Deprecated Content

Deprecated. Malware detection and analysis based on code reuse.

Deprecated. Provides threat analysts and incident response teams with the advanced malware isolation and inspection environment, needed to safely execute advanced malware samples and understand their behavior.

Deprecated. SafeBreach simulates attacks across the kill chain, to validate security policy, configuration, and effectiveness. Quantify the real impact of a cyber attack on your systems at any given moment. Identify remediation options. Stay ahead of attackers.

Deprecated. Mimecast unified email management offers cloud email services for email security, continuity and archiving emails

Deprecated. Use LockPath KeyLight v2.

Deprecated. Perform malware dynamic analysis

Deprecated. Analyzes suspicious domains and IP addresses

Deprecated. Exchange Web Services and Office 365 (mail)

Deprecated. We recommend using AlienVault OTX v2 instead. Query IOCs in AlienVault

Deprecated. Issue tracking product, developed by Atlassian

Deprecated. Unified security management and advanced threat protection across hybrid cloud workloads.

Deprecated. Use the Have I Been Pwned? V2 integration instead. Checks whether emails or domains have been compromised in recent breaches, using the Have I Been Pwned? service.

Deprecated. Create and Manage Azure Virtual Machines

Deprecated. Search CVE Information - powered by circl.lu

Deprecated. AWS - amazon public cloud , EC2 service

Deprecated. ArcSight ESM SIEM by Micro Focus (Formerly HPE Software).

Deprecated. Manage Endpoints using Cylance protect

Deprecated. We recommend using ExtraHop Reveal(x) instead. ExtraHop performs real-time stream analysis of the packets that carry data across a network.

Deprecated. Secdo's automated incident response platform hunts threats in real time and delivers an endpoint detection and response solution.

Deprecated. At the heart of the solution, the Metadefender multi-scanning engine uses 30+ anti-malware engines to scan files for threats, significantly increasing malware detection.

Deprecated. We recommend using the Cortex Data Lake integration instead. This framework manages all PA's cloud managed products

Deprecated. Proofpoint's Targeted Attack Protection (TAP) helps protect against and provide additional visibility into phishing and other malicious email attacks.

Deprecated. use Shodan v2 instead. Search engine for Internet-connected devices.

Deprecated. Creates Access Key and Secret Key for Mimecast API

Deprecated. Query the Symantec Endpoint Protection Manager using the official REST API- DEPRECATED. Please use Symantec Endpoint Protection V2 integration instead.

Deprecated. Malware Information Sharing Platform and Threat Sharing (This integration is deprecated, use MISP V2 instead)

Deprecated. Human-vetted, Phishing-specific Threat Intelligence from Phishme. Deprecated. Use the Cofense Intelligence integration instead.

Deprecated. Use The Generic SQL integration instead.

Deprecated. Use Kenna v2.

Deprecated. MineMeld streamlines the aggregation, enforcement and sharing of threat intelligence.

Deprecated. Magnifier Behavioral Analytics empowers organizations to quickly find and stop the stealthiest network threats.

Deprecated. Common code that will be merged into each server integration when it runs

Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.

Deprecated. Detection objects contain all the information related to security events detected on the network

Deprecated. Use the "panorama-get-pcap" command instead.

Deprecated. Search mails in Exchange Web Server

Deprecated. Query Jira issues

Deprecated. Deactivate user

Deprecated. Retrieve events from ProtectWise. If query does not include a time range - default to the last 24 hrs.

Deprecated. This script is deprecated. Use the Cylance integration instead.

Deprecated. Inserts incident info and labels into context for use inside playbooks.

Deprecated. Add new comment to existing Jira issue

Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.

Deprecated. Retrieve details for a specific event from ProtectWise

Deprecated. Execute an action, optionally with parameters, and filtering - based on an existing package. See https://kb.tanium.com/SOAP for more information

Deprecated. Classify an incident from mail.

Deprecated. Extract URLs from the given text and place them both as output and in the context of a playbook

Deprecated. Query a relational DB using SQL

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. Mirror an incident to a Slack private channel. You can chose what to mirror with the type argument. A Slack private channel will be created and the incident team invited. Messages on Slack will be reflected in the war room and vice versa.

Deprecated. Display information about the PCAPs related to the specified ProtectWise Observations.

Deprecated. Gets a specific search id

Deprecated. Calculate a weighted score based on number of malicious indicators involved in the incident. Each indicator type can have a different weight. Finally if score exceeds certain thresholds, increase incident severity. Thresholds can also be overriden by providing them in arguments.

Deprecated. Find duplicate incidents candidates. Using machine learning techniques with pre-defined data (can also use data from the local environment), this script takes into consideration different features such as - labels comparison, email labels (relevant for phishing), incident time difference and shared indicators, which can be customized by the arguments.

Deprecated. Returns all Demisto modules (integrations instances)

Deprecated. Trigger an ePO Client Task to update AV signatures for specific endpoints

Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.

Deprecated. TaniumAskQuestionComplex - same as the AskQuestion command with additional filtering prepared by the script (an XML subsection added to the request).

Deprecated. Sets current incident custom fields. (Deprecated. Use the setIncident command to set incident custom fields.)

Deprecated. Deletes a role assignment.

Deprecated. Query CrowdStrike indicators based on given parameters.

Deprecated. Check whether the given item is in the whitelist

Deprecated. use "WildFire - Detonate File" playbook instead

Deprecated. This script is deprecated. Use the Exabeam integration instead.

Deprecated. Query for ProtectWise observations. Supports a comma-separated list of sensor IDs - will query each sensor with the given parameters.

Deprecated. Retrieve events from ProtectWise. If query does not include a time range - default to the last 24 hrs.

Deprecated. Finds a CSV file in the war room and loads it into context.

Deprecated. Commit configuration to panorama

Deprecated. Send messages to Slack teams

Deprecated. Display details about the specified ProtectWise Observation.

Deprecated. use ParseEmailFiles parse_only_headers=true. This automation parses headers from an email file.

Deprecated. While loop is utility script, to do while loops on specific commands or scripts, it will allow you to loop over until ${keyToWatch} field is in the context. Please make sure timeout of the script also sufficient for the loop.

Deprecated. Delete access rule objects configured in Checkpoint FW.

Deprecated. Send a request for a formatted result of a saved question. To receive the most up to date data, run the same command twice. See https://kb.tanium.com/SOAP for more information

Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.

Deprecated. Set a new password for user

Deprecated. We recommend using extractIndicators command instead. Extract Domains from the given text and place them both as output and in the context of a playbook. If given an object, will convert to JSON.

Deprecated. Get all user groups

Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.

Deprecated. Activate user

Deprecated. Send a notification to another user and add user to the team

Deprecated. Common code that will be merged into each server integration when it runs

Deprecated. Evaluate reputation of an IP and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned.

Deprecated. Classifying Vectra incidents

Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.

Deprecated. Creates a new scan

Deprecated. Update a ServiceNow ticket.

Deprecated. Block one or more IP addresses using Checkpoint Firewall.

Deprecated. Query Virustotal with a file hash

Deprecated. Set a new password for an Active Directory user

Deprecated. Send a request for a formatted result of a saved question. To receive the most up to date data, run the same command twice. See https://kb.tanium.com/SOAP for more information

Deprecated. Evaluate reputation of a hash and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned.

Deprecated. Create a new issue on Jira

Deprecated. Use Active Directory to retrieve the groups in which the specified user is a member. The user can be specified by name, email or as an Active Directory Distinguished Name (DN).

Deprecated. We recommend using extractIndicators command instead. Extract Emails from the given text and place them both as output and in the context of a playbook. If given an object, will convert to JSON.

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. Query ipinfo.io regarding an IP address. Returns a table, or if a specific field is selected, just the value for that field as a string.

Deprecated. Do WHOIS lookup on multiple domains

Deprecated. Searches in QRadar

Deprecated. The settings information includes S-series sensor and X-series configurations input by the administrator

Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead.

Deprecated. Display the list of folders and scans from Nessus.

Deprecated. Launch an existing scan.

Deprecated. Blocks IP with Panorama

Deprecated. Returns Demisto users

Deprecated. Check if a context key is set. Can also optionally provide a value argument to compare against context data for this key.

Deprecated. Show information about the specified scan.

Deprecated. This script is deprecated. Use the Exabeam integration instead.

Deprecated. Set incident severity according to indicators found in an confer alert

Deprecated. Use Active Directory to retrieve the user associated with the specified email address.

Deprecated. Host information includes data that correlates the host data to detected security events

Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead.

Deprecated. Aggregating several context items for IOCs into a single list

Deprecated. use "Detonate File - VMRay playbook instead"

Deprecated. Evaluate reputation of a URL and Domain and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned.

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. Run a query through Splunk and format the results as a table

Deprecated. The recommended way to generate documentation is via the demisto-sdk.
See: https://xsoar.pan.dev/docs/integrations/integration-docs

Deprecated. List tickets from ServiceNow

Deprecated. Get reputation for IPs in the incident or given raw text

Deprecated. use the cb-binary command and cb-get-processes command, instead.

Deprecated. Retrieve DAT version currently installed in the given ePO server

Deprecated. please use the send-mail command instead Send an email with the specified parameters. Attachments are provided as a comma-separated list of entry IDs. Example usage - !SendEmail subject="File from war room" body="Please see the attached file. --DBot" to=jane@acme.com cc=john@acme.com attachIDs=89@3,46@3

Deprecated. Blocks IP in configured firewall

Deprecated. Upload a file attachments to an issue

Deprecated. Use the SlackAsk script instead.

Deprecated. Search Carbon Black for connection to specified md5 hash(es).

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. Retrieve current status for the specified scan.

Deprecated. This script is deprecated. The demistobot endpoint is no longer supported.

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. Use Active Directory to retrieve the groups in which the specified computer is a member. The member computer can be specified by name or by DN.

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. Modify incident info such as name, owner, type, etc.

Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.

Deprecated. This script is deprecated. Use the Exabeam integration instead.

Deprecated. Get AWS EC2 instance details

Deprecated. While not MD loop is utility script, to do while loops on specific commands, it will allow you to loop over until some condition is fulfilled (Contents (MD) != value). Please make sure timeout of the script also sufficient for the loop.

Deprecated. Returns 'yes' if IP is in subent. Otherwise returns 'no'

Deprecated. Connect to a checkpoint firewall appliance using SSH and retrieve status for backup tasks. The user account being used to access the device must be set to use the SSH shell and not the built in Checkpoint CLI. Consult the Checkpoint documentation for instructions on how to do this.

Deprecated. Get host by id

Deprecated. Use Active Directory to retrieve the email address associated with all users.

Deprecated. This script is deprecated. Use the Exabeam integration instead.

Deprecated. Creates (or updates) issue link

Deprecated. Use Active Directory to get common groups between supplied users.

Deprecated. Trigger a Server Task in specific ePO servers to pull latest signatures from update server

Deprecated. Show host objects configured in Checkpoint FW.

Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. Set panorama configuration

Deprecated. Retrieve the list of User objects stored in Active Directory. Use the "attributes" argument to include specific attributes in the results.

Deprecated. List the available ProtectWise sensors or retrieve information for a specific sensor using its id

Deprecated. Show templates of the scan editor including the UUIDs needed to create a new scan.

Deprecated. The rules branch can be used to retrieve a listing of configured Triage rules.

Deprecated. Use Active Directory to retrieve detailed information about a user account. The user can be specified by name, email or as an Active Directory Distinguished Name (DN).

Deprecated. Retrieve the list of Computer objects stored in Active Directory. Use the attributes argument to include specific attributes in the results.

Deprecated. Use UnEscapeURLs instead. Decode ProofPoint URLs to get the actual URLs.

Deprecated. We recommend using extractIndicators command instead. Extract md5, sha1, sha256 from the given text and place them both as output and in the context of a playbook

Deprecated. Use Active Directory to retrieve the list of users or computers that are members of the specified group. Group must be given by its AD Distinguished Name. The attributes argument receives a comma-separated list of additional attributes you wish to be displayed in the results.nExample usage !ADGetGroupMembers memberType=user groupdn=CN=Administrators,CN=Builtin,DC=acme,DC=int attributes=name,email

Deprecated. Check a list of ePO servers to see if they are up to date.

Deprecated. Get report for a scan. Triggers an export in the requested file format, waits 5 minutes for it to complete (or whatever timeout given as an argument) , and downloads the report.

Deprecated. Get detections by host id

Deprecated. The script returns a value from context

Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead.

Deprecated. List the number devices that match each IOC in query - limited to sha256, sha1, md5 and domain types

Deprecated. Use the "wildfire-upload" command instead.

Deprecated. Create a ServiceNow ticket.

Deprecated. Scans ip/hostname with Symantec Endpoint Protection. DEPRECATED - this automation is deprecated as it was replaced by sep-scan-endpoint command in 'Symantec Endpoint Protection V2' integration.

Deprecated. Use Active Directory to check if the specified user is a member of the specified group. Returns simply yes/no. The user can be specified by name, email or as an Active Directory Distinguished Name (DN).

Deprecated. Use Active Directory to retrieve the list of users who are members of the specified group. Group must be given by its AD Distinguished Name. The \"attributes\" argument receives a comma-separated list of additional attributes you wish to be displayed in the results.\nExample usage !ADGetGroupUsers groupdn=CN=Domain Admins,CN=Users,DC=demisto,DC=com attributes=badPwdCount,memberOf

Deprecated. Display the incident details retrieved from Confer in a readable format

Deprecated. Extract md5s from the given text and place them both as output and in the context of a playbook

Deprecated. Update user with a given login, all fields are optional, fields which are not set will not be overriden

Deprecated. Display information about a host within the given scan. The numerical host ID can be retrieved using NessusScanDetails "hosts" section

Deprecated. Search the messages in the user's mailbox.

Deprecated. Check latest version of the DAT AV signature update.

Deprecated. Retrieves a paginated list of either deleted users or all users in a domain

Deprecated. This script is deprecated. Use the Exabeam integration instead.

Deprecated. This script is deprecated. Use the available generic file detonation playbooks instead.

Deprecated. Gets offenses from qradar

Deprecated. Retrieve the list of User objects stored in Active Directory and include an extended list of attributes and information about each user. Use the "attributes" argument to include additional specific attributes in the results.

Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.

Deprecated. Classify an incident created from an email originating from Splunk.\nThe mail type should be in plain text, and inline - table should be selected.\nParsing is done in the following manner -\ntype is the header sourcetype, severity is the mail importance level, \nthe incident name is the mail subject and the systems are taken from host.

Deprecated. Retrieves a list of all roleAssignments.

Deprecated. TaniumAskQuestionComplex - same as the AskQuestion command with additional filtering prepared by the script (an XML subsection added to the request).

Deprecated. Gets the specified message.

Deprecated. List devices that match a specific IOC - an IOC ran on them - limited to sha256, sha1, md5 and domain types

Deprecated. Iterate on all file artifacts in the investigation and return details of positives

Deprecated. Use the Elasticsearch v2 integration instead.

Runs an Elasticsearch query and displays results in a table.

Deprecated. Run Active Directory queries

Deprecated. Approve all pending actions using the specified package names.

Deprecated. This script is deprecated. LightCyber Magna is no longer available.

Deprecated. List all configured instances of ePO integration.

Deprecated. Set attributes of an access rule object configured in Checkpoint FW.

Deprecated. A simple script that outputs a shorter summary of the !whois command output

Deprecated. Gets search results

Deprecated. Use the ad-get-computer command in the Active Directory Query v2 instead.
Use Active Directory to retrieve detailed information about a computer account. The computer can be specified by name, email, or as an Active Directory Distinguished Name (DN).
If no filters are provided, the result will show all computers.

Deprecated. Use Active Directory to retrieve the email address associated with the specified user. The user can be specified by name, email or as an Active Directory Distinguished Name (DN).

Deprecated. This script is deprecated. Use the Exabeam integration instead.

Deprecated. Connect to a checkpoint firewall appliance using SSH and trigger a task to create a configuration backup of the device. The user account being used to access the device must be set to use the SSH shell and not the built in Checkpoint CLI. Consult the Checkpoint documentation for instructions on how to do this.

Deprecated. Shows status of a checkpoint task by task uuid.

Deprecated. Use Active Directory to retrieve the list of computers that are members of the specified group. Group must be given by its AD Distinguished Name. The \"attributes\" argument receives a comma-separated list of additional attributes you wish to be displayed in the results.\nExample usage - !ADGetGroupComputers groupdn=\"CN=ImportantComputers,DC=demisto,DC=com\" attributes=operatingsystem

Deprecated. The recommended way to generate documentation is via the demisto-sdk.
See: https://xsoar.pan.dev/docs/integrations/integration-docs

Deprecated. Use Active Directory to retrieve the email address associated with all users.

Deprecated. Query CrowdStrike actors based on given parameters. For fields like countries and industries, multiple values can be passed separated by ','.

Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.

Deprecated. Search for Okta users

Deprecated. Evaluate reputation of a URL and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned.

Deprecated. Identify whether the incident includes an attached file. Optional typefilter argument can be used to only match if the filetype includes that string. Same for filename. Filetype is according to the linux "file" command (filemagic format identification).

Deprecated. Run a query through Splunk and format the results as a markdown with raw data parsed as JSON

Deprecated. Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. Requires pip and access to python repository to install "olefile" package. This script is deprecated, use ParseEmailFiles.

Deprecated. We recommend using extractIndicators command instead. Extract URLs from the given text and place them both as output and in the context of a playbook. If given an object, will convert to JSON.

Deprecated. Creates a new user with an option of setting password, recovery question & answer. The new user will immediately be able to login after activation with the assigned password. This flow is common when developing a custom user registration experience.

Deprecated. Expire the password of an Active Directory user.

Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.

Deprecated. Summarize a Vectra incident (after incident was put into context)\nThe script extract malicious ip's and hashes if exists

Deprecated. Get reputation for any hash or file in the incident details

Deprecated. Show items in an access rulebase configured in Checkpoint FW.

Deprecated. Extract IPs from the given text and place them both as output and in the context of a playbook

Deprecated. Process a suspected email and check URLs, attachments and sender via reputation services

Deprecated. Register/Unregister to address group with Panorama

Deprecated. Extract Domain from a URL. Domain will include sub-domain as well

Deprecated. Use the Elasticsearch v2 integration instead.

Run a search query using Elasticsearch

Deprecated. Fetch issue from Jira

Deprecated. Retruns Demisto list

Deprecated. Close an investigation

Deprecated. Full search through QRadar advance query languages

Deprecated. Delete Mails with ID's under the context key "ExchangeItemIDs"

Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.

Deprecated. use SearchIncidentsV2 instead.

Deprecated. Fetch info on specific user

Deprecated. Update information for NetWitness SA incidents.

Deprecated. Example of using McAfee ESM (Nitro) with advanced filters

Deprecated. Retrieve information about a PCAP related to the specified event.

Deprecated. The health configuration can be used to retrieve system health statistics such as subnet counts, traffic bandwidth, headend and sensor information

Deprecated. Load the contents and metadata of a PDF file into context.

Deprecated. Delete an incident from Demisto (note action is irreversible)

Deprecated. We recommend using extractIndicators command instead. Extract IPs from the given text and place them both as output and in the context of a playbook.

Deprecated. Holds the logic to choose the ePO repositories to operate on when executing the containing playbook. In the simple default script provided, the instance name is picked manually.

Deprecated. Check the URLs in the incident, or raw text provided as argument, for malicious URLs

Deprecated. Use the "wildfire-report" command instead.

Deprecated. The sensors branch can retrieve a listing of sensors that collect and feed data to the X-series

Deprecated. Fetches a specific user when you know the user’s login, please note that one of the parameters bellow is mandatory.

Deprecated. Use the "panorama-move-rule" command instead.

Deprecated. use "Detonate File - VMRay playbook instead"

Deprecated. Use the "Palo Alto Networks - Hunting And Threat Detection"\ \ playbook instead. Integrations list - Cortex (Traps, PAN-OS, Analytics)\nThis is a multipurpose\ \ playbook used for hunting and threat detection. The playbook receives inputs based\ \ on hashes, IP addresses, or domain names provided manually or from outputs by\ \ other playbooks. \nWith the received indicators, the playbook leverages Palo Alto\ \ Cortex data received by products such as Traps, Analytics and Pan-OS to search\ \ for IP addresses and hosts related to that specific hash. \nThe output provided\ \ by the playbook facilitates pivoting searches for possibly affected hosts, IP\ \ addresses, or users.

Deprecated. Use the "ExtraHop - Ticket Tracking v2" playbook instead.\ \ Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes.

Deprecated. Use "McAfee ePO Endpoint Compliance Playbook v2" playbook instead. Discover endpoints that are not using the latest McAfee AV Signatures

Deprecated. Use "Calculate Severity - Generic v2" playbook instead. Calculates and assign the incident severity based on the highest returned severity level from the following severity calculations:

• Indicators DBotScore - Calculates the incident severity level according to the highest indicator DBotScore.
• Critical assets - Determines if a critical assest is associated with the invesigation.
• 3rd-party integrations - Calculates the incident severity level according to the methodology of a 3rd-party integration.

NOTE: the new severity level overwrites the previous severity level even if the previous severity level was more severe.

Deprecated. We recommend using Process Email - Generic playbook instead. Process email - Add email data to a phishing incident's custom fields

Deprecated. Use Calculate Severity - Critical Assets v2 playbook instead. Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of \"Critical\" if a critical asset is associated with the investigation.\n\nThis playbook verifies if a user account or an endpoint is part of a critical list or a critical AD group.

Deprecated. We recommend using Process Email - Generic playbook instead. Add email details into the relevant context entities and handle the case where you have attached original emails.

Deprecated. Use the Hunt File Hash playbook instead. Playbook to quickly react to discovery of new IOCs. Receive a list of IOCs as attached text / csv files, extract IOCs using regular expressions and hunt rapidly across the infrastructure using various integrations. Also supports attaching multiple files.

Deprecated. Use "Email Address Enrichment - Generic v2.1" playbook instead. Get email address reputation using one or more integrations

Deprecated. Use the Search Endpoints By Hash playbook. Assume that malicious IOCs are in the right place in the context and start hunting using available tools.

Deprecated. We recommend using extractIndicators command instead.
Extract indicators from input data.

Deprecated. Use "Endpoint Enrichment - Generic v2.1" playbook instead. Enrich an Endpoint Hostname using one or more integrations

Deprecated. Add indicators to the relevant Miner using MineMeld.

Deprecated. Use "McAfee ePO Endpoint Connectivity Diagnostics Playbook V2" playbook instead. Perform a check on ePO endpoints to see if any endpoints are unmanaged or lost connectivity with ePO and take steps to return to valid state.

Deprecated. Use "Entity Enrichment - Generic v3" playbook instead. Enrich entities using one or more integrations

Deprecated. Manage vulnerability remediation using Qualys data, and optionally enrich data with 3rd-party tools.

Before you run this playbook, run the "Vulnerability Management - Qualys (Job)" playbook.

Deprecated. Use "McAfee ePO Repository Compliance Playbook v2" playbook instead. Ensures that ePO servers are updated to the latest McAfee published AV signatures (DAT file version).

Deprecated. We recommend using Default playbook instead. Enrich data with reputation from the incident. Data is extracted to the standard locations like File, URL, IP.

Deprecated. We recommend using the 'Block Indicators - Generic v2' playbook instead.
This playbook blocks malicious indicators using all integrations that are enabled.

Supported integrations for this playbook:

• Active Directory
• Check Point Firewall
• Palo Alto Networks Minemeld
• Palo Alto Networks Panorama
• Zscaler
• Carbon Black Enterprise Response

Deprecated. Use the "Account Enrichment - Generic v2.1" playbook instead.\ \ Enrich the accounts under the Account context key with details from relevant integrations such as AD.

Deprecated. Use "Search Endpoints By Hash - Carbon Black Response V2" playbook instead. Hunt for malicious indicators using Carbon Black

Deprecated. Use "Enrich McAfee DXL using 3rd party sandbox v2" playbook instead. Example of bridging DXL to a third party sandbox.
Detonate a file in Wildfire and if malicious - push its MD5, SHA1 and SHA256 hashes to McAfee DXL.

Deprecated. Use the "Palo Alto Networks - Endpoint Malware Investigation v3"\ \ playbook instead. This playbook is triggered by a Palo Alto Networks Cortex threat alert,\ \ generated by Traps. The playbook performs host enrichment for the source host\ \ with Palo Alto Networks Traps, enriches information for the suspicious file with\ \ Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation\ \ for the extracted file. It then performs IOC enrichment with Minemeld for all\ \ related IOCs, and calculates the incident severity based on all the findings.\ \ In addition we detonate the file for the full analysis report. \nThe analyst can\ \ perform a manual memory dump for the suspected endpoint based on the incident’s\ \ severity, and choose to isolate the source endpoint with Traps.\nHunting tasks\ \ to find more endpoints that are infected is performed automatically based on a\ \ playbook input, and after all infected endpoints are found, remediation for all\ \ malicious IOCs is performed, including file quarantine, and IP and URLs blocking\ \ with Palo Alto Networks FireWall components such as Dynamic Address Groups and\ \ Custom URL Categories.\nAfter the investigation review the incident is automatically\ \ closed.

Deprecated. Get list of Demisto users through the REST API, and alert if any non-SAML user accounts are found.

Deprecated. Use the "PANW - Hunting and threat detection by indicator type V2" playbook instead.

Deprecated. Use "URL Enrichment - Generic v2" playbook instead. Enrich URL using one or more integrations.

URL enrichment includes:

• Verify URL SSL
• Threat information
• URL reputaiton
• Take URL screenshot

Deprecated. Use "Email Address Enrichment - Generic v2.1" playbook instead. Enrich email addresses. Email address enrichment involves:

• Getting information from Active Directory for internal addresses
• Getting the domain-squatting reputation for external addresses

Deprecated. Use "Account Enrichment - Generic v2.1" playbook instead.\ \ Enrich Accounts using one or more integrations

Deprecated. Use "File Enrichment - Generic v2" playbook instead. Enrich a file using one or more integrations.

File enrichment includes:

• File history
• Threat information
• File reputation

Deprecated. Generic playbook to collect data from endpoints for IR purposes. Will use whichever integrations are configured and available.

Deprecated. Use "CrowdStrike Rapid IOC Hunting v2" playbook instead. Hunt for endpoint activity involving hash and domain IOCs, using Crowdstrike Falcon Host.\nAlso use AnalystEmail label to determine where to send an email alert if something is found.

Deprecated. Use the Hunt Extracted Hashes V2 playbook instead. This playbook extracts IOCs from the incident details and attached\ \ files using regular expressions and then hunts for hashes on endpoints in the organization\ \ using available tools.\nThe playbook supports multiple types of attachments. For\ \ the full supported attachments list, refer to \"Extract Indicators From\ \ File - Generic v2\".

Deprecated. Use "PAN-OS Query Logs For Indicators" playbook instead. Queries traffic logs in a PAN-OS Panorama or Firewall device.

Deprecated. Use the Slack - General Failed Logins v2.1 playbook. When there are three failed login attempts to Demisto that originate from the same user ID, a direct message is sent to the user on Slack requesting that they confirm the activity. If the reply is "no", then the incident severity is set to "high". If the reply is "yes", then another direct message is sent to the user asking if they require a password reset in AD.

Deprecated. Use "Block IP - Generic v2" playbook instead. This playbook blocks malicious IPs using all integrations that you have enabled.

Supported integrations for this playbook:

• Check Point Firewall
• Palo Alto Networks Minemeld
• Palo Alto Networks Panorama
• Zscaler

Deprecated. Use the QRadar - Get offense correlations v2 instead.\"\nRun on a QRadar offense to get more information\n\n* Get all correlations relevant to the offense\n* Get all logs relevant to the correlations (not done by default, set "GetCorrelationLogs\" to \"True\")\n\nInputs-\n* GetCorrelationLogs (default - False)\n* MaxLogsCount (default - 20)

Deprecated. Check for duplicate incidents for the current incident, and close it if any duplicate has been found by machine-learning find duplicates automation.

Deprecated. We recommend using Phishing investigation - Generic playbook instead.
This is an automated playbook to investigate suspected Phishing attempts.
It picks up the required information from the incident metadata as created by the mail listener.
Labels:

• Email/from: Email address of the user targeted by the suspected phishing attempt, who reported the email by forwarding it
• Email: the to recipients
• Email/cc: the cc recipients
• Email/format: the format of the email - text / html / etc.
• Email/html: the html body
• Email/text: the text body
• Email/subject: subject of the email
• Email/attachments: list of attachments
• Email/headers: the headers for the email

Deprecated. Use the "Extract Indicators From File - Generic v2" playbook instead.\
\ Extracts indicators from a file.
Supported file types:

• PDF
• TXT
• HTM, HTML
• DOC, DOCX

Deprecated. Use "Get File Sample By Hash - Generic v2" playbook instead. Returns to the war-room a file sample correlating from a hash using one or more products

Deprecated. Use "Malware Investigation - Manual" playbook instead. Master playbook for investigating suspected malware presence on an endpoint.
Labels:

• System: the hostname for the endpoint being investigated

Deprecated. Check for duplicate incidents for the current incident, and close it if any duplicate has found.

Deprecated. Use the "Get Mails By Folder Paths" playbook instead.

Deprecated. Use the Search Search Endpoints By Hash - Carbon Black Response V2 playbook instead. Hunt for malicious indicators using Carbon Black.

Deprecated. Use "DBot Create Phishing Classifier V2" playbook instead. Create a phishing classifier using machine learning technique, based on email content

Deprecated. Use "Endpoint Malware Investigation - Generic" playbook instead. Investigate a malware using one or more integrations

Deprecated. Use "Enrich DXL with ATD verdict v2" playbook instead. Example of using McAfee ATD and pushing any malicious verdicts over DXL.
Detonates a file in ATD and if malicious - push its MD5, SHA1 and SHA256 hashes to McAfee DXL.

Deprecated. Add information about the vulnerability and asset from the "Vulnerability Handling - Qualys" playbook data to the default "Vulnerability" layout.

Deprecated. Use the Failed Login - Slack v2 playbook instead.

Deprecated. Use the Search Endpoints By Hash - Generic V2 playbook instead. Hunt using available tools

Deprecated. Enrich IP using one or more integrations.

IP enrichment includes:

• Resolve IP to Hostname (DNS)
• Threat information
• Separate internal and external addresses
• IP reputation
• For internal addresses, get host information

Deprecated. Use "Domain Enrichment - Generic v2" playbook instead. Enrich Domain using one or more integrations.
Domain enrichment includes:

• Domain reputation
• Threat information

Deprecated. Verify file sample and hostname information for the "Malware Investigation - Generic" playbook.
If the file sample or hostname are missing, the playbook will attempt to retrieve them using one or more integrations

Deprecated. Use PAN-OS EDL Setup v3 playbook instead. Configures an external dynamic list in PAN-OS.\nIn the event that the file exists on the web server, it will sync it to demisto. Then it will create an EDL object and a matching rule.

Deprecated. Use "Phishing Investigation - Generic v2" playbook instead. Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself.
The final remediation tasks are always decided by a human analyst.

Deprecated. Use "PAN-OS EDL Setup v3" playbook instead. Configures an external dynamic list in PAN-OS.
In the event that the file exists on the web server, it will sync it to demisto. Then it will create an EDL object and a matching rule.

Deprecated. We recommend using Entity Enrichment - Generic playbook instead. Enrich data with reputation. Data is expected to be found in the standard locations like File, URL, IP.

Deprecated. A playbook to use the latest Threat Intelligence to hunt across your infrastructure and look for malicious C&C communications.

Deprecated. Use "PAN-OS - Block IP and URL - External Dynamic List v2" playbook instead. This playbook blocks IP addresses and URLs using Palo Alto Networks Panorama or Firewall External Dynamic Lists.
It checks if the EDL configuration is in place with the 'PAN-OS EDL Setup' sub-playbook (otherwise the list will be configured), and adds the input IPs and URLs to the relevant lists.

Deprecated. Use "Endpoint Enrichment - Generic v2.1" playbook instead. Enrich an endpoint by hostname using one or more integrations.
Currently, the following integrations are supported:

• Active Directory
• McAfee ePolicy Orchestrator
• Carbon Black Enterprise Response
• Cylance Protect
• CrowdStrike Falcon Host

Deprecated. - Use PAN-OS Commit Configuration instead.\nIf specified as Panorama, will also push the Policies to the specified Device Group in the instance. (please use pan-os-commit-configuration instead)

Deprecated. Use "DBot Create Phishing Classifier V2" playbook instead. Train the phishing machine learning model. This playbook should be used as job, to run repeatedly, for example every week.

Deprecated. Triggers a backup task on each firewall appliance and pulls the resulting file into the war room via SCP.

Deprecated. Use "Account Enrichment - Generic v2.1" playbook instead.\ \ Enrich accounts using one or more integrations. Supported integrations - - Active Directory

Deprecated. Use "Dedup - Generic v2" playbook instead. This playbook identifies duplicate incidents using one of the supported methods.

Deprecated. Use "Block File - Generic v2" playbook instead. A generic playbook for blocking files from running on endpoints. This playbook currently supports Carbon Black Enterprise Response.