command
- User Investigation - Generic
- USTA Account Takeover Prevention Employee Credential Incident
- Veeam - Resolve Triggered Alarms
- Veeam - Start Configuration Backup
- Veeam - Start Instant VM Recovery Automatically
- Veeam - Start Instant VM Recovery Manually
- Vulnerability Handling - Nexpose
- Vulnerability Handling - Qualys
- Vulnerability Handling - Qualys - Add custom fields to default layout
- Vulnerability Management - Nexpose (Job)
- Vulnerability Management - Qualys (Job)
- Vulnerability Management - Qualys (Job) - V2
- Vulnerability Scan - RiskIQ Digital Footprint - Tenable.io
- Wait Until Datetime
- WhisperGate and HermeticWiper & CVE-2021-32648
- WhisperGate and HermeticWiper & CVE-2021-32648
- WildFire - Detonate file
- WildFire - Detonate file v2
- Wildfire Detonate and Analyze File
- WildFire Malware
- XCloud Alert Enrichment
- XCloud Cryptojacking
- XCloud Cryptojacking - Set Verdict
- XDR Best Practice Assessment
- xMatters - Example Conditional Actions
- xMatters - Wait for Response
- Xpanse - Alert Enrichment
- Xpanse - Alert Handler
- Xpanse - Alert Self-Enrichment
- Xpanse - NMap - Detect Service
- Xpanse Incident Handling - Generic
- xsoar-data-collection-response-tracking
- xsoarwebserver-email-acknowledgement
- xsoarwebserver-email-data-collection
- YARA - File Scan
- Zendesk - Ticket Management
- Zimperium Incident Enrichment
- ZTAP Alert
- Scripts
- A1000FinalClassification
- AbuseIPDBPopulateIndicators
- ActiveUsersD2
- AddDBotScoreToContext
- AddDomainRiskScoreToContext
- AddEvidence
- AddKeyToList
- AddUserToIncidentTeam
- ADGetUser
- AdoptionMetrics
- AfterRelativeDate
- AlgosecCreateTicket
- AlgosecGetApplications
- AlgosecGetNetworkObject
- AlgosecGetTicket
- AlgosecQuery
- AnalyzeMemImage
- AnalyzeOSX
- AnalyzeTimestampIntervals
- AnyLlmAddResultsConvo
- AnyLlmClearConvo
- AnyLlmClearResults
- AnyLlmDocuments
- AnyLlmDocumentsUpdate
- AnyLlmQuestion
- AnyLlmSaveConvo
- AnyLlmSearchDocument
- AnyLlmSearchXsoarContext
- AnyLlmSearchXsoarEntries
- AnyLlmSearchXsoarIncident
- AnyLlmSearchXsoarIndicators
- AnyLlmUploadDocument
- AnyLlmUploadFileEntry
- AnyLlmUploadResults
- AnyLlmUploadText
- AnyLlmUploadWebLink
- AnyLlmWorkspaceEmbeddings
- AnyLlmWorkspaceEmbeddingsUpdate
- AnyLlmWorkspaces
- AnyLlmWorkspaceUpdate
- AnyMatch
- AppendIfNotEmpty
- AppendindicatorFieldWrapper
- AquatoneDiscover
- AquatoneDiscoverV2
- ArcannaFeedbackPostProcessing
- ArcherCreateIncidentExample
- AreValuesEqual
- ArrayToCSV
- AssignAnalystToIncident
- AssignAnalystToIncidentOOO
- AssignToMeButton
- AssignToNextShift
- AssignToNextShiftOOO
- AssociateIndicatorsToIncident
- ATDDetonate
- AWSAccountHierarchy
- AwsCreateImage
- AwsCreateVolumeSnapshot
- AwsEC2GetPublicSGRules
- AwsEC2SyncAccounts
- AwsGetInstanceInfo
- AWSPackageUpgrade
- AWSRecreateSG
- AwsRunInstance
- AwsStartInstance
- AwsStopInstance
- AzureFindAvailableNSGPriorities
- Base64Decode
- Base64Encode
- Base64EncodeV2
- Base64ListToFile
- BaseScript
- BatchData
- BetweenDates
- BetweenHours
- BinarySearchPy
- BlockIP
- BMCHelixRemedyforceCreateIncident
- BMCHelixRemedyforceCreateServiceRequest
- BMCTool
- BrandImpersonationDetection
- BreachConfirmationHTML
- BuildEWSQuery
- BuildSlackBlocksFromIndex
- CalculateEntropy
- CalculateGeoDistance
- CalculateTimeDifference
- CalculateTimeSpan
- CaseMgmtAnalystTools
- CaseMgmtDisplayLabels
- CaseMgmtIncidentTypesByRole
- CaseMgmtIncidentTypesDisplay
- CaseMgmtResponseProcess
- CBAlerts
- CBEvents
- CBFindIP
- CBLiveFetchFiles
- CBLiveGetFile_V2
- CBLiveProcessList
- CBPApproveHash
- CBPBanHash
- CBPCatalogFindHash
- CBPFindComputer
- CBPFindRule
- CBSensors
- CBSessions
- CBWatchlists
- CEFParser
- CertificateExtract
- CertificateReputation
- CertificatesTroubleshoot
- ChangeContext
- ChangeRemediationSLAOnSevChange
- CheckContextValue
- CheckDockerImageAvailable
- CheckEmailAuthenticity
- CheckFieldValue
- CheckIfSubdomain
- CheckIndicatorValue
- CheckLastEnrichment
- CheckPanosVersionAffected
- CheckPivotableDomains
- CheckPointDownloadBackup
- CheckpointFWBackupStatus
- CheckpointFWCreateBackup
- CheckSender
- CheckSenderDomainDistance
- CheckTags
- checkValue
- CherwellCreateIncident
- CherwellGetIncident
- CherwellIncidentOwnTask
- CherwellIncidentUnlinkTask
- CherwellQueryIncidents
- CherwellUpdateIncident
- ChronicleAssetEventsForHostnameWidgetScript
- ChronicleAssetEventsForIPWidgetScript
- ChronicleAssetEventsForMACWidgetScript
- ChronicleAssetEventsForProductIDWidgetScript
- ChronicleAssetIdentifierScript
- ChronicleDBotScoreWidgetScript
- ChronicleDomainIntelligenceSourcesWidgetScript
- ChronicleIsolatedHostnameWidgetScript
- ChronicleIsolatedIPWidgetScript
- ChronicleListDeviceEventsByEventTypeWidgetScript
- ChroniclePotentiallyBlockedIPWidgetScript
- CIDRBiggerThanPrefix
- ClassifierNotifyAdmin
- clear-user-session
- CloseInvestigationAsDuplicate
- CloseLinkedIncidentsPostProcessing
- CloseSekoiaAlert
- CloseTaskSetContext
- Code42FileEventsToMarkdownTable
- CofenseTriageReportDownload
- CofenseTriageThreatEnrichment
- CollectCampaignRecipients
- CollectPacksData
- CommandLineAnalysis
- commentsToContext
- CommitFiles
- CommonD2
- CommonServerUserPowerShell
- CommonServerUserPython
- CommonUserServer
- CompareIncidentsLabels
- CompareIndicators
- CompareList
- CompareLists
- CompleteTaskOnTimerBreach
- ConcatFormat
- ConferIncidentDetails
- ConferSetSeverity
- ConfigureAzureApplicationAccessPolicy
- ConflueraDetectionsCount
- ConflueraDetectionsData
- ConflueraDetectionsDataWarroom
- ConflueraDetectionsSummary
- ConflueraDetectionsSummaryWarroom
- ConflueraProgressionsCount
- ConflueraProgressionsData
- ConflueraProgressionsDataWarroom
- ContainsCreditCardInfo
- ContentPackInstaller
- ContextContains
- ContextFilter
- ContextGetEmails
- ContextGetHashes
- ContextGetIps
- ContextGetMACAddresses
- ContextGetPathForString
- ContextSearchForString
- ConvertAllExcept
- ConvertCountryCodeCountryName
- ConvertDatetoUTC
- ConvertDictOfListToListOfDict
- ConvertDomainToURLs
- ConvertEnrichmentsToTable
- ConvertFile
- ConvertKeysToTableFieldFormat
- ConvertRequestParametersToTable
- ConvertResourceAttributesToTable
- ConvertResponseElementsToTable
- ConvertTableToHTML
- ConvertTimezoneFromUTC
- ConvertToSingleElementArray
- ConvertUserIdentityToTable
- ConvertXmlFileToJson
- ConvertXmlToJson
- CopyContextToField
- CopyFileD2
- CopyLinkedAnalystNotes
- CopyNotesToIncident
- CoreXQLApiModule
- CortexXDRAdditionalAlertInformationWidget
- CortexXDRCloudProviderWidget
- CortexXDRIdentityInformationWidget
- CortexXDRInvestigationVerdict
- CortexXDRRemediationActionsWidget
- CountArraySize
- CreateArray
- CreateArrayWithDuplicates
- CreateCertificate
- CreateChannelWrapper
- CreateEDLInstance
- CreateEmailHtmlBody
- CreateFileFromPathObject
- CreateHash
- CreateHashIndicatorWrapper
- CreateIndicatorRelationship
- CreateIndicatorsFromSTIX
- CreateNewIndicatorsOnly
- CreatePlbkDoc
- CreatePrismaCloudComputeComplianceReportButton
- CreatePrismaCloudComputeLink
- CreatePrismaCloudComputeResourceComplianceReportButton
- CreateSigmaRuleIndicator
- CreateYARARuleIndicators
- CrowdStrikeApiModule
- CrowdStrikeStreamingPreProcessing
- CrowdStrikeUrlParse
- CryptoCurrenciesFormat
- CSVFeedApiModule
- CuckooDetonateFile
- CuckooDetonateURL
- CuckooDisplayReport
- CuckooGetReport
- CuckooGetScreenshot
- CuckooTaskStatus
- CustomContentBundleWizardry
- CustomPackInstaller
- Cut
- cveReputation
- cveReputationV2
- cvss_color
- CVSSCalculator
- CybereasonPreProcessingExample
- CybersixgillActionableAlertStatusUpdate
- CyCognitoGetEndpoints
- CYFileRep
- Cyren-Find-Similar-Incidents
- Cyren-Show-Threat-Indicators
- CyrenCountryLookup
- CyrenThreatInDepthRandomHunt
- CyrenThreatInDepthRelatedWidget
- CyrenThreatInDepthRelatedWidgetQuick
- CyrenThreatInDepthRenderRelated
- D2ActiveUsers
- D2Autoruns
- D2Drop
- D2Exec
- D2ExecuteCommand
- D2GetFile
- D2GetSystemLog
- D2Hardware
- D2O365ComplianceSearch
- D2O365SearchAndDelete
- D2PEDump
- D2Processes
- D2RegQuery
- D2Rekall
- D2Services
- D2Users
- D2Winpmem
- DamSensorDown
- DataDomainReputation
- DataminrPulseDisplayRelatedAlerts
- DataminrPulseTransformExtractedIndicatorsToList
- DateStringToISOFormat
- DateTimeNowToEpoch
- DateTimeToADTime
- DateTimeToLDAPTime
- DateToTimeStamp
- DBotAverageScore
- DBotBuildPhishingClassifier
- DBotClosedIncidentsPercentage
- DBotFindSimilarIncidents
- DBotFindSimilarIncidentsByIndicators
- DBotGroupXDRIncidents
- DBotPredictIncidentsBatch
- DBotPredictOutOfTheBoxV2
- DBotPredictPhishingEvaluation
- DBotPredictPhishingWords
- DBotPredictTextLabel
- DBotPredictURLPhishing
- DBotPreparePhishingData
- DBotPreProcessTextData
- DBotShowClusteringModelInfo
- DBotTrainClustering
- DBotTrainTextClassifier
- DBotTrainTextClassifierV2
- DBotUpdateLogoURLPhishing
- DecodeMimeHeader
- DedupBy
- DeduplicateValuesbyKey
- Defang
- DefaultIncidentClassifier
- delete_expired_indicator_with_exlusion
- DeleteAndExcludeIndicators
- DeleteContent
- DeleteContext
- DeleteIndicatorRelationships
- DeleteIndicators
- DeleteReportedEmail
- DemistoCreateList
- DemistoGetIncidentTasksByState
- DemistoLeaveAllInvestigations
- DemistoLinkIncidents
- DemistoLogsBundle
- DemistoSendInvite
- DemistoUploadFile
- DemistoUploadFileToIncident
- DemistoUploadFileV2
- DemistoVersion
- Dig
- DisableUserWrapper
- displayCloudIndicators
- DisplayCVEChartScript
- DisplayEmailHtml
- DisplayEmailHtmlThread
- DisplayHTML
- DisplayHTMLWithImages
- DisplayIndicatorReputationContent
- displaySiteCategory
- DisplayTaggedWarroomEntries
- displayUtilitiesResults
- DlpAskFeedback
- DockerHardeningCheck
- DomainExtractAndEnrich
- DomainExtractAndInvestigate
- DomainReputation
- DomainToolsIrisDetectStatusUpdate
- DownloadAndArchivePythonLibrary
- DrawRelatedIncidentsCanvas
- DSPMCheckAndSetErrorEntries
- DSPMCreateRiskSlackBlocks
- DSPMCreateSimpleSlackMessageBlock
- DSPMExtractRiskDetails
- DSPMExtractUserResponseFromSlackBlockState
- DSPMGetContianers
- DSPMIncidentList
- DSPMRerunIncidents
- DsSearchQueryArray
- DT
- DumpJSON
- EditServerConfig
- EmailAskUser
- EmailAskUserResponse
- EmailDomainBlacklist
- EmailDomainSquattingReputation
- EmailDomainWhitelist
- emailFieldTriggered
- EmailReputation
- EmailSLABreach
- EncodeToAscii
- enrich_exclude_button
- EntryWidgetCoAHandled
- EntryWidgetCoATechniquesList
- EntryWidgetNumberHostsXDR
- EntryWidgetNumberRegionsXCLOUD
- EntryWidgetNumberResourcesXCLOUD
- EntryWidgetNumberUsersXDR
- EntryWidgetPieAlertsXDR
- EntryWidgetPortBasedRules
- EntryWidgetRegionNameXCLOUD
- EntryWidgetResourceTypeXCLOUD
- EntryWidgetUnusedApplications
- EntryWidgetUnusedRules
- EnumerateRoles
- EPOFindSystem
- EsmExample
- Etl2Pcap
- EvaluateMLModllAtProduction
- EWSApiModule
- ExampleJSScript
- ExchangeAssignRole
- ExchangeDeleteMail
- ExchangeSearchMailbox
- ExifRead
- Exists
- ExpanseAggregateAttributionCI
- ExpanseAggregateAttributionDevice
- ExpanseAggregateAttributionIP
- ExpanseAggregateAttributionUser
- ExpanseEnrichAttribution
- ExpanseEvidenceDynamicSection
- ExpanseGenerateIssueMapWidgetScript
- ExpansePrintSuggestions
- ExpanseRefreshIssueAssets
- ExportAuditLogsToFile
- ExportContextToJSONFile
- ExportIncidentsToCSV
- ExportIndicatorsToCSV
- ExportMLModel
- ExportToCSV
- ExportToXLSX
- ExposeIncidentOwner
- ExtendQueryBasedOnPhishingLabels
- ExtFilter
- ExtractAttackPattern
- ExtractDomainAndFQDNFromUrlAndEmail
- ExtractDomainFromIOCDomainMatchRes
- ExtractDomainFromUrlAndEmail
- ExtractEmailTransformer
- ExtractEmailV2
- ExtractFQDNFromUrlAndEmail
- ExtractHTMLTables
- ExtractHyperlinksFromOfficeFiles
- ExtractInbetween
- ExtractIndicators-CloudLogging
- ExtractIndicatorsFromTextFile
- ExtractIndicatorsFromWordFile
- ExtraHopTrackIncidents
- FailedInstances
- FeedCyCognitoGetAssetEndpoint
- FeedIntegrationErrorWidget
- FeedRelatedIndicatorsWidget
- FetchFileD2
- FetchIndicatorsFromFile
- FileCreateAndUpload
- FileCreateAndUploadV2
- FileReputation
- FileToBase64List
- FilterByList
- FindDuplicateEmailIncidents
- FindEmailCampaign
- findIncidentsWithIndicator
- FindSimilarIncidents
- FindSimilarIncidentsByText
- FireEyeApiModule
- FireEyeDetonateFile
- FirstArrayElement
- ForescoutEyeInspectButtonGetPCAP
- ForescoutEyeInspectButtonGetVulnerabilityInfo
- ForescoutEyeInspectButtonHostChangeLog
- FormatACTIURL
- FormatContentData
- FormattedDateToEpoch
- FormatTemplate
- FormatURL
- API Module: URL Formatting
- ForwardAuditLogsToSplunkHEC
- FPDeleteRule
- FPSetRule
- GatewatcherAlertEngine
- GCPOffendingFirewallRule
- GCPProjectHierarchy
- generate_profile_id
- generate_timezonesidkey
- GenerateAsBuilt
- GenerateAsBuiltConfiguration
- GenerateASMReport
- GenerateCSR
- GenerateInvestigationSummaryReport
- GeneratePANWIoTDeviceTableQueryForServiceNow
- GeneratePassword
- GenerateRandomJSON
- GenerateRandomString
- GenerateRandomUUID
- GenerateSummaryReportButton
- GenerateSummaryReports
- GenericPollingScheduledTask
- get-endpoint-data
- get-user-data
- GetAskLinks
- getAutomationsCount
- GetAwayUsers
- GetBrandDeleteReportedEmail
- GetByIncidentId
- GetCampaignDuration
- GetCampaignIncidentsIdsAsOptions
- GetCampaignIncidentsInfo
- GetCampaignIndicatorsByIncidentId
- GetCampaignLowerSimilarityIncidentsIdsAsOptions
- GetCampaignLowSimilarityIncidentsInfo
- GetCiscoISEActiveInstance
- getContentPackStatus
- getCustomAutomations
- getCustomPlaybooks
- GetDataCollectionLink
- getDeprecatedAutomations
- getDeprecatedIntegrations
- getDeprecatedPlaybooks
- getDetachedAutomations
- getDetachedPlaybooks
- getDiskSpaceStatus
- getDockerContainersCount
- GetDockerImageLatestTag
- GetDomainDNSDetails
- GetEnabledInstances
- GetEntries
- GetErrorsFromEntry
- GetEWSFolder
- GetFailedTasks
- GetFields
- GetFieldsByIncidentType
- GetFilePathPreProcessing
- GetFolderName
- GetHostName
- GetIdsFromCustomContent
- GetIncidentsApiModule
- GetIncidentsByQuery
- GetIncidentTasks
- GetIncidentTasksByState
- GetIndexOfArrayValue
- GetIndicatorCustomFieldsByQuery
- GetIndicatorDBotScore
- GetIndicatorDBotScoreFromCache
- GetIndicatorDBotScoreFromContext
- GetIndicatorsByQuery
- GetInstanceName
- GetInstances
- getInvHealthStatus
- GetLicenseID
- GetListDatawithKeyword
- GetListRow
- GetMessageIdAndRecipients
- getMlFeatures
- GetMLModelEvaluation
- GetNumberOfUsersOnCall
- GetOnCallHoursPerUser
- getPlaybooksCount
- getPlaybooksHealthStatus
- GetPrBranches
- GetProjectOwners
- GetRange
- GetRestoredVmName
- GetRolesPerShift
- GetSendEmailInstances
- GetServerInfo
- GetServerURL
- GetShiftsPerUser
- GetSlackBlockBuilderResponse
- GetStringsDistance
- getSystemHealthStatus
- GetTasksWithSections
- GetTime
- GetUsersOnCall
- GetUsersOOO
- GetValuesOfMultipleFields
- getWorkersCount
- GIBIncidentUpdate
- GIBIncidentUpdateIncludingClosed
- GLPIIncidentStatus
- GoogleappsRevokeUserRole
- GoogleAuthURL
- GRAAnalyticalFeatureDisplay
- GRAAnomaliesDisplay
- GRAUpdateCaseStatus
- GreaterCidrNumAddresses
- GridFieldSetup
- GrrGetFiles
- GrrGetFlows
- GrrGetHunt
- GrrGetHunts
- GrrSetFlows
- GrrSetHunts
- GSuiteApiModule
- GZipFile
- HashIncidentsFields
- HealthCheckAPIvalidation
- HealthCheckCommonIndicators
- HealthCheckContainersStatus
- HealthCheckCPU
- HealthCheckDiskUsage
- HealthCheckDiskUsageLine
- HealthCheckFields
- HealthCheckIncidentsCreatedDaily
- HealthCheckIncidentsCreatedMonthly
- HealthCheckIncidentsCreatedWeekly
- HealthCheckIncidentTypes
- HealthCheckInstalledPacks
- HealthCheckIntegrations
- HealthCheckMemory
- HealthCheckNumberOfDroppedIncidents
- HealthCheckPlaybookAnalysis
- HealthCheckServerConfiguration
- HealthCheckSystemDiagnostics
- HealthCheckWorkers
- HelloWorldScript
- Hey
- hideFieldsOnNewIncident
- HighlightWords
- HtmlDifflabDynamic
- HtmlDifflibCheck
- HtmlPhishingCheck
- http
- HTTPFeedApiModule
- HTTPListRedirects
- HttpV2
- IAMApiModule
- IAMInitOktaUser
- IbmAddNote
- IbmAddTask
- IbmConvertArtifactsToTable
- IbmConvertAttachmentsToTable
- IbmConvertCommentsToTable
- IbmConvertTasksToTable
- IbmUpdateNote
- IbmUpdateTask
- IbmUploadAttachment
- IdentifyAttachedEmail
- If-Elif
- If-Then-Else
- IgnoreFieldsFromJson
- imagecompare
- ImportMLModel
- ImpSfListEndpoints
- ImpSfRevokeUnaccessedDevices
- ImpSfScheduleTask
- ImpSfSetEndpointStatus
- IncapGetAppInfo
- IncapGetDomainApproverEmail
- IncapListSites
- IncapScheduleTask
- IncapWhitelistCompliance
- IncidentAddSystem
- IncidentFields
- IncidentsCheck-NumberofIncidentsNoOwner
- IncidentsCheck-NumberofIncidentsWithErrors
- IncidentsCheck-NumberofTotalEntriesErrors
- IncidentsCheck-PlaybooksFailingCommands
- IncidentsCheck-PlaybooksHealthNames
- IncidentsCheck-Widget-CommandsNames
- IncidentsCheck-Widget-CreationDate
- IncidentsCheck-Widget-IncidentsErrorsInfo
- IncidentsCheck-Widget-NumberFailingIncidents
- IncidentsCheck-Widget-NumberofErrors
- IncidentsCheck-Widget-PlaybookNames
- IncidentsCheck-Widget-UnassignedFailingIncidents
- IncidentState
- IncOwnerToBonuslyUser
- IncreaseIncidentSeverity
- IndicatorMaliciousRatioCalculation
- Indicators-type
- InferWhetherServiceIsDev
- InRange
- InstancesCheck-FailedCategories
- InstancesCheck-NumberofEnabledInstances
- InstancesCheck-NumberofFailedInstances
- IntegrationsCheck-Widget-IntegrationsCategory
- IntegrationsCheck-Widget-IntegrationsErrorsInfo
- IntegrationsCheck-Widget-NumberChecked
- IntegrationsCheck-Widget-NumberFailingInstances
- IntezerRunScanner
- IntezerScanHost
- InvertEveryTwoItems
- InvestigationDetailedSummaryParse
- InvestigationDetailedSummaryToTable
- InvestigationSummaryParse
- InvestigationSummaryToTable
- iot-security-alert-post-processing
- iot-security-check-servicenow
- iot-security-get-raci
- iot-security-vuln-post-processing
- IPCalcCheckSubnetCollision
- IPCalcReturnAddressBinary
- IPCalcReturnAddressIANAAllocation
- IPCalcReturnSubnetAddresses
- IPCalcReturnSubnetBroadcastAddress
- IPCalcReturnSubnetNetwork
- IPNetwork
- IPReputation
- IPToHost
- IPv4Blacklist
- IPv4Whitelist
- IqHubLog
- IronscalesEmailFieldTrigger
- isArrayItemInList
- IsDemistoRestAPIInstanceAvailable
- IsDomainInternal
- IsEmailAddressInternal
- isError
- IsGreaterThan
- IsIncidentPartOfCampaign
- IsInCidrRanges
- IsIntegrationAvailable
- IsInternalDomainName
- IsInternalHostName
- IsIPInRanges
- IsIPPrivate
- IsListExist
- IsMaliciousIndicatorFound
- IsNotInCidrRanges
- IsolationAssetWrapper
- IsPDFFileEncrypted
- IsRFC1918Address
- IsTrue
- IsUrlPartOfDomain
- IsValueInArray
- IvantiHeatCloseIncidentExample
- IvantiHeatCreateIncidentExample
- IvantiHeatCreateProblemExample
- JiraAddComment
- JiraChangeStatus
- JiraCreateIssue-example
- JiraListStatus
- JIRAPrintIssue
- JiraV3ConvertAttachmentsToTable
- JiraV3ConvertCommentsToTable
- JiraV3ConvertSubtasksToTable
- jmespath
- JobCreator
- JoinIfSingleElementOnly
- JoinListsOfDicts
- jq
- Json2HtmlTable
- JSONFeedApiModule
- JSONFileToCSV
- JSONtoCSV
- JsonToTable
- JsonUnescape
- KeylightCreateIssue
- KillProcessWrapper
- LanguageDetect
- LastArrayElement
- LCMAcknowledgeHost
- LCMDetectedEntities
- LCMDetectedIndicators
- LCMHosts
- LCMIndicatorsForEntity
- LCMPathFinderScanHost
- LCMResolveHost
- LCMSetHostComment
- LessThanPercentage
- LinkIncidentsButton
- LinkIncidentsWithRetry
- LinkToPhishingCampaign
- ListDeviceEvents
- listExecutedCommands
- ListGroupBy
- ListInstalledContentPacks
- ListPlaybookAutomationsCommands
- ListUsedDockerImages
- LoadJSON
- LoadJSONFileToContext
- LookupCSV
- LowerCidrNumAddresses
- MakePair
- MaliciousRatioReputation
- ManageOOOusers
- MapPattern
- MapRaDarkIncidentDetails
- MapRangeValues
- MapValues
- MapValuesTransformer
- MarkAsEvidenceBySearch
- MarkAsEvidenceByTag
- MarkAsNoteBySearch
- MarkAsNoteByTag
- MarkdownToHTML
- MarketplacePackInstaller
- MarkRelatedIncidents
- MatchIPinCIDRIndicators
- MatchRegex
- MatchRegexV2
- MathUtil
- MattermostAskUser
- MaxList
- MergeDictArray
- MicrosoftApiModule
- MicrosoftAzureStorageApiModule
- MicrosoftGraphMailApiModule
- MicrosoftSentinelConvertAlertsToTable
- MicrosoftSentinelConvertCommentsToTable
- MicrosoftSentinelConvertEntitiesToTable
- MicrosoftSentinelConvertRelationsToTable
- MicrosoftSentinelSetOwner
- MicrosoftSentinelSubmitNewComment
- MicrosoftTeamsAsk
- MimecastFindEmail
- MimecastQuery
- MinList
- MITREIndicatorsByOpenIncidents
- MITREIndicatorsByOpenIncidentsV2
- MITRENameByID_Formatter
- ModifyDateTime
- MS365DefenderCountIncidentCategories
- MS365DefenderUserListToTable
- MSEScoreWidget
- MyToDoTasksWidget
- NCSCReportDetails
- NCSCReportDetails_A
- NCSCReportDetails_B
- NCSCReportDetails_C
- NCSCReportDetails_D
- NCSCReportOverview
- NetwitnessQuery
- NetwitnessSAAddEventsToIncident
- NetwitnessSACreateIncident
- NetwitnessSAGetAvailableAssignees
- NexposeCreateIncidentsFromAssets
- NexposeEmailParser
- NexposeEmailParserForVuln
- NexposeVulnExtractor
- NGINXApiModule
- NotInContextVerification
- NumberOfPhishingAttemptPerUser
- OktaApiModule
- Oletools
- OnboardingCleanup
- OnionURLReputation
- OSQueryBasicQuery
- OSQueryLoggedInUsers
- OSQueryOpenSockets
- OSQueryProcesses
- OSQueryUsers
- Osxcollector
- OutOfOfficeListCleanup
- PadZeros
- PagerDutyAlertOnIncident
- PagerDutyAssignOnCallUser
- PanoramaCVECoverage
- PanoramaSecurityPolicyMatchWrapper
- PanwIndicatorCreateQueries
- ParseCSV
- ParseEmailFiles
- ParseEmailFilesV2
- ParseExcel
- ParseHTMLIndicators
- ParseHTMLTables
- ParseJSON
- ParseWordDoc
- ParseYAML
- PcapConvert
- PcapExtractStreams
- PcapFileExtractor
- PcapFileExtractStreams
- PcapHTTPExtractor
- PCAPMiner
- PcapMinerV2
- PCComputeContainerComplianceIssuesButton
- PCComputeHostComplianceIssuesButton
- PCComputeImageComplianceIssuesButton
- PDFUnlocker
- PenfieldAssign
- PerformActionOnCampaignIncidents
- PHash
- Ping
- PopulateCriticalAssets
- PortListenCheck
- PositiveDetectionsVSDetectionEngines
- PrepareArcannaRawJson
- PreprocessEmail
- PreProcessImage
- PrettyPrint
- PrintContext
- PrintErrorEntry
- PrintRaw
- PrintToAlert
- PrintToIncident
- PrintToParentIncident
- PrismaCloudAttribution
- PrismaCloudComputeComplianceTable
- PrismaCloudComputeParseCloudDiscoveryAlert
- PrismaCloudComputeParseComplianceAlert
- PrismaCloudComputeParseVulnerabilityAlert
- PrismaCloudLocalTrustedImagesListUpdate
- PrismaCloudRemoteTrustedImagesListUpdate
- ProductJoin
- ProofpointTAPMostAttackedUsers
- ProofpointTapTopClickers
- ProvidesCommand
- PTEnrich
- PublishEntriesToContext
- PublishThreatIntelReport
- PWEventPcapDownload
- PWObservationPcapDownload
- QRadarCreateAQLQuery
- QRadarFetchedEventsSum
- QRadarMagnitude
- QRadarMirroringEventsStatus
- QRadarPrintAssets
- QRadarPrintEvents
- qrcodereader
- QualysCreateIncidentFromReport
- RandomElementFromList
- RandomPhotoNasa
- RankServiceOwners
- RapidBreachResponse-CompletedTasksCount-Widget
- RapidBreachResponse-EradicationTasksCount-Widget
- RapidBreachResponse-HuntingTasksCount-Widget
- RapidBreachResponse-MitigationTasksCount-Widget
- RapidBreachResponse-RemainingTasksCount-Widget
- RapidBreachResponse-RemediationTasksCount-Widget
- RapidBreachResponse-TotalIndicatorCount-Widget
- RapidBreachResponse-TotalTasksCount-Widget
- RapidBreachResponseParseBlog
- RasterizeImageOriginal
- RasterizeImageSuspicious
- RCSScan
- ReadFile
- ReadNetstatFile
- ReadNetstatFileWrapper
- ReadPDFFileV2
- ReadProcessesFile
- ReadProcessesFileXDR
- ReadProcessFileWrapper
- ReadQRCode
- RecordedFutureDomainRiskList
- RecordedFutureHashRiskList
- RecordedFutureIPRiskList
- RecordedFutureURLRiskList
- RecordedFutureVulnerabilityRiskList
- redactindicator
- RegexExpand
- RegexExtractAll
- RegexReplace
- RegistryParse
- RegPathReputationBasicLists
- RemediationPathRuleEvaluation
- RemoteExec
- RemoveEmpty
- RemoveEmptyEvidence
- RemoveFileWrapper
- RemoveKeyFromList
- RemoveMatches
- ReplaceMatchGroup
- RepopulateFiles
- ResolveGemAlert
- ResolveShortenedURL
- RestartFailedTasks
- RetrievePlaybookDependencies
- RetrievePlaybooksAndIntegrations
- ReverseList
- RiskIQDigitalFootprintAssetDetailsWidgetScript
- RiskIQPassiveTotalComponentsScript
- RiskIQPassiveTotalComponentsWidgetScript
- RiskIQPassiveTotalHostPairChildrenScript
- RiskIQPassiveTotalHostPairParentsScript
- RiskIQPassiveTotalHostPairsChildrenWidgetScript
- RiskIQPassiveTotalHostPairsParentsWidgetScript
- RiskIQPassiveTotalPDNSScript
- RiskIQPassiveTotalPDNSWidgetScript
- RiskIQPassiveTotalSSLForIssuerEmailWidgetScript
- RiskIQPassiveTotalSSLForSubjectEmailWidgetScript
- RiskIQPassiveTotalSSLScript
- RiskIQPassiveTotalSSLWidgetScript
- RiskIQPassiveTotalTrackersScript
- RiskIQPassiveTotalTrackersWidgetScript
- RiskIQPassiveTotalWhoisScript
- RiskIQPassiveTotalWhoisWidgetScript
- RiskSenseGetRansomewareCVEScript
- RSA_DisplayMetasEvents
- RSA_GetRawLog
- RSSWidget
- RSSWidget_LC
- RubrikCDMClusterConnectionState
- RubrikRadarFilesAdded
- RubrikRadarFilesDeleted
- RubrikRadarFilesModified
- RubrikSetIncidentSeverityUsingWorkLoadRiskLevel
- RubrikSonarFileHits
- RubrikSonarOpenAccessFileHits
- RubrikSonarOpenAccessFiles
- RubrikSonarSensitiveHits
- RubrikSonarSetIncidentSeverityUsingUserRiskLevel
- RubrikSonarTotalHits
- RunCPPhishingCampaign
- RunDockerCommand
- RunPollingCommand
- SalesforceAskUser
- SandboxDetonateFile
- SanePdfReports
- SbDownload
- SbQuery
- SbQuota
- SbUpload
- ScheduleCommand
- ScheduleGenericPolling
- SCPPullFiles
- script-JiraChangeTransition
- script-JiraListTransition
- SearchIncidentsSummary
- SearchIncidentsV2
- SearchIndicator
- SearchIndicatorRelationships
- SecuronixCloseHistoricalXSOARIncidents
- SecuronixGetViolations
- SekoiaXDRAddComment
- SekoiaXDRChangeStatus
- SekoiaXDRPrintAssets
- SekoiaXDRPrintCase
- SekoiaXDRPrintComments
- SendAllPANWIoTAssetsToSIEM
- SendAllPANWIoTDevicesToCiscoISE
- SendAllPANWIoTDevicesToServiceNow
- SendCPAction
- SendEmailOnSLABreach
- SendEmailReply
- SendEmailToCampaignRecipients
- SendEmailToManager
- SendMessageToOnlineUsers
- SendPANWIoTDevicesToCiscoISE
- SEPCheckOutdatedEndpoints
- ServerLogs
- ServerLogs_docker
- ServiceNowApiModule
- ServiceNowCreateIncident
- ServiceNowIncidentStatus
- ServiceNowQueryIncident
- ServiceNowTroubleshoot
- ServiceNowUpdateIncident
- Set
- SetAndHandleEmpty
- SetByIncidentId
- SetDateField
- SetGridField
- SetIfEmpty
- SetIndicatorGridField
- SetIndicatorTableData
- SetIRProceduresMarkdown
- SetMultipleValues
- SetPhishingCampaignDetails
- SetRDPOverallScore
- SetRSANetWitnessAlertsMD
- SetSeverityByScore
- SetTagsBySearch
- SetThreatVaultIncidentMarkdownRepresentation
- SetTime
- SetWithTemplate
- ShowCampaignHighestSeverity
- ShowCampaignIncidentsOwners
- ShowCampaignLastIncidentOccurred
- ShowCampaignRecipients
- ShowCampaignSenders
- ShowCampaignSimilarityRange
- ShowCampaignUniqueRecipients
- ShowCampaignUniqueSenders
- ShowCPEmailInfo
- ShowCPScanInfo
- ShowIncidentIndicators
- ShowLocationOnMap
- ShowNumberOfCampaignIncidents
- ShowOnMap
- ShowScheduledEntries
- SiemAPIModule
- sigma-button-convert
- SigmaConverttoQuery
- SimpleDebugger
- SixgillSearchIndicators
- SlackAsk
- SlackAskV2
- SlackBlockBuilder
- Sleep
- SnmpDetection
- SortBy
- SplitCampaignContext
- Splunk_ShortID
- SplunkAddComment
- SplunkCIMFields
- SplunkConvertCommentsToTable
- SplunkEmailParser
- SplunkPySearch
- SplunkShowAsset
- SplunkShowDrilldown
- SplunkShowIdentity
- SSDeepReputation
- SSDeepSimilarity
- SSIMScoreWidget
- SSLVerifierV2
- SSLVerifierV2_GenerateEmailBody
- SSLVerifierV2_ParseOutput
- STA-FetchListContent
- STA-PostProcessing
- StaticAnalyze
- StixCreator
- StixParser
- StopScheduledTask
- StopTimeToAssignOnOwnerChange
- StringContainsArray
- StringifyArray
- StringLength
- StringReplace
- Strings
- StringSifter
- StringSimilarity
- StringToArray
- StripAccentMarksFromString
- StripChars
- SuggestBranchName
- SumList
- SummarizeEmailThreads
- TagIndicatorButton
- TaniumFilterComputersByIndexQueryFileDetails
- TAXII2ApiModule
- TextFromHTML
- ThreatIntelManagementGetIncidentsPerFeed
- ThreatstreamBuildIocImportJson
- ThreeDigitAlphaCountryCodeToCountryName
- ticksToTime
- TimeComponents
- TimersOnOwnerChange
- TimeStampCompare
- TimeStampToDate
- TimeToNextShift
- TopMaliciousRatioIndicators
- ToTable
- TransformIndicatorToCSFalconIOC
- TransformIndicatorToMSDefenderIOC
- TrendmicroAlertStatus
- TrendmicroAntiMalwareEventRetrieve
- TrendMicroClassifier
- TrendMicroGetHostID
- TrendMicroGetPolicyID
- TrendmicroHostAntimalwareScan
- TrendmicroHostRetrieveAll
- TrendmicroSecurityProfileAssignToHost
- TrendmicroSecurityProfileRetrieveAll
- TrendmicroSystemEventRetrieve
- TroubleshootAggregateResults
- TroubleshootCloseAlertsByQuery
- TroubleshootExecuteCommand
- TroubleshootExecutePlaybookByAlertQuery
- TroubleshootGetCommandandArgs
- TroubleshootGetInstanceParameters
- TroubleshootInstanceField
- TroubleshootIsDockerImageExists
- TroubleshootTestInstance
- UnEscapeIPs
- UnEscapeURLs
- UnitTestResults
- UnPackFile
- UnpublishThreatIntelReport
- UnzipFile
- UnzipGZFile
- UpdateSecuronixIncidentStatus
- UploadFile
- URLDecode
- URLEncode
- URLNumberOfAds
- URLReputation
- UrlscanGetHttpTransactions
- URLSSLVerification
- UserEnrichAD
- UtilAnyResults
- ValidateContent
- varonis-alert-post-processing
- VectraDetectAddNotesInLayouts
- VectraDetectCloseDuplicateIncidents
- VectraDetectDisplayDetections
- VectraXDRAddNotesInLayout
- VectraXDRDisplayEntityDetections
- VectraXDRSyncEntityAssignment
- VectraXDRSyncEntityDetections
- VerdictResult
- VerifyCIDR
- VerifyEnoughIncidents
- VerifyHumanReadableContains
- VerifyIntegrationHealth
- VerifyIPv4Indicator
- VerifyIPv6Indicator
- VerifyJSON
- VerifyObjectFieldsList
- VersionEqualTo
- VersionGreaterThan
- VersionLessThan
- VolApihooks
- Volatility
- VolConnscan
- VolDlllist
- VolGetProcWithMalNetConn
- VolImageinfo
- VolJson
- VolLDRModules
- VolMalfind
- VolMalfindDumpAgent
- VolNetworkConnections
- VolPSList
- VolRaw
- VolRunCmds
- WaitAndCompleteTask
- WaitForKey
- WebScraper
- WhereFieldEquals
- XBInfo
- XBLockouts
- XBNotable
- XBTimeline
- XBTriggeredRules
- XBUser
- XCloudAdditionalAlertInformationWidget
- XCloudIdentitiesWidget
- XCloudProviderWidget
- XCloudRegionsPieWidget
- XCloudRelatedAlertsWidget
- XCloudResourcesPieWidget
- XDRConnectedEndpoints
- XDRDisconnectedEndpoints
- XMetrics
- XMetricsTotal
- XMetricsYear
- XQLDSHelper
- xsoar-ws-parse-context
- XSOARAllEDLCheckerAutomation
- XSOARValueMetrics
- YaraScan
- ZipFile
- ZipStrings
- ZoomApiModule
- ZoomAsk
- ZTAPBuildTimeline
- ZTAPExtractFields
- ZTAPParseFields
- ZTAPParseLinks
- ZTAPViewTimeline
- API Reference