Enrich a file using one or more integrations.
- Provide threat information
Common Playbooks
- Details
- Content
- Dependencies
- Version History
- Download With Dependencies
Frequently used playbooks pack.
PUBLISHER
Cortex XSOAR
INFO
| Certification | Certified | Read more |
| Supported By | Cortex XSOAR | |
| Created | August 17, 2020 | |
| Last Release | May 22, 2022 |
WORKS WITH THE FOLLOWING INTEGRATIONS:
DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.Playbooks
| Name | Description |
|---|---|
| File Enrichment - Generic v2 | |
| Block Account - Generic | This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook:
|
| Search And Delete Emails - Generic | This playbook searches and delete emails with similar attributes of a malicious email. |
| Block URL - Generic | This playbook blocks malicious URLs using all integrations that are enabled. Supported integrations for this playbook:
|
| Unisolate Endpoint - Generic | This playbook unisolates endpoints according to the endpoint ID or host name provided in the playbook.
|
| Detonate URL - Generic | Detonate URL through active integrations that support URL detonation. |
| File Reputation | This playbook checks the file reputation and sets the verdict as a new context key. The verdict is composed by 3 main components:
Note: a user can provide a list of trusted signers of his own using the playbook inputs |
| Calculate Severity - Indicators DBotScore | Calculates the incident severity level according to the highest indicator DBotScore. |
| Isolate Endpoint - Generic | This playbook isolates a given endpoint using the following integrations:
|
| Entity Enrichment - Generic v3 | Enrich entities using one or more integrations. |
| Get File Sample By Hash - Generic v3 | This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks:
|
| IP Enrichment - Generic v2 | Enrich IP addresses using one or more integrations.
|
| Get File Sample From Path - Generic V3 | This playbook returns a file sample from a specified path and host that you input in the following playbooks: |
| Account Enrichment - Generic v2.1 | Enrich accounts using one or more integrations.
|
| Get Original Email - Generic | Use this playbook to retrieve the original email in the thread, including headers and attahcments, when the reporting user forwarded the original email not as an attachment. You must have the necessary permissions in your email service to execute global search.
|
| Email Address Enrichment - Generic v2.1 | Enrich email addresses.
|
| Command-Line Analysis | This playbook takes the command line from the alert and performs the following actions:
At the end of the playbook, it sets a possible verdict for the command line, based on the finding:
|
| IP Enrichment - Internal - Generic v2 | Enrich Internal IP addresses using one or more integrations.
|
| Send Investigation Summary Reports | This playbook iterates over closed incidents, generates a summary report for each closed incident, and emails the reports to specified users. |
| Convert file hash to corresponding hashes | The playbook enables you to get all of the corresponding file hashes for a file even if there is only one hash type available. |
| Get endpoint details - Generic | This playbook uses the generic command !endpoint to retrieve details on a specific endpoint.
|
| Get File Sample By Hash - Generic v2 | This playbook returns a file sample correlating to a hash in the war-room using the following sub-playbooks:
|
| Threat Hunting - Generic | This playbook enables threat hunting for IOCs in your enterprise. It currently supports the following integrations: - Splunk - Qradar - Pan-os - Cortex data lake - Autofocus |
| Email Headers Check - Generic | This playbook executes one sub-playbook and one automation to check the email headers:
|
| Isolate Endpoint - Generic V2 | This playbook isolates a given endpoint using various endpoint product integrations. |
| Endpoint Investigation Plan | This playbook handles all the endpoint investigation actions available with Cortex XSIAM, including the following tasks:
Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. |
| GenericPolling | Use this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete.
|
| Threat Hunting - Generic | This playbook enables threat hunting for IOCs in your enterprise. It currently supports the following integrations: - Splunk
|
| Field Polling - Generic | This playbook polls a field to check if a specific value exists. |
| Recovery Plan | This playbook handles all the recovery actions available with Cortex XSIAM, including the following tasks:
Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. |
| Block Domain - Generic | This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook:
|
| Entity Enrichment - Generic v2 | Enrich entities using one or more integrations |
| Block Indicators - Generic v2 | This playbook blocks malicious Indicators using all integrations that are enabled, using the following sub-playbooks:
|
| Eradication Plan | This playbook handles all the eradication actions available with Cortex XSIAM, including the following tasks:
Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. |
| CVE Enrichment - Generic v2 | This playbook performs CVE Enrichment using the following integrations:
|
| IP Enrichment - External - Generic v2 | Enrich IP addresses using one or more integrations.
|
Search Endpoint by CVE - Generic | Hunt for assets with a given CVE using available tools |
| Wait Until Datetime | Pauses execution until the date and time that was specified in the plabyook input is reached. |
| Block IP - Generic v3 | This playbook blocks malicious IP addresses using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user (and set by default to outgoing)
Supported integrations for this playbook [Network security products such as FW/WAF/IPs/etc.]:
|
| DBot Indicator Enrichment - Generic | Get indicators internal Dbot score |
| Endpoint Enrichment - Generic v2.1 | Enrich an endpoint by hostname using one or more integrations.
|
| Get File Sample From Path - Generic | Returns a file sample to the war-room from a path on an endpoint using one or more integrations inputs:
|
| Dedup - Generic v2 | Deprecated. Use the Dedup Generic v3 playbook instead. This playbook identifies duplicate incidents using one of the supported methods. |
| Search And Delete Emails - Generic v2 | This playbook searches and deletes emails with similar attributes of a malicious email using one of the following integrations: * EWS * Office 365 * Gmail * Agari Phishing Defense |
| Context Polling - Generic | This playbook polls a context key to check if a specific value exists. |
| Dedup - Generic v4 | This playbook identifies duplicate incidents using the Cortex XSOAR machine learning method (script). Note: To identify similar incidents you must must properly define the playbook inputs. |
| Containment Plan | This playbook handles all the containment actions available with Cortex XSIAM, including:
Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. |
| Block File - Generic v2 | This playbook is used to block files from running on endpoints.
|
| Calculate Severity - Critical Assets v2 | Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation. |
| Retrieve File from Endpoint - Generic | This playbook retrieves a file sample from an endpoint using the following playbooks:
|
| Search And Delete Emails - Generic v2 | This playbook searches and deletes emails with similar attributes of a malicious email using one of the following integrations: * EWS * Office 365 * Gmail * Agari Phishing Defense |
| Calculate Severity - Generic v2 | Calculate and assign the incident severity based on the highest returned severity level from the following calculations:
|
| Get File Sample From Path - Generic V2 | This playbook returns a file sample correlating to a path into the War Room using the following sub-playbooks: |
| Calculate Severity By Highest DBotScore | Calculates the incident severity level according to the highest DBotScore. |
| Domain Enrichment - Generic v2 | Enrich domains using one or more integrations.
|
| Block IP - Generic v2 | This playbook blocks malicious IPs using all integrations that are enabled. Supported integrations for this playbook:
|
| File Enrichment - File reputation | Get file reputation using one or more integrations |
| Block Email - Generic | This playbook will block emails at your mail relay integration. |
| Calculate Severity - Standard | Calculates and sets the incident severity based on the combination of the current incident severity, and the severity returned from the Evaluate Severity - Set By Highest DBotScore playbook. |
| Handle False Positive Alerts | This playbook handles false positive alerts. |
| Dedup - Generic v3 | This playbook identifies duplicate incidents using one of the supported methods.
|
| Retrieve File from Endpoint - Generic V3 | 'This playbook retrieves a file sample from an endpoint using the following playbooks:'
|
| URL Enrichment - Generic v2 | Enrich URLs using one or more integrations. URL enrichment includes:
|
| Calculate Severity - 3rd-party integrations | Calculates the incident severity level according to the methodology of a 3rd-party integration. |
| Detonate File - Generic | Detonate file through active integrations that support file detonation |
| Retrieve File from Endpoint - Generic V2 | 'This playbook retrieves a file sample from an endpoint using the following playbooks:'
|
| Enrichment for Verdict | This playbook checks prior alert closing reasons and performs enrichment on different IOC types. It then returns the information needed to establish the alert's verdict. |
| Get Email From Email Gateway - Generic | This playbook retrieves a specified EML/MSG file directly from the email security gateway product. |
| Extract Indicators From File - Generic v2 | This playbook extracts indicators from a file.
|
| Send Investigation Summary Reports Job | You should run this playbook as a scheduled job, whicn should run at an interval of once every 15 minutes. This playbook functions by calling the sub-playbook: "Send Investigation Summary Reports", and closes the incident. By default, the playbook will search all incidents closed within the last hour. If you want to run the playbook more frequently, you should adjust the search query of the child playbook: "Send Investigation Summary". Reports. |
| Get host forensics - Generic | This playbook retrieves forensics from hosts.
|
| Search Endpoints By Hash - Generic V2 | Hunt using available tools |
Required Content Packs (5)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| FiltersAndTransformers | By: Cortex XSOAR |
| CommonTypes | By: Cortex XSOAR |
| CommonScripts | By: Cortex XSOAR |
| rasterize | By: Cortex XSOAR |
Optional Content Packs (71)
| Pack Name | Pack By |
|---|---|
| Microsoft365Defender | By: Cortex XSOAR |
| CrowdStrikeFalcon | By: Cortex XSOAR |
| CrowdStrikeHost | By: Cortex XSOAR |
| ImageOCR | By: Cortex XSOAR |
| CrowdStrikeFalconSandbox | By: Cortex XSOAR |
| McAfee-TIE | By: Cortex XSOAR |
| ARIAPacketIntelligence | By: Partner |
| CarbonBlackProtect | By: Cortex XSOAR |
| EWS | By: Cortex XSOAR |
| Akamai_WAF | By: Cortex XSOAR |
| VirusTotal-Private_API | By: Partner |
| XForceExchange | By: Cortex XSOAR |
| JoeSecurity | By: Cortex XSOAR |
| HybridAnalysis | By: Cortex XSOAR |
| PAN-OS | By: Cortex XSOAR |
| Active_Directory_Query | By: Cortex XSOAR |
| Zscaler | By: Cortex XSOAR |
| CheckpointFirewall | By: Cortex XSOAR |
| Kenna | By: Cortex XSOAR |
| FortiGate | By: Cortex XSOAR |
| VMRay | By: Partner |
| WindowsForensics | By: Cortex XSOAR |
| Carbon_Black_Enterprise_Live_Response | By: Cortex XSOAR |
| ProofpointThreatResponse | By: Cortex XSOAR |
| Stealthwatch_Cloud | By: Cortex XSOAR |
| Rapid7_Nexpose | By: Cortex XSOAR |
| Cisco-umbrella | By: Cortex XSOAR |
| F5Silverline | By: Cortex XSOAR |
| Lastline | By: Cortex XSOAR |
| Okta | By: Cortex XSOAR |
| SNDBOX | By: Cortex XSOAR |
| Cybereason | By: Cortex XSOAR |
| Symantec_Messaging_Gateway | By: Cortex XSOAR |
| ExtraHop | By: Partner |
| CortexXDR | By: Cortex XSOAR |
| ThreatGrid | By: Cortex XSOAR |
| Threat_Crowd | By: Cortex XSOAR |
| AgariPhishingDefense | By: Partner |
| QRadar | By: Cortex XSOAR |
| FireEyeHX | By: Cortex XSOAR |
| Traps | By: Cortex XSOAR |
| CrowdStrikeFalconX | By: Cortex XSOAR |
| CiscoASA | By: Cortex XSOAR |
| VulnDB | By: Cortex XSOAR |
| AWS-IAM | By: Cortex XSOAR |
| SplunkPy | By: Cortex XSOAR |
| Code42 | By: Partner |
| CiscoFirepower | By: Cortex XSOAR |
| TrendMicroApex | By: Cortex XSOAR |
| RiskSense | By: Partner |
| PaloAltoNetworks_PAN_OS_EDL_Management | By: Cortex XSOAR |
| Carbon_Black_Enterprise_Response | By: Cortex XSOAR |
| FireEyeEX | By: Cortex XSOAR |
| SophosXGFirewall | By: Cortex XSOAR |
| Palo_Alto_Networks_WildFire | By: Cortex XSOAR |
| CuckooSandbox | By: Cortex XSOAR |
| Polygon | By: Partner |
| Gmail | By: Cortex XSOAR |
| Cylance_Protect | By: Cortex XSOAR |
| D2 | By: Cortex XSOAR |
| Phishing | By: Cortex XSOAR |
| ANYRUN | By: Cortex XSOAR |
| SignalSciences | By: Cortex XSOAR |
| McAfee_Advanced_Threat_Defense | By: Cortex XSOAR |
| IllusiveNetworks | By: Partner |
| ThreatX | By: Cortex XSOAR |
| Mimecast | By: Cortex XSOAR |
| epo | By: Cortex XSOAR |
| ProofpointServerProtection | By: Cortex XSOAR |
| PANWComprehensiveInvestigation | By: Cortex XSOAR |
| fireeye | By: Cortex XSOAR |
2.2.0 - 2963854 (May 22, 2022)
Playbooks
New: Dedup - Generic v4
This playbook identifies duplicate incidents using the Cortex XSOAR machine learning method (script).
In this playbook, you can choose fields and/or indicators to be compared against other incidents in the Cortex XSOAR database (available from Cortex XSOAR 6.2.0).
Note:
To identify similar incidents you must properly define the playbook inputs.
2.1.22 - 2943817 (May 18, 2022)
Playbooks
Unisolate Endpoint - Generic
Added support for the Microsoft Defender For Endpoint integration.
Isolate Endpoint - Generic V2
Added support for the Microsoft Defender For Endpoint integration.
2.1.21 - R2888155 (May 8, 2022)
Playbooks
Search And Delete Emails - Generic v2
Fixed an issue where the O365AllowNotFoundExchangeLocations playbook input did not work as expected.
2.1.20 - 2784849 (April 19, 2022)
Playbooks
Containment Plan
- Added isIntegrationEnabled validation for AD.
- Fixes the HostContainment input.
Endpoint Investigation Plan
- Fixes Lucene query.
- Changes the default time range input to 2 hours.
File Reputation
- Added validation which checks for VirusTotal results.
Eradication Plan
- Added isIntegrationEnabled validation for AD.
Enrichment for Verdict
- Added exclusion for internal IPs verdict.
2.1.19 - 2772048 (April 17, 2022)
Playbooks
New: Command-Line Analysis
- This playbook takes the command line from the alert and performs the following actions:
- Checks and decodes base64
- Extracts and enriches indicators from the command line
- Checks specific arguments for malicious usage
At the end of the playbook, it sets a possible verdict for the command line, based on the finding. (Available from Cortex XSOAR 6.0.0).
2.1.18 - 2750927 (April 13, 2022)
Playbooks
Threat Hunting - Generic
- The new playbook Microsoft 365 Defender - Emails Indicators Hunt was added as a sub-playbook. This sub-playbook retrieves relevant email data based on the given indicators. (Available from Cortex XSOAR v6.2.0)
2.1.17 - 2674843 (March 30, 2022)
Playbooks
Containment Plan
- Fixes the Block Indicators flow
2.1.16 - 2641705 (March 24, 2022)
Playbooks
New: Enrichment for Verdict
This playbook performs enrichment on different IOC types, and returns the information needed to establish the alert's verdict.
New: Handle False Positive Alerts
This playbook handles false positive alerts.
New: File Reputation
This playbook checks the file reputation and sets the verdict as a new context key.
2.1.15 - 2624637 (March 22, 2022)
Playbooks
New: Recovery Plan
This playbook handles all the recovery actions available with Cortex XSIAM, including the following tasks:
- Unisolate endpoint
- Restore quarantined file
Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.
New: Endpoint Investigation Plan
This playbook handles all the endpoint investigation actions available with Cortex XSIAM, including the following tasks:
- Pre-defined MITRE Tactics
- Host fields (Host ID)
- Attacker fields (Attacker IP, External host)
- MITRE techniques
- File hash (currently, the playbook supports only SHA256)
Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.
New: Eradication Plan
This playbook handles all the eradication actions available with Cortex XSIAM, including the following tasks:
- Reset user password
- Delete file
- Kill process (currently, the playbook supports terminating a process by name)
Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.
New: Containment Plan
This playbook handles all the incident containment actions available with Cortex XSIAM, including the following tasks:
- Isolate endpoint
- Disable account
- Quarantine file
- Block indicators (currently, the playbook supports only hashes)
- Clear user session (currently, the playbook supports only Okta)
Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.
Search And Delete Emails - Generic v2
Fixed an issue where the O365 - Security And Compliance - Search And Delete playbook always searched through all the mailboxes even if there was a different value in the O365ExchangeLocation playbook input.
2.1.13 - 2411339 (February 14, 2022)
Playbooks
Isolate Endpoint - Generic
- Maintenance and stability enhancements.
2.1.12 - 2400513 (February 11, 2022)
Playbooks
Email Address Enrichment - Generic v2.1
Fixed an issue where email addresses were being passed as a string and not as an array in the Get email address info from Active Directory task.
Endpoint Enrichment - Generic v2.1
- Maintenance and stability enhancements.
2.1.10 - 2312280 (January 26, 2022)
Playbooks
Block IP - Generic v3
- Maintenance and stability enhancements.
2.1.9 - 2275899 (January 19, 2022)
Playbooks
Email Address Enrichment - Generic v2.1
Fixed a bug that that caused the email domain-squatting check to produce incorrect results.
2.1.8 - 2244042 (January 12, 2022)
Playbooks
Extract Indicators From File - Generic v2
- Added a task for setting a context key that holds the extracted URLs.
- Added the ExtractedURLsFromFiles playbook output - The list of URLs that were extracted from the file. This output is a duplicate of the URL.Data output and it enables parent playbooks to identify the URLs generated by this playbook.
2.1.7 - R2238421 (January 11, 2022)
Playbooks
Endpoint Enrichment - Generic v2.1
Change the playbook flow to use the McAfee ePO v2 integration if it is installed and configured.
Search And Delete Emails - Generic v2
Fixed the issue in the In what integration should emails be searched and deleted? conditional task where the conditions for o365 and EWS lacked an input validation check.
Detonate URL - Generic
Changed the sub-playbook "URL" input to "inputs.URL" to enable using the playbook input "URL" in the sub-playbooks.
Extract Indicators From File - Generic v2
Ignore p7m files in the Is there a text-based file? task.
2.1.5 - R2146019 (December 21, 2021)
Playbooks
Threat Hunting - Generic
- Added inputs for Splunk and QRadar time frame search.
New: Get Email From Email Gateway - Generic
- This playbook retrieves a specified EML/MSG file directly from the email security gateway product. (Available from Cortex XSOAR 6.0.0).
New: Email Headers Check - Generic
- This playbook executes one sub-playbook and one automation to check the email headers:
- Process Microsoft's Anti-Spam Headers - This playbook stores the SCL, BCL and PCL scores if they exist to the relevant incident fields (Phishing SCL Score, Phishing PCL Score, Phishing BCL Score).
- CheckEmailAuthenticity - This automation checks email authenticity based on its SPF, DMARC, and DKIM. (Available from Cortex XSOAR 6.0.0).
New: Search And Delete Emails - Generic v2
- This playbook searches and deletes emails with similar attributes of a malicious email using one of the following integrations: * EWS * Office 365. * Gmail * Agari Phishing Defense (Available from Cortex XSOAR 6.0.0).
2.1.4 - 2067649 (December 7, 2021)
Playbooks
Block IP - Generic v3
- Fixed sub-playbook issue (Cisco Firepower related)
2.1.3 - 2042391 (December 2, 2021)
Playbooks
Block IP - Generic v3
- Documentation fixes
Block IP - Generic v2
- Documentation fixes
Block URL - Generic
- Documentation fixes
Block Indicators - Generic v2
- Documentation fixes
Endpoint Enrichment - Generic v2.1
- Documentation fixes
2.1.2 - 1993458 (November 22, 2021)
Playbooks
Block IP - Generic v3
- Fixed the !CreateNewIndicator command and added the "IP" indicator type to better define the indicator to be enriched.
2.1.1 - 1947770 (November 14, 2021)
Playbooks
Detonate File - Generic
- Fixed an issue where the context outputs of the Detonate File - VMRay playbook were missing.
2.1.0 - 1938694 (November 12, 2021)
Playbooks
New: Block IP - Generic v3
- This playbook blocks malicious IPs using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user (and set by default to outgoing).
Note the following: - Some of those integrations require specific parameters to run, which are based on the playbook inputs. Also, certain integrations use FW rules or appended network objects.
- The appended network objects should be specified in the blocking rules inside the system later on.
Supported integrations for this playbook [Network security products such as FW/WAF/IPS/Etc]:
Check Point Firewall
Palo Alto Networks PAN-OS
Zscaler
FortiGate
Aria Packet Intelligence
Cisco Firepower
Cisco Secure Cloud Analytics
Cisco ASA
Akamai WAF
F5 SilverLine
ThreatX
Signal Sciences WAF
Sophos Firewall
(Available from Cortex XSOAR 6.0.0).
2.0.7 - 1850580 (October 26, 2021)
Playbooks
Calculate Severity By Highest DBotScore
- Updated playbook to use the GetIndicatorDBotScoreFromCache command to take into consideration the reliability parameter. The fix is relevant for version 6.0 and above.
2.0.6 - 7772209 (September 25, 2021)
Playbooks
New: Extract Indicators From File - Generic v2
- Added the pdf files preview as image step to the playbook.
2.0.5 - 7640590 (September 16, 2021)
Playbooks
New: Block Domain - Generic
- This playbook blocks malicious Domains using all integrations that are enabled.
Supported integrations for this playbook:
- Zscaler
- Symantec Messaging Gateway
- FireEye EX
- Trend Micro Apex One
- Proofpoint Threat Response (Available from Cortex XSOAR 5.5.0).
Block Indicators - Generic v2
- Added Block Domain - Generic
- Fixed playbook description
2.0.4 - 7391875 (September 1, 2021)
Playbooks
Extract Indicators From File - Generic v2
Added a condition to the Is there a text-based file task to verify that the string 'message/rfc822' is not contained within File.Info.
2.0.3 - 7342366 (August 29, 2021)
Playbooks
Get endpoint details - Generic
Fixed the "Is the endpoint IP provided?" conditional task where the task had no path if the IP address was not provided.
2.0.2 - 415523 (August 23, 2021)
Playbooks
Calculate Severity - Generic v2
- Adding calculation for Anti-Spam score values inside Microsoft headers (PCL, BCL and SCL).
2.0.1 - 414184 (August 20, 2021)
Playbooks
Email Address Enrichment - Generic v2.1
- Fixed an issue where inputs of the wrong type were given to the Check email addresses for domain-squatting task.
2.0.0 - 406668 (August 5, 2021)
Playbooks
New: Search And Delete Emails - Generic v2
Added the O365 - Security And Compliance - Search And Delete sub-playbook to search and delete emails using the O365 - Security And Compliance - Content Search integration. Searching and deleting using O365 allows you to search through a single or multiple mailboxes (Available from Cortex XSOAR 5.5.0).
1.9.10 - 397182 (July 13, 2021)
Playbooks
Extract Indicators From File - Generic v2 - Test
- Fixed an issue where the playbook would not extract indicators from files of type message/rfc822.
1.9.9 - 392500 (July 4, 2021)
Playbooks
CVE Enrichment - Generic v2
Maintenance and stability enhancements
1.9.8 - 390826 (June 29, 2021)
Playbooks
New: Retrieve File from Endpoint - Generic V3
- 'This playbook retrieves a file sample from an endpoint using the following playbooks:'
- Get File Sample From Path - Generic v3.
- Get File Sample By Hash - Generic v3. (Available from Cortex XSOAR 6.0.0).
New: Get File Sample From Path - Generic V3
- This playbook returns a file sample correlating to a path into the War Room using the following sub-playbooks:
inputs:
1) Get File Sample From Path - Powershell Remoting.
2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).
(Available from Cortex XSOAR 6.0.0).
1.9.7 - 372302 (May 31, 2021)
Playbooks
Unisolate Endpoint - Generic
- Added a task that checks if the endpoint is online.
New: Get endpoint details - Generic
- This playbook use the generic command !endpoint to retrieve details about a specific endpoint.
This command currently supports the following integrations: - Palo Alto Networks Cortex XDR - Investigation and Response.
- CrowdStrike Falcon. (Available from Cortex XSOAR 5.5.0).
New: Block Email - Generic
This playbook will block emails at your mail relay integration. (Available from Cortex XSOAR 5.5.0).
New: Get host forensics - Generic
- This playbook retrieves forensics from hosts.
The available integration is Illusive networks. (Available from Cortex XSOAR 5.5.0).
New: Threat Hunting - Generic
- This playbook enables threat hunting for IOCs in your enterprise.
This playbook currently supports the following integrations: - Splunk
- Qradar
- Pan-os
- Cortex data lake
- Autofocus (Available from Cortex XSOAR 5.5.0).
Block Indicators - Generic v2
Added Block Email - Generic playbook.
New: Isolate Endpoint - Generic V2
This playbook isolates a given endpoint via various endpoint product integrations.
Make sure to provide the valid playbook input for the integration that you are using. (Available from Cortex XSOAR 5.5.0).
1.9.6 - 356061 (May 13, 2021)
Playbooks
Dedup - Generic v2
Playbook was updated with the "deprecated" field.
1.9.5 - 351790 (May 10, 2021)
Playbooks
Extract Indicators From File - Generic v2
- Fixed an issue where the playbook was failing when running on .xlsb files.
1.9.4 - 341456 (May 1, 2021)
Playbooks
Dedup - Generic v2
- Maintenance and stability enhancements.
Get File Sample From Path - Generic V2
- Maintenance and stability enhancements.
Get File Sample By Hash - Generic v3
- Maintenance and stability enhancements.
1.9.3 - 334155 (April 22, 2021)
Playbooks
Detonate File - Generic
- Fixed an issue where the playbook context outputs had duplicate values.
1.9.2 - 325844 (April 11, 2021)
Playbooks
New: Unisolate Endpoint - Generic
This playbook unisolates endpoints according to the endpoint ID or hostname that is provided by the playbook input.
It currently supports the following integrations:
- Carbon Black Response
- Cortex XDR
- Crowdstrike Falcon
- FireEye HX
- Cybereason
(Available from Cortex XSOAR 5.5.0).
1.9.1 - 323432 (April 8, 2021)
Playbooks
Block File - Generic v2
- Added "Skip this branch if this automation/playbook is unavailable" option to Cortex XDR - Block File sub-playbook.
1.9.0 - 298349 (March 8, 2021)
Playbooks
Get File Sample By Hash - Generic v3
- Added the Code42 File Download as a subplaybook to retrieve files using the Code42 integration.
- Fixed an issue that caused an error in the playbook when one of the subplaybooks was not available.
Get File Sample From Path - Generic V2
- Fixed an issue that caused an error in the playbook when one of the subplaybooks was not available.
1.8.12 - 282915 (February 17, 2021)
Playbooks
New: Context Polling - Generic
This playbook polls a context key to check if a specific value exists.
1.8.11 - 269341 (February 2, 2021)
Playbooks
Block File - Generic v2
Added Cortex XDR sub-playbook Cortex XDR - Block File
1.8.10 - R264879 (January 27, 2021)
Playbooks
Dedup - Generic v3
- Fixed an issue where the playbook did not ignore closed incidents when it attempted to find duplicate incidents.
1.8.9 - R254077 (January 17, 2021)
Playbooks
Detonate File - Generic
- Fixed an issue where two tasks overlapped in the playbook's overview.
- Added Detonate File - Group-IB TDS Polygon as a sub-playbook.
- Added Detonate File - CrowdStrike Falcon X as a sub-playbook.
1.8.8 - 235964 (December 28, 2020)
Playbooks
New: Get File Sample By Hash - Generic v3
- This playbook returns a file sample correlating to a hash in the war-room using the following sub-playbooks:
- Get binary file by MD5 hash from Carbon Black telemetry data. - VMware Carbon Black EDR v2.
- Get the threat (file) attached to a specific SHA256 hash- Cylance Protect v2.
- Added file outputs to the playbook.
New: Retrieve File from Endpoint - Generic V2
- This playbook retrieves a file sample from an endpoint using the following playbooks:
- Get File Sample From Path - Generic v2.
- Get File Sample By Hash - Generic v3.
New: Get File Sample From Path - Generic V2
- This playbook returns a file sample correlating to a path into the war-room using the following sub-playbooks:
inputs:
1) Get File Sample From Path - D2.
2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).
1.8.7 - 228403 (December 21, 2020)
Playbooks
CVE Enrichment - Generic v2
- Fixed bugs related to playbook inputs and commands used.
New: Search Endpoint by CVE - Generic
- Hunt for assets with a given CVE using available tools.
1.8.6 - 223270 (December 16, 2020)
Playbooks
Dedup - Generic v2
- Deprecated. Use the Dedup Generic v3 playbook instead.
##### Dedup - Generic v3
- The new version of the Dedup playbook, which includes a new machine learning script, PhishingDedupPreprocessingRule that identifies duplicate Phishing incidents.
1.8.5 - R202407 (November 26, 2020)
Common Playbooks
- Documentation and metadata improvements.
1.8.4 - 149745 (October 18, 2020)
Playbooks
Email Address Enrichment - Generic v2.1
Fixed an issue where emails were not checked for domain-squatting due to the WhereFieldEquals transformer not working as expected.
1.8.3 - 149109 (October 18, 2020)
Playbooks
Isolate Endpoint - Generic
- Fixed bugs regarding sub-playbook inputs.
- Added playbook outputs indicating isolation state.
1.8.2 - R132310 (October 1, 2020)
Playbooks
New: Field Polling - Generic
This playbook polls a field to check if a specific value exists.
1.8.1 - 126669 (September 26, 2020)
Playbooks
Email Address Enrichment - Generic v2.1
Fixed an issue where no results returned when multiple internal email addresses were provided.
1.8.0 - R124496 (September 23, 2020)
Playbooks
Detonate File - Generic
- Fixed a bug where a change in the inputs of Detonate File - ThreatGrid did not populate into Detonate File - Generic playbook. Detonate File - ThreatGrid will now submit private samples by default.
1.7.1 - 93993 (August 24, 2020)
Playbooks
Extract Indicators From File - Generic v2
- Added support for UTF-8 Unicode text files.
1.7.0 - R89444 (August 17, 2020)