Common Playbooks

Details
Content
Dependencies
Version History
Download With Dependencies

Frequently used playbooks pack.

PUBLISHER

Cortex XSOAR

INFO

Certification	Certified	Read more
Supported By	Cortex XSOAR
Created	August 17, 2020
Last Release	September 29, 2022

WORKS WITH THE FOLLOWING INTEGRATIONS:

O365 - EWS - Extension Online Powershell v2

O365 - Security And Compliance - Content Search

O365 - Security And Compliance - Content Search (beta)

Palo Alto Networks Cortex XDR - Investigation and Response

CrowdStrike Falcon Sandbox v2 (Hybrid-Analysis)

VMware Carbon Black EDR (Live Response API)

Proofpoint Protection Server (Deprecated)

Cisco Secure Cloud Analytics (Stealthwatch Cloud)

Cisco Secure Network Analytics (Stealthwatch)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Playbooks

Name	Description
Isolate Endpoint - Generic V2	This playbook isolates a given endpoint using various endpoint product integrations. Make sure to provide valid playbook inputs for the integration you are using.
Threat Hunting - Generic	This playbook enables threat hunting for IOCs in your enterprise. It currently supports the following integrations: - Splunk Qradar Pan-os Cortex data lake Autofocus Microsoft 365 Defender
Block Domain - Generic v2	This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook: Zscaler Symantec Messaging Gateway FireEye EX Trend Micro Apex One Proofpoint Threat Response Cisco Stealthwatch Cloud
File Enrichment - Generic v2	Enrich a file using one or more integrations. Provide threat information
Calculate Severity By Highest DBotScore	Calculates the incident severity level according to the highest DBotScore.
Search Endpoints By Hash - Generic V2	Hunt using available tools
Block Email - Generic	This playbook will block emails at your mail relay integration.
Email Address Enrichment - Generic v2.1	Enrich email addresses. Get information from Active Directory for internal addresses Get the domain-squatting reputation for external addresses
IP Enrichment - Generic v2	Enrich IP addresses using one or more integrations. Resolve IP addresses to hostnames (DNS) Provide threat information Separate internal and external IP addresses For internal IP addresses, get host information
Calculate Severity - Indicators DBotScore	Calculates the incident severity level according to the highest indicator DBotScore.
Get File Sample By Hash - Generic v3	This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks: Get binary file by MD5 hash from Carbon Black telemetry data - VMware Carbon Black EDR v2. Get the threat (file) attached to a specific SHA256 hash - Cylance Protect v2.
Block Account - Generic	This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: Active Directory PAN-OS - This requires PAN-OS 9.1 or higher.
Calculate Severity - 3rd-party integrations	Calculates the incident severity level according to the methodology of a 3rd-party integration.
Send Investigation Summary Reports Job	You should run this playbook as a scheduled job, whicn should run at an interval of once every 15 minutes. This playbook functions by calling the sub-playbook: "Send Investigation Summary Reports", and closes the incident. By default, the playbook will search all incidents closed within the last hour. If you want to run the playbook more frequently, you should adjust the search query of the child playbook: "Send Investigation Summary". Reports.
Get File Sample From Path - Generic V3	This playbook returns a file sample from a specified path and host that you input in the following playbooks: 1) PS Remote Get File Sample From Path. 2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).
Threat Hunting - Generic	This playbook enables threat hunting for IOCs in your enterprise. It currently supports the following integrations: - Splunk - Qradar - Pan-os - Cortex data lake - Autofocus
CVE Enrichment - Generic v2	This playbook performs CVE Enrichment using the following integrations: VulnDB CVE Search IBM X-Force Exchange
Retrieve File from Endpoint - Generic	This playbook retrieves a file sample from an endpoint using the following playbooks: Get File Sample From Path - Generic Get File Sample By Hash - Generic v2
Get File Sample By Hash - Generic v2	This playbook returns a file sample correlating to a hash in the war-room using the following sub-playbooks: Get File Sample By Hash - Carbon Black Enterprise Response Get File Sample By Hash - Cylance Protect v2
Field Polling - Generic	This playbook polls a field to check if a specific value exists.
Retrieve File from Endpoint - Generic V3	'This playbook retrieves a file sample from an endpoint using the following playbooks:' Get File Sample From Path - Generic v2. Get File Sample By Hash - Generic v3.
Block IP - Generic v3	This playbook blocks malicious IP addresses using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user (and set by default to outgoing) Note the following: some of those integrations require specific parameters to run, which are based on the playbook inputs. Also, certain integrations use FW rules or appended network objects. Note that the appended network objects should be specified in blocking rules inside the system later on. Supported integrations for this playbook [Network security products such as FW/WAF/IPs/etc.]: Check Point Firewall Palo Alto Networks PAN-OS Zscaler FortiGate Aria Packet Intelligence Cisco Firepower Cisco Secure Cloud Analytics Cisco ASA Akamai WAF F5 SilverLine ThreatX Signal Sciences WAF Sophos Firewall
Get Email From Email Gateway - Generic	This playbook retrieves a specified EML/MSG file directly from the email security gateway product.
File Enrichment - File reputation	Get file reputation using one or more integrations
Isolate Endpoint - Generic	This playbook isolates a given endpoint using the following integrations: Carbon Black Enterprise Response Palo Alto Networks Traps
Block Domain - Generic	This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook: Zscaler Symantec Messaging Gateway FireEye EX Trend Micro Apex One Proofpoint Threat Response
Entity Enrichment - Generic v3	Enrich entities using one or more integrations.
Block Indicators - Generic v3	This playbook blocks malicious Indicators using all integrations that are enabled, using the following sub-playbooks: Block URL - Generic Block Account - Generic Block IP - Generic v3 Block File - Generic v2 Block Email - Generic Block Domain - Generic
Dedup - Generic v3	This playbook identifies duplicate incidents using one of the supported methods. Select one of the following methods to identify duplicate incidents in Cortex XSOAR. ml: Machine learning model, which is trained mostly on phishing incidents. -rules: Rules help identify duplicate incidents when the logic is well defined, for example, the same label or custom fields. -text: Statistics algorithm that compares text, which is generally useful for phishing incidents. For each method, the playbook will search for the oldest similar incident. when there is a match for a similar incident the playbook will close the current incident and will link it to the older incident.
Wait Until Datetime	Pauses execution until the date and time that was specified in the plabyook input is reached.
Detonate URL - Generic	Detonate URL through active integrations that support URL detonation.
Retrieve File from Endpoint - Generic V2	'This playbook retrieves a file sample from an endpoint using the following playbooks:' Get File Sample From Path - Generic v2. Get File Sample By Hash - Generic v3.
Dedup - Generic v4	This playbook identifies duplicate incidents using the Cortex XSOAR machine learning method (script). In this playbook, you can choose fields and/or indicators to be compared against other incidents in the Cortex XSOAR database. Note: To identify similar incidents you must must properly define the playbook inputs.
Block Email - Generic v2	This playbook will block emails at your mail relay integration. Supported integrations for this playbook: Mimecast FireEye Email Security (EX) Cisco Email Security Symantec Email Security
Calculate Severity - Generic v2	Calculate and assign the incident severity based on the highest returned severity level from the following calculations: DBotScores of indicators Critical assets Email authenticity Current incident severity Microsoft Headers
Context Polling - Generic	This playbook polls a context key to check if a specific value exists.
URL Enrichment - Generic v2	Enrich URLs using one or more integrations. URL enrichment includes: SSL verification for URLs Threat information Providing of URL screenshots
Endpoint Enrichment - Generic v2.1	Enrich an endpoint by hostname using one or more integrations. Supported integrations: Active Directory Query v2 McAfee ePolicy Orchestrator Carbon Black Enterprise Response v2 Cylance Protect v2 CrowdStrike Falcon Host ExtraHop Reveal(x)
Domain Enrichment - Generic v2	Enrich domains using one or more integrations. Domain enrichment includes: Threat information
Detonate File - Generic	Detonate file through active integrations that support file detonation
IP Enrichment - External - Generic v2	Enrich IP addresses using one or more integrations. Resolve IP addresses to hostnames (DNS) Provide threat information Separate internal and external addresses
Get host forensics - Generic	This playbook retrieves forensics from hosts for the following integrations: Illusive Networks Microsoft Defender For Endpoint
Send Investigation Summary Reports	This playbook iterates over closed incidents, generates a summary report for each closed incident, and emails the reports to specified users.
Block Indicators - Generic v2	This playbook blocks malicious Indicators using all integrations that are enabled, using the following sub-playbooks: Block URL - Generic Block Account - Generic Block IP - Generic v2 Block File - Generic v2 Block Email - Generic Block Domain - Generic
Search And Delete Emails - Generic	This playbook searches and delete emails with similar attributes of a malicious email.
Dedup - Generic v2	Deprecated. Use the Dedup Generic v3 playbook instead. This playbook identifies duplicate incidents using one of the supported methods.
Block Account - Generic v2	This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: Active Directory PAN-OS - This requires PAN-OS 9.1 or higher. SailPoint PingOne AWS IAM Clarizen IAM Envoy IAM ExceedLMS IAM Okta
Unisolate Endpoint - Generic	This playbook unisolates endpoints according to the endpoint ID or host name provided in the playbook. It currently supports the following integrations: Carbon Black Response Cortex XDR Crowdstrike Falcon FireEye HX Cybereason Microsoft Defender For Endpoint
Email Headers Check - Generic	This playbook executes one sub-playbook and one automation to check the email headers: Process Microsoft's Anti-Spam Headers - This playbook stores the SCL, BCL and PCL scores if they exist to the relevant incident fields (Phishing SCL Score, Phishing PCL Score, Phishing BCL Score). CheckEmailAuthenticity - This automation checks email authenticity based on its SPF, DMARC, and DKIM.
Block IP - Generic v2	This playbook blocks malicious IPs using all integrations that are enabled. Supported integrations for this playbook: Check Point Firewall Palo Alto Networks Minemeld Palo Alto Networks PAN-OS Zscaler FortiGate
IP Enrichment - Internal - Generic v2	Enrich Internal IP addresses using one or more integrations. Resolve IP address to hostname (DNS) Separate internal and external IP addresses Get host information for IP addresses
Account Enrichment - Generic v2.1	Enrich accounts using one or more integrations. Supported integrations: Active Directory
Calculate Severity - Standard	Calculates and sets the incident severity based on the combination of the current incident severity, and the severity returned from the Evaluate Severity - Set By Highest DBotScore playbook.
Command-Line Analysis	This playbook takes the command line from the alert and performs the following actions: Checks for base64 string and decodes if exists Extracts and enriches indicators from the command line Checks specific arguments for malicious usage At the end of the playbook, it sets a possible verdict for the command line, based on the finding: Indicators found in the command line Found AMSI techniques Found suspicious parameters Usage of malicious tools Indication of network activity
Get endpoint details - Generic	This playbook uses the generic command !endpoint to retrieve details on a specific endpoint. This command currently supports the following integrations: Palo Alto Networks Cortex XDR - Investigation and Response. CrowdStrike Falcon.
Search And Delete Emails - Generic v2	This playbook searches and deletes emails with similar attributes of a malicious email using one of the following integrations: * EWS * Office 365 * Gmail * Agari Phishing Defense
Block URL - Generic	This playbook blocks malicious URLs using all integrations that are enabled. Supported integrations for this playbook: Palo Alto Networks Minemeld Palo Alto Networks PAN-OS Zscaler
Extract Indicators From File - Generic v2	This playbook extracts indicators from a file. Supported file types: CSV PDF TXT HTM, HTML DOC, DOCX PPT PPTX RTF XLS XLSX XML
Get Original Email - Generic	Use this playbook to retrieve the original email in the thread, including headers and attahcments, when the reporting user forwarded the original email not as an attachment. You must have the necessary permissions in your email service to execute global search. EWS: eDiscovery Gmail: Google Apps Domain-Wide Delegation of Authority
Get File Sample From Path - Generic	Returns a file sample to the war-room from a path on an endpoint using one or more integrations inputs: UseD2 - if "True", use Demisto Dissolvable Agent (D2) to return the file (default: False)
Convert file hash to corresponding hashes	The playbook enables you to get all of the corresponding file hashes for a file even if there is only one hash type available. For example, if we have only the SHA256 hash, the playbook will get the SHA1 and MD5 hashes as long as the original searched hash is recognized by any our the threat intelligence integrations.
Block File - Generic v2	This playbook is used to block files from running on endpoints. This playbook supports the following integrations: Palo Alto Networks Traps Palo Alto Networks Cortex XDR Cybereason Carbon Black Enterprise Response Cylance Protect v2
Account Enrichment - Generic v2.1	Enrich accounts using one or more integrations. Supported integrations: Active Directory SailPoint IdentityNow SailPoint IdentityIQ PingOne Okta AWS IAM Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations. For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations.
Get File Sample From Path - Generic V2	This playbook returns a file sample correlating to a path into the War Room using the following sub-playbooks: inputs: 1) Get File Sample From Path - D2. 2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).
Entity Enrichment - Generic v2	Enrich entities using one or more integrations
Calculate Severity - Critical Assets v2	Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation. Critical assets refer to: users, user groups, endpoints and endpoint groups.
Detonate and Analyze File - Generic	This playbook uploads, detonates, and analyzes files for supported sandboxes. Currently supported sandboxes are Falcon X and Wildfire.
Search And Delete Emails - Generic v2	This playbook searches and deletes emails with similar attributes of a malicious email using one of the following integrations: * EWS * Office 365 * Gmail * Agari Phishing Defense
Block URL - Generic v2	This playbook blocks malicious URLs using all integrations that are enabled. Supported integrations for this playbook: Palo Alto Networks PAN-OS Zscaler Sophos Forcepoint Checkpoint Netcraft
GenericPolling	Use this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete. This playbook implements polling by continuously running the command in Step #2 until the operation completes. The remote action should have the following structure: Initiate the operation. Poll to check if the operation completed. (optional) Get the results of the operation.
Search Endpoint by CVE - Generic	Hunt for assets with a given CVE using available tools
DBot Indicator Enrichment - Generic	Get indicators internal Dbot score
Search For Hash In Sandbox - Generic	This playbook searches for a specific hash in the supported sandboxes. If the hash is known, the playbook provides a detailed analysis of the sandbox report. Currently supported sandboxes are Falcon X and Wildfire.

Required Content Packs (6)

Pack Name	Pack By
CommonScripts	By: Cortex XSOAR
FiltersAndTransformers	By: Cortex XSOAR
Base	By: Cortex XSOAR
CommonTypes	By: Cortex XSOAR
rasterize	By: Cortex XSOAR
DemistoRESTAPI	By: Cortex XSOAR

Optional Content Packs (98)

Pack Name	Pack By
EWS	By: Cortex XSOAR
PAN-OS	By: Cortex XSOAR
Cylance_Protect	By: Cortex XSOAR
FireEyeEX	By: Cortex XSOAR
PingIdentity	By: Partner
CiscoEmailSecurity	By: Cortex XSOAR
McAfee-TIE	By: Cortex XSOAR
SplunkPy	By: Cortex XSOAR
Microsoft365Defender	By: Cortex XSOAR
Oracle_IAM	By: Cortex XSOAR
SignalSciences	By: Cortex XSOAR
Kenna	By: Cortex XSOAR
PrismaCloud	By: Cortex XSOAR
PaloAltoNetworks_PAN_OS_EDL_Management	By: Cortex XSOAR
Anomali_ThreatStream	By: Cortex XSOAR
Threat_Crowd	By: Cortex XSOAR
Symantec_Messaging_Gateway	By: Cortex XSOAR
VirusTotal	By: Partner
SailPointIdentityNow	By: Partner
Active_Directory_Query	By: Cortex XSOAR
CiscoStealthwatch	By: Cortex XSOAR
GitHub	By: Cortex XSOAR
FortiGate	By: Cortex XSOAR
CrowdStrikeFalconSandbox	By: Cortex XSOAR
ARIAPacketIntelligence	By: Partner
SalesforceFusion	By: Cortex XSOAR
CarbonBlackProtect	By: Cortex XSOAR
Attlasian	By: Cortex XSOAR
QRadar	By: Cortex XSOAR
Lastline	By: Cortex XSOAR
HatchingTriage	By: Partner
PANWComprehensiveInvestigation	By: Cortex XSOAR
Code42	By: Partner
VMRay	By: Partner
ImageOCR	By: Cortex XSOAR
Carbon_Black_Enterprise_Live_Response	By: Cortex XSOAR
VirusTotal-Private_API	By: Partner
AgariPhishingDefense	By: Partner
SophosXGFirewall	By: Cortex XSOAR
CiscoFirepower	By: Cortex XSOAR
FeedMitreAttackv2	By: Cortex XSOAR
Akamai_WAF	By: Cortex XSOAR
ProofpointThreatResponse	By: Cortex XSOAR
RiskSense	By: Partner
IllusiveNetworks	By: Partner
Okta	By: Cortex XSOAR
AWS-IAM	By: Cortex XSOAR
McAfee_Advanced_Threat_Defense	By: Cortex XSOAR
ThreatX	By: Cortex XSOAR
CrowdStrikeHost	By: Cortex XSOAR
AWS-ILM	By: Cortex XSOAR
fireeye	By: Cortex XSOAR
Forcepoint	By: Cortex XSOAR
Slack	By: Cortex XSOAR
ExceedLMS	By: Cortex XSOAR
F5Silverline	By: Cortex XSOAR
ThreatGrid	By: Cortex XSOAR
SAP_IAM	By: Cortex XSOAR
VulnDB	By: Cortex XSOAR
WindowsForensics	By: Cortex XSOAR
ServiceNow	By: Cortex XSOAR
Cybereason	By: Cortex XSOAR
CrowdStrikeFalcon	By: Cortex XSOAR
CrowdStrikeFalconX	By: Cortex XSOAR
CheckpointFirewall	By: Cortex XSOAR
JoeSecurity	By: Cortex XSOAR
CuckooSandbox	By: Cortex XSOAR
Mimecast	By: Cortex XSOAR
ANYRUN	By: Cortex XSOAR
Stealthwatch_Cloud	By: Cortex XSOAR
TrendMicroApex	By: Cortex XSOAR
epo	By: Cortex XSOAR
CortexXDR	By: Cortex XSOAR
Salesforce	By: Cortex XSOAR
Carbon_Black_Enterprise_Response	By: Cortex XSOAR
FireEyeHX	By: Cortex XSOAR
D2	By: Cortex XSOAR
MicrosoftDefenderAdvancedThreatProtection	By: Cortex XSOAR
SecneurXAnalysis	By: Partner
Clarizen	By: Cortex XSOAR
CiscoASA	By: Cortex XSOAR
Gmail	By: Cortex XSOAR
ProofpointServerProtection	By: Cortex XSOAR
Zscaler	By: Cortex XSOAR
Rapid7_Nexpose	By: Cortex XSOAR
Polygon	By: Partner
SNDBOX	By: Cortex XSOAR
Netcraft	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
XForceExchange	By: Cortex XSOAR
ExtraHop	By: Partner
HybridAnalysis	By: Cortex XSOAR
Palo_Alto_Networks_WildFire	By: Cortex XSOAR
HelloIAMWorld	By: Cortex XSOAR
Envoy	By: Cortex XSOAR
SailPointIdentityIQ	By: Partner
Cisco-umbrella	By: Cortex XSOAR
Zoom	By: Cortex XSOAR

2.3.4 - 3755666 (September 29, 2022)

Playbooks

Search And Delete Emails - Generic v2

Fixed an issue that caused playbook inputs.

Related pull requests:
- 21190
- 21553

Download

2.3.3 - 3695247 (September 20, 2022)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 21262

Download

2.3.2 - 3687475 (September 19, 2022)

Playbooks

Account Enrichment - Generic v2.1

The playbook now retrieves account's manager email address from Active Directory.

Related pull requests:
- 21222

Download

2.3.1 - 3635034 (September 10, 2022)

Playbooks

Detonate File - Generic

Added support for SecneurX Analysis.

Detonate URL - Generic

Added support for SecneurX Analysis.

Related pull requests:
- 21137
- 20219

Download

2.3.0 - 3598686 (September 5, 2022)

Playbooks

Account Enrichment - Generic v2.1

Enrich accounts using one or more integrations.
Supported integrations:

Active Directory
SailPoint IdentityNow
SailPoint IdentityIQ
PingOne
Okta
AWS IAM
Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations. For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations.
(Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 20776

Download

2.2.15 - 3596419 (September 4, 2022)

Playbooks

New: Block Email - Generic v2

Added support for block emails at your mail relay integration.
You can now use these supported integrations for this playbook:
Mimecast
FireEye Email Security (EX)
Cisco Email Security
Symantec Email Security (Available from Cortex XSOAR 6.5.0).

New: Block URL - Generic v2

Added support for blocking malicious URLs using all integrations that are enabled.
You can now use these supported integrations for this playbook:
Palo Alto Networks PAN-OS
Zscaler
Sophos
Forcepoint
Checkpoint
Netcraft (Available from Cortex XSOAR 6.5.0).

New: Block Domain - Generic v2

Added support for blocking malicious Domains using all integrations that are enabled.
You can now use these supported integrations for this playbook:
Zscaler
Symantec Messaging Gateway
FireEye EX
Trend Micro Apex One
Proofpoint Threat Response
Cisco Stealthwatch Cloud (Available from Cortex XSOAR 6.5.0).

New: Block Indicators - Generic v3

Added support for blocking malicious Indicators using all integrations that are enabled, using the following sub-playbooks:
Block IP - Generic v3
Block File - Generic v2
Block Account - Generic v2
Block Email - Generic
Block Domain - Generic
Block URL - Generic v2 (Available from Cortex XSOAR 6.5.0).

New: Block Account - Generic v2

Added support for blocking malicious usernames using all integrations that you have enabled.
You can now use these supported integrations for this playbook:
Active Directory
PAN-OS - This requires PAN-OS 9.1 or higher.
SailPoint
PingOne
AWS IAM
Clarizen IAM
Envoy IAM
ExceedLMS IAM
Okta (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 20406

Download

2.2.14 - 3551782 (August 28, 2022)

Playbooks

Command-Line Analysis

Fixed an issues where the command-line was parsed incorrectly which caused errors in the playbook.

Related pull requests:
- 20509
- 20298

Download

2.2.13 - 3506185 (August 21, 2022)

Playbooks

Block Email - Generic

Added the Mimecast - Block Sender Email subplaybook.

Related pull requests:
- 20406
- 20518
- 20533

Download

2.2.12 - 3427401 (August 9, 2022)

Playbooks

Search And Delete Emails - Generic v2

Fixed an issue where the "Only EWS enabled" condition fails to match.

Extract Indicators From File - Generic v2

Fixed an issue where the playbook failed with .xlsm file extension.

Related pull requests:
- 19977

Download

2.2.10 - 3287093 (July 18, 2022)

Playbooks

Email Headers Check - Generic

Enabled skip if unavailable option on task 'Authenticate email'.

Dedup - Generic v3

Enabled skip if unavailable option on task 'Identify Phishing duplicates using ML'.

Related pull requests:
- 20044

Download

2.2.9 - 3250424 (July 12, 2022)

Playbooks

File Enrichment - Generic v2

Added support for Virus Total (API v3) file enrichment.

Related pull requests:
- 19970

Download

2.2.8 - 3240754 (July 11, 2022)

Playbooks

Detonate URL - Generic

Added support for additional vendors in the Detonate URL-Generic playbook.

Related pull requests:
- 19779

Download

2.2.7 - 3208294 (July 5, 2022)

Playbooks

Block Account - Generic

Fixed an issue where the playbook was using deprecated Panorama commands.

Related pull requests:
- 19338

Download

2.2.6 - 3202776 (July 4, 2022)

Playbooks

Containment Plan

Fixes to Containment Plan playbook conditions.

Command-Line Analysis

Fixed an issue with the context path letter case from ExtractedIndicators.file to ExtractedIndicators.File.

Related pull requests:
- 19779
- 19866
- 19624

Download

2.2.4 - 3028777 (June 3, 2022)

Playbooks

Detonate and Analyze File - Generic

Updated playbook outputs.

Search For Hash In Sandbox - Generic

Improved task logic for hashes not found.
Updated playbook outputs.

Related pull requests:
- 19336

Download

2.2.3 - 3008452 (May 31, 2022)

Playbooks

Search For Hash In Sandbox - Generic

Added skip if unavailable.
Improved task logic for hashes not found.

Detonate and Analyze File - Generic

Added skip if unavailable.

Related pull requests:
- 19244
- 19305

Download

2.2.2 - 3002096 (May 29, 2022)

Playbooks

New: Search For Hash In Sandbox - Generic

This playbook searches for a specific hash in the supported sandboxes. If the hash is known, the playbook provides a detailed analysis of the sandbox report. Currently supported sandboxes are Falcon X and Wildfire. (Available from Cortex XSOAR 6.5.0).

New: Detonate and Analyze File - Generic

This playbook uploads, detonates, and analyzes files for the supported sandboxes. Currently supported sandboxes are Falcon X and Wildfire (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 19240
- 19244

Download

2.2.1 - 2988482 (May 26, 2022)

Playbooks

Get host forensics - Generic

Added Microsoft Defender For Endpoint - Collect Investigation Package to the playbook flow.

PUBLISHER

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Playbooks

Search And Delete Emails - Generic v2

Playbooks

Account Enrichment - Generic v2.1

Playbooks

Detonate File - Generic

Detonate URL - Generic

Playbooks

Account Enrichment - Generic v2.1

Playbooks

New: Block Email - Generic v2

New: Block URL - Generic v2

New: Block Domain - Generic v2

New: Block Indicators - Generic v3

New: Block Account - Generic v2

Playbooks

Command-Line Analysis

Playbooks

Block Email - Generic

Playbooks

Search And Delete Emails - Generic v2

Extract Indicators From File - Generic v2

Playbooks

Email Headers Check - Generic

Dedup - Generic v3

Playbooks

File Enrichment - Generic v2

Playbooks

Detonate URL - Generic

Playbooks

Block Account - Generic

Playbooks

Containment Plan

Command-Line Analysis

Playbooks

Detonate and Analyze File - Generic

Search For Hash In Sandbox - Generic

Playbooks

Search For Hash In Sandbox - Generic

Detonate and Analyze File - Generic

Playbooks

New: Search For Hash In Sandbox - Generic

New: Detonate and Analyze File - Generic

Playbooks

Get host forensics - Generic

Playbooks

New: Dedup - Generic v4

Playbooks

Unisolate Endpoint - Generic

Isolate Endpoint - Generic V2

Playbooks

Search And Delete Emails - Generic v2

Playbooks

Containment Plan

Endpoint Investigation Plan

File Reputation

Eradication Plan

Enrichment for Verdict

Playbooks

New: Command-Line Analysis

Playbooks

Threat Hunting - Generic

Playbooks

Containment Plan

Playbooks

New: Enrichment for Verdict

New: Handle False Positive Alerts

New: File Reputation

Playbooks

New: Recovery Plan

New: Endpoint Investigation Plan

New: Eradication Plan

New: Containment Plan

Search And Delete Emails - Generic v2

Playbooks