Common Playbooks

Details
Content
Version History

Frequently used playbooks pack.

PUBLISHER

Cortex XSOAR

INFO

Certification	Certified	Read more
Supported By	Cortex XSOAR
Created	August 17, 2020
Last Release	September 25, 2021

WORKS WITH THE FOLLOWING INTEGRATIONS:

O365 - EWS - Extension Online Powershell v2

O365 - Security And Compliance - Content Search

O365 - Security And Compliance - Content Search (beta)

Palo Alto Networks Cortex XDR - Investigation and Response

VMware Carbon Black EDR (Live Response API)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Playbooks

Name	Description
Convert file hash to corresponding hashes	The playbook enables you to get all of the corresponding file hashes for a file even if there is only one hash type available. For example, if we have only the SHA256 hash, the playbook will get the SHA1 and MD5 hashes as long as the original searched hash is recognized by any our the threat intelligence integrations.
Threat Hunting - Generic	This playbook enables threat hunting for IOCs in your enterprise. This playbook currently supports the following integrations: Splunk Qradar Pan-os Cortex data lake Autofocus
Block Account - Generic	This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: Active Directory PAN-OS - This requires PAN-OS 9.1 or higher.
IP Enrichment - Internal - Generic v2	Enrich Internal IP addresses using one or more integrations. Resolve IP address to hostname (DNS) Separate internal and external IP addresses Get host information for IP addresses
URL Enrichment - Generic v2	Enrich URLs using one or more integrations. URL enrichment includes: SSL verification for URLs Threat information Providing of URL screenshots
Extract Indicators From File - Generic v2	Extracts indicators from a file. Supported file types: CSV PDF TXT HTM, HTML DOC, DOCX PPT PPTX RTF XLS XLSX XML
IP Enrichment - External - Generic v2	Enrich IP addresses using one or more integrations. Resolve IP addresses to hostnames (DNS) Provide threat information Separate internal and external addresses
Get File Sample From Path - Generic V3	This playbook returns a file sample from a specified path and host that you input in the following playbooks: 1) PS Remote Get File Sample From Path. 2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).
Entity Enrichment - Generic v3	Enrich entities using one or more integrations.
Search Endpoints By Hash - Generic V2	Hunt using available tools
Isolate Endpoint - Generic V2	This playbook isolates a given endpoint via various endpoint product integrations. Make sure to provide the valid playbook input for the integration you are using.
Block URL - Generic	This playbook blocks malicious URLs using all integrations that are enabled. Supported integrations for this playbook: Palo Alto Networks Minemeld Palo Alto Networks PAN-OS Zscaler
Get File Sample By Hash - Generic v3	This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks: Get binary file by MD5 hash from Carbon Black telemetry data - VMware Carbon Black EDR v2. Get the threat (file) attached to a specific SHA256 hash - Cylance Protect v2.
Account Enrichment - Generic v2.1	Enrich accounts using one or more integrations. Supported integrations: Active Directory
Get File Sample From Path - Generic	Returns a file sample to the war-room from a path on an endpoint using one or more integrations inputs: UseD2 - if "True", use Demisto Dissolvable Agent (D2) to return the file (default: False)
Calculate Severity - Indicators DBotScore	Calculates the incident severity level according to the highest indicator DBotScore.
Email Address Enrichment - Generic v2.1	Enrich email addresses. Get information from Active Directory for internal addresses Get the domain-squatting reputation for external addresses
Wait Until Datetime	Pauses execution until the date and time that was specified in the plabyook input is reached.
Calculate Severity By Highest DBotScore	Calculates the incident severity level according to the highest indicator DBotScore.
Get File Sample From Path - Generic V2	This playbook returns a file sample correlating to a path into the War Room using the following sub-playbooks: inputs: 1) Get File Sample From Path - D2. 2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).
Calculate Severity - 3rd-party integrations	Calculates the incident severity level according to the methodology of a 3rd-party integration.
Field Polling - Generic	This playbook polls a field to check if a specific value exists.
Block IP - Generic v2	This playbook blocks malicious IPs using all integrations that are enabled. Supported integrations for this playbook: Check Point Firewall Palo Alto Networks Minemeld Palo Alto Networks PAN-OS Zscaler FortiGate
Calculate Severity - Standard	Calculates and sets the incident severity based on the combination of the current incident severity, and the severity returned from the Evaluate Severity - Set By Highest DBotScore playbook.
Get File Sample By Hash - Generic v2	This playbook returns a file sample correlating to a hash in the war-room using the following sub-playbooks: Get File Sample By Hash - Carbon Black Enterprise Response Get File Sample By Hash - Cylance Protect v2
Context Polling - Generic	This playbook polls a context key to check if a specific value exists.
GenericPolling	Use this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete. This playbook implements polling by continuously running the command in Step #2 until the operation completes. The remote action should have the following structure: Initiate the operation. Poll to check if the operation completed. (optional) Get the results of the operation.
Get host forensics - Generic	This playbook retrieves forensics from hosts. The available integration: Illusive networks.
Dedup - Generic v3	This playbook identifies duplicate incidents using one of the supported methods. Select one of the following methods to identify duplicate incidents in Cortex XSOAR. ml: Machine learning model, which is trained mostly on phishing incidents. -rules: Rules help identify duplicate incidents when the logic is well defined, for example, the same label or custom fields. -text: Statistics algorithm that compares text, which is generally useful for phishing incidents. For each method, the playbook will search for the oldest similar incident. when there is a match for a similar incident the playbook will close the current incident and will link it to the older incident.
Endpoint Enrichment - Generic v2.1	Enrich an endpoint by hostname using one or more integrations. Supported integrations: Active Directory Query v2 McAfee ePolicy Orchestrator Carbon Black Enterprise Response v2 Cylance Protect v2 CrowdStrike Falcon Host ExtraHop Reveal(x)
Unisolate Endpoint - Generic	This playbook unisolates endpoints according to the endpoint ID or hostname that is provided in the playbook. Currently supports the following integrations: Carbon Black Response Cortex XDR Crowdstrike Falcon FireEye HX Cybereason
Domain Enrichment - Generic v2	Enrich domains using one or more integrations. Domain enrichment includes: Threat information
DBot Indicator Enrichment - Generic	Get indicators internal Dbot score
File Enrichment - Generic v2	Enrich a file using one or more integrations. Provide threat information
Search And Delete Emails - Generic v2	This playbook searches and delete emails with similar attributes of a malicious email using EWS or Office 365.
Entity Enrichment - Generic v2	Enrich entities using one or more integrations
Search And Delete Emails - Generic	This playbook searches and delete emails with similar attributes of a malicious email.
CVE Enrichment - Generic v2	This playbook performs CVE Enrichment using the following integrations: VulnDB CVE Search IBM X-Force Exchange
File Enrichment - File reputation	Get file reputation using one or more integrations
Search Endpoint by CVE - Generic	Hunt for assets with a given CVE using available tools
Block Domain - Generic	This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook: Zscaler Symantec Messaging Gateway FireEye EX Trend Micro Apex One Proofpoint Threat Response
Block Indicators - Generic v2	This playbook blocks malicious Indicators using all integrations that are enabled, using the following sub-playbooks: Block URL - Generic Block Account - Generic Block IP - Generic v2 Block File - Generic v2 Block Email - Generic Block Domain - Generic
Get Original Email - Generic	Use this playbook to retrieve the original email in the thread, including headers and attahcments, when the reporting user forwarded the original email not as an attachment. You must have the necessary permissions in your email service to execute global search. EWS: eDiscovery Gmail: Google Apps Domain-Wide Delegation of Authority
IP Enrichment - Generic v2	Enrich IP addresses using one or more integrations. Resolve IP addresses to hostnames (DNS) Provide threat information Separate internal and external IP addresses For internal IP addresses, get host information
Retrieve File from Endpoint - Generic V3	'This playbook retrieves a file sample from an endpoint using the following playbooks:' Get File Sample From Path - Generic v2. Get File Sample By Hash - Generic v3.
Block File - Generic v2	This playbook is used to block files from running on endpoints. This playbook supports the following integrations: Palo Alto Networks Traps Palo Alto Networks Cortex XDR Cybereason Carbon Black Enterprise Response Cylance Protect v2
Calculate Severity - Generic v2	Calculate and assign the incident severity based on the highest returned severity level from the following calculations: DBotScores of indicators Critical assets Email authenticity Current incident severity Microsoft Headers
Send Investigation Summary Reports Job	You should run this playbook as a scheduled job, whicn should run at an interval of once every 15 minutes. This playbook functions by calling the sub-playbook: "Send Investigation Summary Reports", and closes the incident. By default, the playbook will search all incidents closed within the last hour. If you want to run the playbook more frequently, you should adjust the search query of the child playbook: "Send Investigation Summary". Reports.
Detonate URL - Generic	Detonate URL through active integrations that support URL detonation
Block Email - Generic	This playbook will block emails at your mail relay integration.
Send Investigation Summary Reports	This playbook iterates over closed incidents, generates a summary report for each closed incident, and emails the reports to specified users.
Retrieve File from Endpoint - Generic V2	'This playbook retrieves a file sample from an endpoint using the following playbooks:' Get File Sample From Path - Generic v2. Get File Sample By Hash - Generic v3.
Detonate File - Generic	Detonate file through active integrations that support file detonation
Retrieve File from Endpoint - Generic	This playbook retrieves a file sample from an endpoint using the following playbooks: Get File Sample From Path - Generic Get File Sample By Hash - Generic v2
Isolate Endpoint - Generic	This playbook isolates a given endpoint using the following integrations: Carbon Black Enterprise Response Palo Alto Networks Traps
Calculate Severity - Critical Assets v2	Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation. Critical assets refer to: users, user groups, endpoints and endpoint groups.
Dedup - Generic v2	Deprecated. Use the Dedup Generic v3 playbook instead. This playbook identifies duplicate incidents using one of the supported methods.
Get endpoint details - Generic	This playbook uses the generic command !endpoint to retrieve details on a specific endpoint. This command currently supports the following integrations: Palo Alto Networks Cortex XDR - Investigation and Response. CrowdStrike Falcon.

2.0.6 - 7772209 (September 25, 2021)

Playbooks

New: Extract Indicators From File - Generic v2

Added the pdf files preview as image step to the playbook.

2.0.5 - 7640590 (September 16, 2021)

Playbooks

New: Block Domain - Generic

This playbook blocks malicious Domains using all integrations that are enabled.

Supported integrations for this playbook:

Zscaler
Symantec Messaging Gateway
FireEye EX
Trend Micro Apex One
Proofpoint Threat Response (Available from Cortex XSOAR 5.5.0).

Block Indicators - Generic v2

Added Block Domain - Generic
Fixed playbook description

2.0.4 - 7391875 (September 1, 2021)

Playbooks

Extract Indicators From File - Generic v2

Added a condition to the Is there a text-based file task to verify that the string 'message/rfc822' is not contained within File.Info.

2.0.3 - 7342366 (August 29, 2021)

Playbooks

Get endpoint details - Generic

Fixed the "Is the endpoint IP provided?" conditional task where the task had no path if the IP address was not provided.

2.0.2 - 415523 (August 23, 2021)

Playbooks

Calculate Severity - Generic v2

Adding calculation for Anti-Spam score values inside Microsoft headers (PCL, BCL and SCL).

2.0.1 - 414184 (August 20, 2021)

Playbooks

Email Address Enrichment - Generic v2.1

Fixed an issue where inputs of the wrong type were given to the Check email addresses for domain-squatting task.

2.0.0 - 406668 (August 5, 2021)

Playbooks

New: Search And Delete Emails - Generic v2

Added the O365 - Security And Compliance - Search And Delete sub-playbook to search and delete emails using the O365 - Security And Compliance - Content Search integration. Searching and deleting using O365 allows you to search through a single or multiple mailboxes (Available from Cortex XSOAR 5.5.0).

1.9.10 - 397182 (July 13, 2021)

Playbooks

Extract Indicators From File - Generic v2 - Test

Fixed an issue where the playbook would not extract indicators from files of type message/rfc822.

1.9.9 - 392500 (July 4, 2021)

Playbooks

CVE Enrichment - Generic v2

Maintenance and stability enhancements

1.9.8 - 390826 (June 29, 2021)

Playbooks

New: Retrieve File from Endpoint - Generic V3

'This playbook retrieves a file sample from an endpoint using the following playbooks:'
Get File Sample From Path - Generic v3.
Get File Sample By Hash - Generic v3. (Available from Cortex XSOAR 6.0.0).

New: Get File Sample From Path - Generic V3

This playbook returns a file sample correlating to a path into the War Room using the following sub-playbooks:
inputs:
1) Get File Sample From Path - Powershell Remoting.
2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).
(Available from Cortex XSOAR 6.0.0).

1.9.7 - 372302 (May 31, 2021)

Playbooks

Unisolate Endpoint - Generic

Added a task that checks if the endpoint is online.

New: Get endpoint details - Generic

This playbook use the generic command !endpoint to retrieve details about a specific endpoint.
This command currently supports the following integrations:
Palo Alto Networks Cortex XDR - Investigation and Response.
CrowdStrike Falcon. (Available from Cortex XSOAR 5.5.0).

New: Block Email - Generic

This playbook will block emails at your mail relay integration. (Available from Cortex XSOAR 5.5.0).

New: Get host forensics - Generic

This playbook retrieves forensics from hosts.
The available integration is Illusive networks. (Available from Cortex XSOAR 5.5.0).

New: Threat Hunting - Generic

This playbook enables threat hunting for IOCs in your enterprise.
This playbook currently supports the following integrations:
Splunk
Qradar
Pan-os
Cortex data lake
Autofocus (Available from Cortex XSOAR 5.5.0).

Block Indicators - Generic v2

Added Block Email - Generic playbook.

New: Isolate Endpoint - Generic V2

This playbook isolates a given endpoint via various endpoint product integrations.
Make sure to provide the valid playbook input for the integration that you are using. (Available from Cortex XSOAR 5.5.0).

1.9.6 - 356061 (May 13, 2021)

Playbooks

Dedup - Generic v2

Playbook was updated with the "deprecated" field.

1.9.5 - 351790 (May 10, 2021)

Playbooks

Extract Indicators From File - Generic v2

Fixed an issue where the playbook was failing when running on .xlsb files.

1.9.4 - 341456 (May 1, 2021)

Playbooks

Dedup - Generic v2

Maintenance and stability enhancements.

Get File Sample From Path - Generic V2

Maintenance and stability enhancements.

Get File Sample By Hash - Generic v3

Maintenance and stability enhancements.

1.9.3 - 334155 (April 22, 2021)

Playbooks

Detonate File - Generic

Fixed an issue where the playbook context outputs had duplicate values.

1.9.2 - 325844 (April 11, 2021)

Playbooks

New: Unisolate Endpoint - Generic

This playbook unisolates endpoints according to the endpoint ID or hostname that is provided by the playbook input.
It currently supports the following integrations:

Carbon Black Response
Cortex XDR
Crowdstrike Falcon
FireEye HX
Cybereason
(Available from Cortex XSOAR 5.5.0).

1.9.1 - 323432 (April 8, 2021)

Playbooks

Block File - Generic v2

Added "Skip this branch if this automation/playbook is unavailable" option to Cortex XDR - Block File sub-playbook.

1.9.0 - 298349 (March 8, 2021)

Playbooks

Get File Sample By Hash - Generic v3

Added the Code42 File Download as a subplaybook to retrieve files using the Code42 integration.
Fixed an issue that caused an error in the playbook when one of the subplaybooks was not available.

Get File Sample From Path - Generic V2

Fixed an issue that caused an error in the playbook when one of the subplaybooks was not available.

1.8.12 - 282915 (February 17, 2021)

Playbooks

New: Context Polling - Generic

This playbook polls a context key to check if a specific value exists.

1.8.11 - 269341 (February 2, 2021)

Playbooks

Block File - Generic v2

Added Cortex XDR sub-playbook Cortex XDR - Block File

1.8.10 - R264879 (January 27, 2021)

Playbooks

Dedup - Generic v3

Fixed an issue where the playbook did not ignore closed incidents when it attempted to find duplicate incidents.

1.8.9 - R254077 (January 17, 2021)

Playbooks

Detonate File - Generic

Fixed an issue where two tasks overlapped in the playbook's overview.
Added Detonate File - Group-IB TDS Polygon as a sub-playbook.
Added Detonate File - CrowdStrike Falcon X as a sub-playbook.

1.8.8 - 235964 (December 28, 2020)

Playbooks

New: Get File Sample By Hash - Generic v3

This playbook returns a file sample correlating to a hash in the war-room using the following sub-playbooks:
Get binary file by MD5 hash from Carbon Black telemetry data. - VMware Carbon Black EDR v2.
Get the threat (file) attached to a specific SHA256 hash- Cylance Protect v2.
Added file outputs to the playbook.

New: Retrieve File from Endpoint - Generic V2

This playbook retrieves a file sample from an endpoint using the following playbooks:
Get File Sample From Path - Generic v2.
Get File Sample By Hash - Generic v3.

New: Get File Sample From Path - Generic V2

This playbook returns a file sample correlating to a path into the war-room using the following sub-playbooks:
inputs:
1) Get File Sample From Path - D2.
2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).

1.8.7 - 228403 (December 21, 2020)

Playbooks

CVE Enrichment - Generic v2

Fixed bugs related to playbook inputs and commands used.

New: Search Endpoint by CVE - Generic

Hunt for assets with a given CVE using available tools.

1.8.6 - 223270 (December 16, 2020)

Playbooks

Dedup - Generic v2
- Deprecated. Use the Dedup Generic v3 playbook instead.
##### Dedup - Generic v3
- The new version of the Dedup playbook, which includes a new machine learning script, PhishingDedupPreprocessingRule that identifies duplicate Phishing incidents.

1.8.5 - R202407 (November 26, 2020)

Documentation and metadata improvements.

1.8.4 - 149745 (October 18, 2020)

Playbooks

Email Address Enrichment - Generic v2.1

Fixed an issue where emails were not checked for domain-squatting due to the WhereFieldEquals transformer not working as expected.

1.8.3 - 149109 (October 18, 2020)

Playbooks

Isolate Endpoint - Generic

Fixed bugs regarding sub-playbook inputs.
Added playbook outputs indicating isolation state.

1.8.2 - R132310 (October 1, 2020)

Playbooks

New: Field Polling - Generic

This playbook polls a field to check if a specific value exists.

1.8.1 - 126669 (September 26, 2020)

Playbooks

Email Address Enrichment - Generic v2.1

Fixed an issue where no results returned when multiple internal email addresses were provided.

1.8.0 - R124496 (September 23, 2020)

Playbooks

Detonate File - Generic

Fixed a bug where a change in the inputs of Detonate File - ThreatGrid did not populate into Detonate File - Generic playbook. Detonate File - ThreatGrid will now submit private samples by default.

1.7.1 - 93993 (August 24, 2020)

Playbooks

Extract Indicators From File - Generic v2

Added support for UTF-8 Unicode text files.

1.7.0 - R89444 (August 17, 2020)