Deprecated. We recommend using AlienVault OTX v2 instead. Query IOCs in AlienVault

Deprecated. ArcSight ESM SIEM by Micro Focus (Formerly HPE Software).

Deprecated. Search CVE Information - powered by circl.lu

Deprecated. Manage Endpoints using Cylance protect

Deprecated. Malware detection and analysis based on code reuse.

Deprecated. Use Kenna v2.

Deprecated. Use LockPath KeyLight v2.

Deprecated. Provides threat analysts and incident response teams with the advanced malware isolation and inspection environment, needed to safely execute advanced malware samples and understand their behavior.

Deprecated. Magnifier Behavioral Analytics empowers organizations to quickly find and stop the stealthiest network threats.

Deprecated. Malware Information Sharing Platform and Threat Sharing (This integration is deprecated, use MISP V2 instead)

Deprecated. Creates Access Key and Secret Key for Mimecast API

Deprecated. Mimecast unified email management offers cloud email services for email security, continuity and archiving emails

Deprecated. Exchange Web Services and Office 365 (mail)

Deprecated. Human-vetted, Phishing-specific Threat Intelligence from Phishme. Deprecated. Use the Cofense Intelligence integration instead.

Deprecated. Use The Generic SQL integration instead.

Deprecated. Proofpoint's Targeted Attack Protection (TAP) helps protect against and provide additional visibility into phishing and other malicious email attacks.

Deprecated. Use the Have I Been Pwned? V2 integration instead. Checks whether emails or domains have been compromised in recent breaches, using the Have I Been Pwned? service.

Deprecated. SafeBreach simulates attacks across the kill chain, to validate security policy, configuration, and effectiveness. Quantify the real impact of a cyber attack on your systems at any given moment. Identify remediation options. Stay ahead of attackers.

Deprecated. use Shodan v2 instead. Search engine for Internet-connected devices.

Deprecated. Query the Symantec Endpoint Protection Manager using the official REST API- DEPRECATED. Please use Symantec Endpoint Protection V2 integration instead.

Deprecated. Perform malware dynamic analysis

Deprecated. AWS - amazon public cloud , EC2 service

Deprecated. Issue tracking product, developed by Atlassian

Deprecated. At the heart of the solution, the Metadefender multi-scanning engine uses 30+ anti-malware engines to scan files for threats, significantly increasing malware detection.

Deprecated. Secdo's automated incident response platform hunts threats in real time and delivers an endpoint detection and response solution.

Deprecated. Create and Manage Azure Virtual Machines

Deprecated. Unified security management and advanced threat protection across hybrid cloud workloads.

Deprecated. Analyzes suspicious domains and IP addresses

Deprecated. We recommend using ExtraHop Reveal(x) instead. ExtraHop performs real-time stream analysis of the packets that carry data across a network.

Deprecated. We recommend using the Cortex Data Lake integration instead. This framework manages all PA's cloud managed products

Deprecated. MineMeld streamlines the aggregation, enforcement and sharing of threat intelligence.

Deprecated. Use the "Palo Alto Networks - Hunting And Threat Detection"\ \ playbook instead. Integrations list - Cortex (Traps, PAN-OS, Analytics)\nThis is a multipurpose\ \ playbook used for hunting and threat detection. The playbook receives inputs based\ \ on hashes, IP addresses, or domain names provided manually or from outputs by\ \ other playbooks. \nWith the received indicators, the playbook leverages Palo Alto\ \ Cortex data received by products such as Traps, Analytics and Pan-OS to search\ \ for IP addresses and hosts related to that specific hash. \nThe output provided\ \ by the playbook facilitates pivoting searches for possibly affected hosts, IP\ \ addresses, or users.

Deprecated. Use the "Palo Alto Networks - Endpoint Malware Investigation v3"\ \ playbook instead. This playbook is triggered by a Palo Alto Networks Cortex threat alert,\ \ generated by Traps. The playbook performs host enrichment for the source host\ \ with Palo Alto Networks Traps, enriches information for the suspicious file with\ \ Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation\ \ for the extracted file. It then performs IOC enrichment with Minemeld for all\ \ related IOCs, and calculates the incident severity based on all the findings.\ \ In addition we detonate the file for the full analysis report. \nThe analyst can\ \ perform a manual memory dump for the suspected endpoint based on the incident’s\ \ severity, and choose to isolate the source endpoint with Traps.\nHunting tasks\ \ to find more endpoints that are infected is performed automatically based on a\ \ playbook input, and after all infected endpoints are found, remediation for all\ \ malicious IOCs is performed, including file quarantine, and IP and URLs blocking\ \ with Palo Alto Networks FireWall components such as Dynamic Address Groups and\ \ Custom URL Categories.\nAfter the investigation review the incident is automatically\ \ closed.

Deprecated. Use the "Account Enrichment - Generic v2.1" playbook instead.\ \ Enrich the accounts under the Account context key with details from relevant integrations such as AD.

Deprecated. Use "Account Enrichment - Generic v2.1" playbook instead.\ \ Enrich Accounts using one or more integrations

Deprecated. Use "Account Enrichment - Generic v2.1" playbook instead.\ \ Enrich accounts using one or more integrations. Supported integrations - - Active Directory

Deprecated. Add indicators to the relevant Miner using MineMeld.

Deprecated. Use "Block File - Generic v2" playbook instead. A generic playbook for blocking files from running on endpoints. This playbook currently supports Carbon Black Enterprise Response.

Deprecated. Use "Block IP - Generic v2" playbook instead. This playbook blocks malicious IPs using all integrations that you have enabled.

Supported integrations for this playbook:

• Check Point Firewall
• Palo Alto Networks Minemeld
• Palo Alto Networks Panorama
• Zscaler

Deprecated. We recommend using the 'Block Indicators - Generic v2' playbook instead.
This playbook blocks malicious indicators using all integrations that are enabled.

Supported integrations for this playbook:

• Active Directory
• Check Point Firewall
• Palo Alto Networks Minemeld
• Palo Alto Networks Panorama
• Zscaler
• Carbon Black Enterprise Response

Deprecated. A playbook to use the latest Threat Intelligence to hunt across your infrastructure and look for malicious C&C communications.

Deprecated. Use Calculate Severity - Critical Assets v2 playbook instead. Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of \"Critical\" if a critical asset is associated with the investigation.\n\nThis playbook verifies if a user account or an endpoint is part of a critical list or a critical AD group.

Deprecated. Use "Calculate Severity - Generic v2" playbook instead. Calculates and assign the incident severity based on the highest returned severity level from the following severity calculations:

• Indicators DBotScore - Calculates the incident severity level according to the highest indicator DBotScore.
• Critical assets - Determines if a critical assest is associated with the invesigation.
• 3rd-party integrations - Calculates the incident severity level according to the methodology of a 3rd-party integration.

NOTE: the new severity level overwrites the previous severity level even if the previous severity level was more severe.

Deprecated. Use "Search Endpoints By Hash - Carbon Black Response V2" playbook instead. Hunt for malicious indicators using Carbon Black

Deprecated. Triggers a backup task on each firewall appliance and pulls the resulting file into the war room via SCP.

Deprecated. Use "CrowdStrike Rapid IOC Hunting v2" playbook instead. Hunt for endpoint activity involving hash and domain IOCs, using Crowdstrike Falcon Host.\nAlso use AnalystEmail label to determine where to send an email alert if something is found.

Deprecated. Use "DBot Create Phishing Classifier V2" playbook instead. Create a phishing classifier using machine learning technique, based on email content

Deprecated. Use "DBot Create Phishing Classifier V2" playbook instead. Train the phishing machine learning model. This playbook should be used as job, to run repeatedly, for example every week.

Deprecated. Check for duplicate incidents for the current incident, and close it if any duplicate has found.

Deprecated. Check for duplicate incidents for the current incident, and close it if any duplicate has been found by machine-learning find duplicates automation.

Deprecated. Use "Dedup - Generic v2" playbook instead. This playbook identifies duplicate incidents using one of the supported methods.

Deprecated. Get list of Demisto users through the REST API, and alert if any non-SAML user accounts are found.

Deprecated. Use "Domain Enrichment - Generic v2" playbook instead. Enrich Domain using one or more integrations.
Domain enrichment includes:

• Domain reputation
• Threat information

Deprecated. Use "Email Address Enrichment - Generic v2.1" playbook instead. Get email address reputation using one or more integrations

Deprecated. Use "Email Address Enrichment - Generic v2.1" playbook instead. Enrich email addresses. Email address enrichment involves:

• Getting information from Active Directory for internal addresses
• Getting the domain-squatting reputation for external addresses

Deprecated. Use "Endpoint Enrichment - Generic v2.1" playbook instead. Enrich an Endpoint Hostname using one or more integrations

Deprecated. Use "Endpoint Enrichment - Generic v2.1" playbook instead. Enrich an endpoint by hostname using one or more integrations.
Currently, the following integrations are supported:

• Active Directory
• McAfee ePolicy Orchestrator
• Carbon Black Enterprise Response
• Cylance Protect
• CrowdStrike Falcon Host

Deprecated. Generic playbook to collect data from endpoints for IR purposes. Will use whichever integrations are configured and available.

Deprecated. Use "Enrich DXL with ATD verdict v2" playbook instead. Example of using McAfee ATD and pushing any malicious verdicts over DXL.
Detonates a file in ATD and if malicious - push its MD5, SHA1 and SHA256 hashes to McAfee DXL.

Deprecated. Use "Enrich McAfee DXL using 3rd party sandbox v2" playbook instead. Example of bridging DXL to a third party sandbox.
Detonate a file in Wildfire and if malicious - push its MD5, SHA1 and SHA256 hashes to McAfee DXL.

Deprecated. We recommend using Entity Enrichment - Generic playbook instead. Enrich data with reputation. Data is expected to be found in the standard locations like File, URL, IP.

Deprecated. Use "Entity Enrichment - Generic v3" playbook instead. Enrich entities using one or more integrations

Deprecated. Use the "ExtraHop - Ticket Tracking v2" playbook instead.\ \ Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes.

Deprecated. We recommend using extractIndicators command instead.
Extract indicators from input data.

Deprecated. Use the "Extract Indicators From File - Generic v2" playbook instead.\
\ Extracts indicators from a file.
Supported file types:

• PDF
• TXT
• HTM, HTML
• DOC, DOCX

Deprecated. Use the Slack - General Failed Logins v2.1 playbook. When there are three failed login attempts to Demisto that originate from the same user ID, a direct message is sent to the user on Slack requesting that they confirm the activity. If the reply is "no", then the incident severity is set to "high". If the reply is "yes", then another direct message is sent to the user asking if they require a password reset in AD.

Deprecated. Use the Failed Login - Slack v2 playbook instead.

Deprecated. Use "File Enrichment - Generic v2" playbook instead. Enrich a file using one or more integrations.

File enrichment includes:

• File history
• Threat information
• File reputation

Deprecated. Use "Get File Sample By Hash - Generic v2" playbook instead. Returns to the war-room a file sample correlating from a hash using one or more products

Deprecated. Use the "Get Mails By Folder Paths" playbook instead.

Deprecated. Use the Hunt Extracted Hashes V2 playbook instead. This playbook extracts IOCs from the incident details and attached\ \ files using regular expressions and then hunts for hashes on endpoints in the organization\ \ using available tools.\nThe playbook supports multiple types of attachments. For\ \ the full supported attachments list, refer to \"Extract Indicators From\ \ File - Generic v2\".

Deprecated. Use the Search Endpoints By Hash playbook. Assume that malicious IOCs are in the right place in the context and start hunting using available tools.

Deprecated. Enrich IP using one or more integrations.

IP enrichment includes:

• Resolve IP to Hostname (DNS)
• Threat information
• Separate internal and external addresses
• IP reputation
• For internal addresses, get host information

Deprecated. We recommend using Default playbook instead. Enrich data with reputation from the incident. Data is extracted to the standard locations like File, URL, IP.

Deprecated. Use "Endpoint Malware Investigation - Generic" playbook instead. Investigate a malware using one or more integrations

Deprecated. Verify file sample and hostname information for the "Malware Investigation - Generic" playbook.
If the file sample or hostname are missing, the playbook will attempt to retrieve them using one or more integrations

Deprecated. Use "McAfee ePO Endpoint Connectivity Diagnostics Playbook V2" playbook instead. Perform a check on ePO endpoints to see if any endpoints are unmanaged or lost connectivity with ePO and take steps to return to valid state.

Deprecated. Use "McAfee ePO Endpoint Compliance Playbook v2" playbook instead. Discover endpoints that are not using the latest McAfee AV Signatures

Deprecated. Use "McAfee ePO Repository Compliance Playbook v2" playbook instead. Ensures that ePO servers are updated to the latest McAfee published AV signatures (DAT file version).

Deprecated. Use "PAN-OS - Block IP and URL - External Dynamic List v2" playbook instead. This playbook blocks IP addresses and URLs using Palo Alto Networks Panorama or Firewall External Dynamic Lists.
It checks if the EDL configuration is in place with the 'PAN-OS EDL Setup' sub-playbook (otherwise the list will be configured), and adds the input IPs and URLs to the relevant lists.

Deprecated. Use PAN-OS EDL Setup v3 playbook instead. Configures an external dynamic list in PAN-OS.\nIn the event that the file exists on the web server, it will sync it to demisto. Then it will create an EDL object and a matching rule.

Deprecated. Use "PAN-OS EDL Setup v3" playbook instead. Configures an external dynamic list in PAN-OS.
In the event that the file exists on the web server, it will sync it to demisto. Then it will create an EDL object and a matching rule.

Deprecated. Use the "PANW - Hunting and threat detection by indicator type V2" playbook instead.

Deprecated. - Use PAN-OS Commit Configuration instead.\nIf specified as Panorama, will also push the Policies to the specified Device Group in the instance. (please use pan-os-commit-configuration instead)

Deprecated. Use "PAN-OS Query Logs For Indicators" playbook instead. Queries traffic logs in a PAN-OS Panorama or Firewall device.

Deprecated. We recommend using Phishing investigation - Generic playbook instead.
This is an automated playbook to investigate suspected Phishing attempts.
It picks up the required information from the incident metadata as created by the mail listener.
Labels:

• Email/from: Email address of the user targeted by the suspected phishing attempt, who reported the email by forwarding it
• Email: the to recipients
• Email/cc: the cc recipients
• Email/format: the format of the email - text / html / etc.
• Email/html: the html body
• Email/text: the text body
• Email/subject: subject of the email
• Email/attachments: list of attachments
• Email/headers: the headers for the email

Deprecated. Use "Phishing Investigation - Generic v2" playbook instead. Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself.
The final remediation tasks are always decided by a human analyst.

Deprecated. We recommend using Process Email - Generic playbook instead. Add email details into the relevant context entities and handle the case where you have attached original emails.

Deprecated. We recommend using Process Email - Generic playbook instead. Process email - Add email data to a phishing incident's custom fields

Deprecated. Use the QRadar - Get offense correlations v2 instead.\"\nRun on a QRadar offense to get more information\n\n* Get all correlations relevant to the offense\n* Get all logs relevant to the correlations (not done by default, set "GetCorrelationLogs\" to \"True\")\n\nInputs-\n* GetCorrelationLogs (default - False)\n* MaxLogsCount (default - 20)

Deprecated. Use the Hunt File Hash playbook instead. Playbook to quickly react to discovery of new IOCs. Receive a list of IOCs as attached text / csv files, extract IOCs using regular expressions and hunt rapidly across the infrastructure using various integrations. Also supports attaching multiple files.

Deprecated. Use the Search Search Endpoints By Hash - Carbon Black Response V2 playbook instead. Hunt for malicious indicators using Carbon Black.

Deprecated. Use the Search Endpoints By Hash - Generic V2 playbook instead. Hunt using available tools

Deprecated. Use "URL Enrichment - Generic v2" playbook instead. Enrich URL using one or more integrations.

URL enrichment includes:

• Verify URL SSL
• Threat information
• URL reputaiton
• Take URL screenshot

Deprecated. Add information about the vulnerability and asset from the "Vulnerability Handling - Qualys" playbook data to the default "Vulnerability" layout.

Deprecated. Manage vulnerability remediation using Qualys data, and optionally enrich data with 3rd-party tools.

Before you run this playbook, run the "Vulnerability Management - Qualys (Job)" playbook.

Deprecated. Use "Malware Investigation - Manual" playbook instead. Master playbook for investigating suspected malware presence on an endpoint.
Labels:

• System: the hostname for the endpoint being investigated

Deprecated. Expire the password of an Active Directory user.

Deprecated. Use Active Directory to retrieve the email address associated with all users.

Deprecated. Use Active Directory to get common groups between supplied users.

Deprecated. Use the ad-get-computer command in the Active Directory Query v2 instead.
Use Active Directory to retrieve detailed information about a computer account. The computer can be specified by name, email, or as an Active Directory Distinguished Name (DN).
If no filters are provided, the result will show all computers.

Deprecated. Use Active Directory to retrieve the groups in which the specified computer is a member. The member computer can be specified by name or by DN.

Deprecated. Use Active Directory to retrieve the email address associated with all users.

Deprecated. Use Active Directory to retrieve the email address associated with the specified user. The user can be specified by name, email or as an Active Directory Distinguished Name (DN).

Deprecated. Use Active Directory to retrieve the list of computers that are members of the specified group. Group must be given by its AD Distinguished Name. The \"attributes\" argument receives a comma-separated list of additional attributes you wish to be displayed in the results.\nExample usage - !ADGetGroupComputers groupdn=\"CN=ImportantComputers,DC=demisto,DC=com\" attributes=operatingsystem

Deprecated. Use Active Directory to retrieve the list of users or computers that are members of the specified group. Group must be given by its AD Distinguished Name. The attributes argument receives a comma-separated list of additional attributes you wish to be displayed in the results.nExample usage !ADGetGroupMembers memberType=user groupdn=CN=Administrators,CN=Builtin,DC=acme,DC=int attributes=name,email

Deprecated. Use Active Directory to retrieve the list of users who are members of the specified group. Group must be given by its AD Distinguished Name. The \"attributes\" argument receives a comma-separated list of additional attributes you wish to be displayed in the results.\nExample usage !ADGetGroupUsers groupdn=CN=Domain Admins,CN=Users,DC=demisto,DC=com attributes=badPwdCount,memberOf

Deprecated. Use Active Directory to retrieve the groups in which the specified user is a member. The user can be specified by name, email or as an Active Directory Distinguished Name (DN).

Deprecated. Use Active Directory to retrieve the user associated with the specified email address.

Deprecated. Use Active Directory to check if the specified user is a member of the specified group. Returns simply yes/no. The user can be specified by name, email or as an Active Directory Distinguished Name (DN).

Deprecated. Retrieve the list of Computer objects stored in Active Directory. Use the attributes argument to include specific attributes in the results.

Deprecated. Retrieve the list of User objects stored in Active Directory. Use the "attributes" argument to include specific attributes in the results.

Deprecated. Retrieve the list of User objects stored in Active Directory and include an extended list of attributes and information about each user. Use the "attributes" argument to include additional specific attributes in the results.

Deprecated. Set a new password for an Active Directory user

Deprecated. Use Active Directory to retrieve detailed information about a user account. The user can be specified by name, email or as an Active Directory Distinguished Name (DN).

Deprecated. Run Active Directory queries

Deprecated. Aggregating several context items for IOCs into a single list

Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.

Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.

Deprecated. Get AWS EC2 instance details

Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.

Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.

Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.

Deprecated. Get reputation for any hash or file in the incident details

Deprecated. Blocks IP in configured firewall

Deprecated. Search Carbon Black for connection to specified md5 hash(es).

Deprecated. use the cb-binary command and cb-get-processes command, instead.

Deprecated. Block one or more IP addresses using Checkpoint Firewall.

Deprecated. Connect to a checkpoint firewall appliance using SSH and trigger a task to create a configuration backup of the device. The user account being used to access the device must be set to use the SSH shell and not the built in Checkpoint CLI. Consult the Checkpoint documentation for instructions on how to do this.

Deprecated. Delete access rule objects configured in Checkpoint FW.

Deprecated. Set attributes of an access rule object configured in Checkpoint FW.

Deprecated. Show items in an access rulebase configured in Checkpoint FW.

Deprecated. Connect to a checkpoint firewall appliance using SSH and retrieve status for backup tasks. The user account being used to access the device must be set to use the SSH shell and not the built in Checkpoint CLI. Consult the Checkpoint documentation for instructions on how to do this.

Deprecated. Show host objects configured in Checkpoint FW.

Deprecated. Shows status of a checkpoint task by task uuid.

Deprecated. Query CrowdStrike actors based on given parameters. For fields like countries and industries, multiple values can be passed separated by ','.

Deprecated. List the number devices that match each IOC in query - limited to sha256, sha1, md5 and domain types

Deprecated. List devices that match a specific IOC - an IOC ran on them - limited to sha256, sha1, md5 and domain types

Deprecated. Query CrowdStrike indicators based on given parameters.

Deprecated. This script is deprecated. Use the Cylance integration instead.

Deprecated. Iterate on all file artifacts in the investigation and return details of positives

Deprecated. use "WildFire - Detonate File" playbook instead

Deprecated. Get reputation for IPs in the incident or given raw text

Deprecated. Check the URLs in the incident, or raw text provided as argument, for malicious URLs

Deprecated. Check whether the given item is in the whitelist

Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.

Deprecated. Close an investigation

Deprecated. Common code that will be merged into each server integration when it runs

Deprecated. Common code that will be merged into each server integration when it runs

Deprecated. Display the incident details retrieved from Confer in a readable format

Deprecated. Set incident severity according to indicators found in an confer alert

Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.

Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.

Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.

Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.

Deprecated. Evaluate reputation of a URL and Domain and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned.

Deprecated. Evaluate reputation of a hash and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned.

Deprecated. Evaluate reputation of an IP and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned.

Deprecated. Evaluate reputation of a URL and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned.

Deprecated. Classify an incident from mail.

Deprecated. Delete an incident from Demisto (note action is irreversible)

Deprecated. Check latest version of the DAT AV signature update.

Deprecated. Holds the logic to choose the ePO repositories to operate on when executing the containing playbook. In the simple default script provided, the instance name is picked manually.

Deprecated. List all configured instances of ePO integration.

Deprecated. Check a list of ePO servers to see if they are up to date.

Deprecated. Retrieve DAT version currently installed in the given ePO server

Deprecated. Trigger an ePO Client Task to update AV signatures for specific endpoints

Deprecated. Trigger a Server Task in specific ePO servers to pull latest signatures from update server

Deprecated. Use the Elasticsearch v2 integration instead.

Runs an Elasticsearch query and displays results in a table.

Deprecated. Use the Elasticsearch v2 integration instead.

Run a search query using Elasticsearch

Deprecated. Example of using McAfee ESM (Nitro) with advanced filters

Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead.

Deprecated. Delete Mails with ID's under the context key "ExchangeItemIDs"

Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead.

Deprecated. Search mails in Exchange Web Server

Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead.

Deprecated. Retruns Demisto list

Deprecated. Returns all Demisto modules (integrations instances)

Deprecated. Returns Demisto users

Deprecated. We recommend using extractIndicators command instead. Extract Domains from the given text and place them both as output and in the context of a playbook. If given an object, will convert to JSON.

Deprecated. Extract Domain from a URL. Domain will include sub-domain as well

Deprecated. We recommend using extractIndicators command instead. Extract Emails from the given text and place them both as output and in the context of a playbook. If given an object, will convert to JSON.

Deprecated. We recommend using extractIndicators command instead. Extract md5, sha1, sha256 from the given text and place them both as output and in the context of a playbook

Deprecated. We recommend using extractIndicators command instead. Extract IPs from the given text and place them both as output and in the context of a playbook.

Deprecated. We recommend using extractIndicators command instead. Extract URLs from the given text and place them both as output and in the context of a playbook. If given an object, will convert to JSON.

Deprecated. The script returns a value from context

Deprecated. Find duplicate incidents candidates. Using machine learning techniques with pre-defined data (can also use data from the local environment), this script takes into consideration different features such as - labels comparison, email labels (relevant for phishing), incident time difference and shared indicators, which can be customized by the arguments.

Deprecated. This script is deprecated. The demistobot endpoint is no longer supported.

Deprecated. Fetch info on specific user

Deprecated. Retrieves a list of all roleAssignments.

Deprecated. Gets the specified message.

Deprecated. Search the messages in the user's mailbox.

Deprecated. Retrieves a paginated list of either deleted users or all users in a domain

Deprecated. Deletes a role assignment.

Deprecated. Extract IPs from the given text and place them both as output and in the context of a playbook

Deprecated. Query ipinfo.io regarding an IP address. Returns a table, or if a specific field is selected, just the value for that field as a string.

Deprecated. Modify incident info such as name, owner, type, etc.

Deprecated. Inserts incident info and labels into context for use inside playbooks.

Deprecated. Finds a CSV file in the war room and loads it into context.

Deprecated. Send a notification to another user and add user to the team

Deprecated. Check if a context key is set. Can also optionally provide a value argument to compare against context data for this key.

Deprecated. Returns 'yes' if IP is in subent. Otherwise returns 'no'

Deprecated. Create a new issue on Jira

Deprecated. Fetch issue from Jira

Deprecated. Add new comment to existing Jira issue

Deprecated. Creates (or updates) issue link

Deprecated. Query Jira issues

Deprecated. Upload a file attachments to an issue

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. Identify whether the incident includes an attached file. Optional typefilter argument can be used to only match if the filetype includes that string. Same for filename. Filetype is according to the linux "file" command (filemagic format identification).

Deprecated. Extract md5s from the given text and place them both as output and in the context of a playbook

Deprecated. Creates a new scan

Deprecated. Get report for a scan. Triggers an export in the requested file format, waits 5 minutes for it to complete (or whatever timeout given as an argument) , and downloads the report.

Deprecated. Display information about a host within the given scan. The numerical host ID can be retrieved using NessusScanDetails "hosts" section

Deprecated. Launch an existing scan.

Deprecated. Display the list of folders and scans from Nessus.

Deprecated. Show information about the specified scan.

Deprecated. Retrieve current status for the specified scan.

Deprecated. Show templates of the scan editor including the UUIDs needed to create a new scan.

Deprecated. Update information for NetWitness SA incidents.

Deprecated. Activate user

Deprecated. Creates a new user with an option of setting password, recovery question & answer. The new user will immediately be able to login after activation with the assigned password. This flow is common when developing a custom user registration experience.

Deprecated. Deactivate user

Deprecated. Get all user groups

Deprecated. Fetches a specific user when you know the user’s login, please note that one of the parameters bellow is mandatory.

Deprecated. Search for Okta users

Deprecated. Set a new password for user

Deprecated. Update user with a given login, all fields are optional, fields which are not set will not be overriden

Deprecated. Retrieve details for a specific event from ProtectWise

Deprecated. Retrieve information about a PCAP related to the specified event.

Deprecated. Retrieve events from ProtectWise. If query does not include a time range - default to the last 24 hrs.

Deprecated. Retrieve events from ProtectWise. If query does not include a time range - default to the last 24 hrs.

Deprecated. Display details about the specified ProtectWise Observation.

Deprecated. Display information about the PCAPs related to the specified ProtectWise Observations.

Deprecated. Query for ProtectWise observations. Supports a comma-separated list of sensor IDs - will query each sensor with the given parameters.

Deprecated. List the available ProtectWise sensors or retrieve information for a specific sensor using its id

Deprecated. Blocks IP with Panorama

Deprecated. Commit configuration to panorama

Deprecated. Set panorama configuration

Deprecated. Register/Unregister to address group with Panorama

Deprecated. Use the "panorama-move-rule" command instead.

Deprecated. Use the "panorama-get-pcap" command instead.

Deprecated. Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. Requires pip and access to python repository to install "olefile" package. This script is deprecated, use ParseEmailFiles.

Deprecated. use ParseEmailFiles parse_only_headers=true. This automation parses headers from an email file.

Deprecated. Full search through QRadar advance query languages

Deprecated. Gets a specific search id

Deprecated. Gets search results

Deprecated. Gets offenses from qradar

Deprecated. Searches in QRadar

Deprecated. Load the contents and metadata of a PDF file into context.

Deprecated. Query a relational DB using SQL

Deprecated. Scans ip/hostname with Symantec Endpoint Protection. DEPRECATED - this automation is deprecated as it was replaced by sep-scan-endpoint command in 'Symantec Endpoint Protection V2' integration.

Deprecated. List tickets from ServiceNow

Deprecated. Create a ServiceNow ticket.

Deprecated. Update a ServiceNow ticket.

Deprecated. This script is deprecated. Use the available generic file detonation playbooks instead.

Deprecated. use SearchIncidentsV2 instead.

Deprecated. please use the send-mail command instead Send an email with the specified parameters. Attachments are provided as a comma-separated list of entry IDs. Example usage - !SendEmail subject="File from war room" body="Please see the attached file. --DBot" to=jane@acme.com cc=john@acme.com attachIDs=89@3,46@3

Deprecated. Sets current incident custom fields. (Deprecated. Use the setIncident command to set incident custom fields.)

Deprecated. Calculate a weighted score based on number of malicious indicators involved in the incident. Each indicator type can have a different weight. Finally if score exceeds certain thresholds, increase incident severity. Thresholds can also be overriden by providing them in arguments.

Deprecated. Mirror an incident to a Slack private channel. You can chose what to mirror with the type argument. A Slack private channel will be created and the incident team invited. Messages on Slack will be reflected in the war room and vice versa.

Deprecated. Send messages to Slack teams

Deprecated. Classify an incident created from an email originating from Splunk.\nThe mail type should be in plain text, and inline - table should be selected.\nParsing is done in the following manner -\ntype is the header sourcetype, severity is the mail importance level, \nthe incident name is the mail subject and the systems are taken from host.

Deprecated. Run a query through Splunk and format the results as a table

Deprecated. Run a query through Splunk and format the results as a markdown with raw data parsed as JSON

Deprecated. Approve all pending actions using the specified package names.

Deprecated. Send a request for a formatted result of a saved question. To receive the most up to date data, run the same command twice. See https://kb.tanium.com/SOAP for more information

Deprecated. TaniumAskQuestionComplex - same as the AskQuestion command with additional filtering prepared by the script (an XML subsection added to the request).

Deprecated. Execute an action, optionally with parameters, and filtering - based on an existing package. See https://kb.tanium.com/SOAP for more information

Deprecated. TaniumAskQuestionComplex - same as the AskQuestion command with additional filtering prepared by the script (an XML subsection added to the request).

Deprecated. Send a request for a formatted result of a saved question. To receive the most up to date data, run the same command twice. See https://kb.tanium.com/SOAP for more information

Deprecated. Process a suspected email and check URLs, attachments and sender via reputation services

Deprecated. Extract URLs from the given text and place them both as output and in the context of a playbook

Deprecated. use "Detonate File - VMRay playbook instead"

Deprecated. use "Detonate File - VMRay playbook instead"

Deprecated. Classifying Vectra incidents

Deprecated. Detection objects contain all the information related to security events detected on the network

Deprecated. Get detections by host id

Deprecated. Get host by id

Deprecated. The health configuration can be used to retrieve system health statistics such as subnet counts, traffic bandwidth, headend and sensor information

Deprecated. Host information includes data that correlates the host data to detected security events

Deprecated. The sensors branch can retrieve a listing of sensors that collect and feed data to the X-series

Deprecated. The settings information includes S-series sensor and X-series configurations input by the administrator

Deprecated. Summarize a Vectra incident (after incident was put into context)\nThe script extract malicious ip's and hashes if exists

Deprecated. The rules branch can be used to retrieve a listing of configured Triage rules

Deprecated. Query Virustotal with a file hash

Deprecated. While loop is utility script, to do while loops on specific commands or scripts, it will allow you to loop over until ${keyToWatch} field is in the context. Please make sure timeout of the script also sufficient for the loop.

Deprecated. While not MD loop is utility script, to do while loops on specific commands, it will allow you to loop over until some condition is fulfilled (Contents (MD) != value). Please make sure timeout of the script also sufficient for the loop.

Deprecated. Do WHOIS lookup on multiple domains

Deprecated. A simple script that outputs a shorter summary of the !whois command output

Deprecated. Use the "wildfire-report" command instead.

Deprecated. Use the "wildfire-upload" command instead.

Deprecated. This script is deprecated. Use the Exabeam integration instead.

Deprecated. This script is deprecated. Use the Exabeam integration instead.

Deprecated. This script is deprecated. Use the Exabeam integration instead.

Deprecated. This script is deprecated. Use the Exabeam integration instead.

Deprecated. This script is deprecated. Use the Exabeam integration instead.

Deprecated. This script is deprecated. Use the Exabeam integration instead.

Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.

Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.

Deprecated. The recommended way to generate documentation is via the demisto-sdk.
See: https://xsoar.pan.dev/docs/integrations/integration-docs

Deprecated. The recommended way to generate documentation is via the demisto-sdk.
See: https://xsoar.pan.dev/docs/integrations/integration-docs

Deprecated. Use UnEscapeURLs instead. Decode ProofPoint URLs to get the actual URLs.

Deprecated. Use the SlackAsk script instead.