Enrich entities using one or more integrations.

Use this playbook to retrieve the original email in the thread, including headers and attahcments, when the reporting user forwarded the original email not as an attachment.

You must have the necessary permissions in your email service to execute global search.

• EWS: eDiscovery
• Gmail: Google Apps Domain-Wide Delegation of Authority

Enrich accounts using one or more integrations.
Supported integrations:

• Active Directory

This playbook blocks malicious usernames using all integrations that you have enabled.

Supported integrations for this playbook:

• Active Directory
• PAN-OS - This requires PAN-OS 9.1 or higher.

This playbook is used to block files from running on endpoints.
This playbook supports the following integrations:

• Palo Alto Networks Traps
• Palo Alto Networks Cortex XDR
• Cybereason
• Carbon Black Enterprise Response
• Cylance Protect v2

This playbook blocks malicious IPs using all integrations that are enabled.

Supported integrations for this playbook:

• Check Point Firewall
• Palo Alto Networks Minemeld
• Palo Alto Networks PAN-OS
• Zscaler
• FortiGate

This playbook blocks malicious Indicators using all integrations that are enabled, using the following sub-playbooks:

• Block URL - Generic
• Block Account - Generic
• Block IP - Generic v2
• Block File - Generic v2

This playbook blocks malicious URLs using all integrations that are enabled.

Supported integrations for this playbook:

• Palo Alto Networks Minemeld
• Palo Alto Networks PAN-OS
• Zscaler

This playbook performs CVE Enrichment using the following integrations:

• VulnDB
• CVE Search
• IBM X-Force Exchange

Calculates the incident severity level according to the methodology of a 3rd-party integration.

Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation.
Critical assets refer to: users, user groups, endpoints and endpoint groups.

Calculate and assign the incident severity based on the highest returned severity level from the following calculations:

• DBotScores of indicators
• Critical assets
• Email authenticity
• Current incident severity

Calculates the incident severity level according to the highest indicator DBotScore.

Calculates and sets the incident severity based on the combination of the current incident severity, and the severity returned from the Evaluate Severity - Set By Highest DBotScore playbook.

Calculates the incident severity level according to the highest indicator DBotScore.

This playbook polls a context key to check if a specific value exists.

The playbook enables you to get all of the corresponding file hashes for a file even if there is only one hash type available.
For example, if we have only the SHA256 hash, the playbook will get the SHA1 and MD5 hashes as long as the
original searched hash is recognized by any our the threat intelligence integrations.

Get indicators internal Dbot score

Deprecated. Use the Dedup Generic v3 playbook instead. This playbook identifies duplicate incidents using one of the supported methods.

This playbook identifies duplicate incidents using one of the supported methods.
Select one of the following methods to identify duplicate incidents in Cortex XSOAR.

• ml: Machine learning model, which is trained mostly on phishing incidents.
  -rules: Rules help identify duplicate incidents when the logic is well defined, for example, the same label or custom fields.
  -text: Statistics algorithm that compares text, which is generally useful for phishing incidents.
  For each method, the playbook will search for the oldest similar incident. when there is a match for a similar incident the playbook will close the current incident and will link it to the older incident.

Detonate file through active integrations that support file detonation

Detonate URL through active integrations that support URL detonation

Enrich domains using one or more integrations.
Domain enrichment includes:

• Threat information

Enrich email addresses.

• Get information from Active Directory for internal addresses
• Get the domain-squatting reputation for external addresses

Enrich an endpoint by hostname using one or more integrations.
Supported integrations:

• Active Directory Query v2
• McAfee ePolicy Orchestrator
• Carbon Black Enterprise Response v2
• Cylance Protect v2
• CrowdStrike Falcon Host
• ExtraHop Reveal(x)

Enrich entities using one or more integrations

Extracts indicators from a file.
Supported file types:

• CSV
• PDF
• TXT
• HTM, HTML
• DOC, DOCX
• PPT
• PPTX
• RTF
• XLS
• XLSX
• XML

This playbook polls a field to check if a specific value exists.

Get file reputation using one or more integrations

Enrich a file using one or more integrations.

• Provide threat information

Use this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete.
This playbook implements polling by continuously running the command in Step #2 until the operation completes.
The remote action should have the following structure:

1. Initiate the operation.
2. Poll to check if the operation completed.
3. (optional) Get the results of the operation.

This playbook returns a file sample correlating to a hash in the war-room using the following sub-playbooks:

• Get File Sample By Hash - Carbon Black Enterprise Response
• Get File Sample By Hash - Cylance Protect v2

This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks:

• Get binary file by MD5 hash from Carbon Black telemetry data - VMware Carbon Black EDR v2.
• Get the threat (file) attached to a specific SHA256 hash - Cylance Protect v2.

Returns a file sample to the war-room from a path on an endpoint using one or more integrations

inputs:

• UseD2 - if "True", use Demisto Dissolvable Agent (D2) to return the file (default: False)

This playbook returns a file sample correlating to a path into the War Room using the following sub-playbooks:
inputs:
1) Get File Sample From Path - D2.
2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).

Enrich IP addresses using one or more integrations.

• Resolve IP addresses to hostnames (DNS)
• Provide threat information
• Separate internal and external addresses

Enrich IP addresses using one or more integrations.

• Resolve IP addresses to hostnames (DNS)
• Provide threat information
• Separate internal and external IP addresses
• For internal IP addresses, get host information

Enrich Internal IP addresses using one or more integrations.

• Resolve IP address to hostname (DNS)
• Separate internal and external IP addresses
• Get host information for IP addresses

This playbook isolates a given endpoint using the following integrations:

• Carbon Black Enterprise Response
• Palo Alto Networks Traps

This playbook retrieves a file sample from an endpoint using the following playbooks:

• Get File Sample From Path - Generic
• Get File Sample By Hash - Generic v2

'This playbook retrieves a file sample from an endpoint using the following playbooks:'

• Get File Sample From Path - Generic v2.
• Get File Sample By Hash - Generic v3.

This playbook searches and delete emails with similar attributes of a malicious email.

Hunt for assets with a given CVE using available tools

Hunt using available tools

This playbook iterates over closed incidents, generates a summary report for each closed incident, and emails the reports to specified users.

You should run this playbook as a scheduled job, whicn should run at an interval of once every 15 minutes. This playbook functions by calling the sub-playbook: "Send Investigation Summary Reports", and closes the incident. By default, the playbook will search all incidents closed within the last hour. If you want to run the playbook more frequently, you should adjust the search query of the child playbook: "Send Investigation Summary". Reports.

Enrich URLs using one or more integrations.

URL enrichment includes:

• SSL verification for URLs
• Threat information
• Providing of URL screenshots

This playbook unisolates endpoints according to the endpoint ID or hostname that is provided in the playbook.
Currently supports the following integrations:

• Carbon Black Response
• Cortex XDR
• Crowdstrike Falcon
• FireEye HX
• Cybereason

Pauses execution until the date and time that was specified in the plabyook input is reached.