Get indicators internal Dbot score
Common Playbooks
- Details
- Content
- Dependencies
- Version History
Frequently used playbooks pack.
Name | Description |
---|---|
DBot Indicator Enrichment - Generic | |
Cloud Credentials Rotation - Generic | Cloud Credentials Rotation - GenericThis comprehensive playbook combines the remediation steps from AWS, Azure, and GCP sub-playbooks into a single, cohesive guide. Regardless of which Cloud Service Provider (CSP) you're working with, this playbook will direct you to the relevant steps, ensuring swift and effective response. The primary objective is to offer an efficient way to address compromised credentials across different cloud platforms. By consolidating the key steps from AWS, Azure, and GCP, it minimizes the time spent searching for platform-specific procedures and accelerates the remediation process, ensuring the highest level of security for your cloud environments. Integrations for Each Sub-PlaybookIn order to seamlessly execute the actions mentioned in each sub-playbook, specific integrations are essential. These integrations facilitate the automated tasks and processes that the playbook carries out. Here are the required integrations for each sub-playbook: AWS Sub-Playbook:
GCP Sub-Playbook:
Azure Sub-Playbook:
|
File Enrichment - Generic v2 | Enrich a file using one or more integrations.
|
Search And Delete Emails - Generic | Deprecated. Use |
Calculate Severity By Highest DBotScore | Calculates the incident severity level according to the highest DBotScore. |
Block Indicators - Generic v3 | This playbook blocks malicious indicators using all integrations that are enabled, using the following sub-playbooks:
|
Extract Indicators From File - Generic v2 | This playbook extracts indicators from a file.
|
Isolate Endpoint - Generic V2 | This playbook isolates a given endpoint using various endpoint product integrations. |
Block Email - Generic | Deprecated. Use 'Block Email - Generic v2' instead. This playbook will block emails at your mail relay integration. |
Get File Sample By Hash - Generic v3 | This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks:
|
Search and Compare Process Executions - Generic | This playbook is a generic playbook that receives a process name and a command-line argument. It searches for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations:
Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
|
Detonate URL - Generic | Deprecated. Use Detonate URL - Generic v1.5 playbook instead. Detonate URL through active integrations that support URL detonation. |
Unzip File | This playbook checks whether a file has an extension that supports unzipping, and unzips the file. |
Endpoint Enrichment - Generic v2.1 | Enrich an endpoint by hostname using one or more integrations.
|
SIEM - Search for Failed logins | This playbook searches for failed logon on a specific user by querying logs from different sources. Supported Integrations: |
Retrieve File from Endpoint - Generic | Deprecated. Use
|
Detonate File - Generic | Detonate files through one or more active integrations that support file detonation.
|
Block Account - Generic | Deprecated. Use 'Block Account - Generic v2' instead. This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook:
|
Search And Block Software - Generic | This playbook will search a file or process activity of a software by a given image file name. The analyst can then choose the files to block.
|
Entity Enrichment - Generic v2 | Enrich entities using one or more integrations |
Cloud Response - Generic | This playbook provides response playbooks for:
The response actions available are:
|
Block Domain - Generic v2 | This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook:
|
Dedup - Generic v4 | This playbook identifies duplicate incidents using the Cortex XSOAR machine learning method (script). Note: To identify similar incidents you must properly define the playbook inputs. |
Search For Hash In Sandbox - Generic | This playbook searches for a specific hash in the supported sandboxes. If the hash is known, the playbook provides a detailed analysis of the sandbox report. Currently, supported sandboxes are Falcon Intelligence Sandbox, Wildfire and Joe Sandbox. |
Send Investigation Summary Reports | This playbook iterates over closed incidents, generates a summary report for each closed incident, and emails the reports to specified users. |
IP Enrichment - Generic v2 | Enrich IP addresses using one or more integrations.
When executing this playbook through IP Enrichment - Generic v2, IP classification and resolution will be handled by the main playbook, improving performance. |
Cloud Compute Enrichment - Generic | This playbook provides a generic enrichment of AWS, GCP, and Azure compute resources. |
Detonate and Analyze File - Generic | This playbook uploads, detonates, and analyzes files for supported sandboxes. Currently supported sandboxes are Falcon Intelligence Sandbox, JoeSecurity, and Wildfire. |
Block Indicators - Generic v2 | Deprecated. Use the
|
Get File Sample From Path - Generic | Deprecated. Use inputs:
|
GenericPolling | Use this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete.
NOTE: This playbook should be run only when the playbook's context is using the "Private to sub-playbook" option. |
Retrieve File from Endpoint - Generic V2 | Deprecated. Use
|
Search Endpoint by CVE - Generic | Hunt for assets with a given CVE using available tools |
Wait Until Datetime | Pauses execution until the date and time that was specified in the plabyook input is reached. |
Get File Sample From Path - Generic V3 | This playbook returns a file sample from a specified path and host that you input in the following playbooks:
|
CVE Enrichment - Generic v2 | This playbook performs CVE Enrichment using the following integrations:
|
IP Enrichment - Internal - Generic v2 | Enrich Internal IP addresses using one or more integrations.
|
Block Domain - Generic | Deprecated. Use 'Block Domain - Generic v2' instead. This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook:
|
Entity Enrichment - Generic v3 | Enrich entities using one or more integrations. |
User Investigation - Generic | This playbook performs an investigation on a specific user, using queries and logs from SIEM, Identity management systems, XDR, and firewalls. Supported Integrations: |
Cloud IAM Enrichment - Generic | This playbook is responsible for collecting and enriching data on Identity Access Management (IAM) in cloud environments (AWS, Azure, and GCP). |
IP Enrichment - External - Generic v2 | Enrich IP addresses using one or more integrations.
|
File Enrichment - File reputation | Get file reputation using one or more integrations |
Cloud User Investigation - Generic | This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging. |
Dedup - Generic v2 | Deprecated. Use the Dedup Generic v3 playbook instead. This playbook identifies duplicate incidents using one of the supported methods. |
Calculate Severity - Standard | Calculates and sets the incident severity based on the combination of the current incident severity, and the severity returned from the Calculate Severity By Highest DBotScore playbook. |
Block Email - Generic v2 | This playbook will block emails at your mail relay integration. Supported integrations for this playbook:
|
Get endpoint details - Generic | Deprecated. Use the
|
Block URL - Generic v2 | This playbook blocks malicious URLs using all integrations that are enabled. Supported integrations for this playbook:
|
Get File Sample By Hash - Generic v2 | Deprecated. Use
|
Domain Enrichment - Generic v2 | Enrich domains using one or more integrations.
|
Block Account - Generic v2 | This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook:
|
Convert file hash to corresponding hashes | The playbook enables you to get all of the corresponding file hashes for a file even if there is only one hash type available. |
Get Email From Email Gateway - Generic | This playbook retrieves a specified EML/MSG file directly from the email security gateway product. |
Get File Sample From Path - Generic V2 | Deprecated. Use |
Calculate Severity - Indicators DBotScore | Calculates the incident severity level according to the highest indicator DBotScore. |
Detonate URL - Generic v1.5 | Detonate URL through one or more active integrations that support URL detonation.
|
Get User Devices - Generic | This playbook retrieves information on all of the associated user devices.
Note that not all of the supported integrations will be able to retrieve this information. In order to get the full list of supported integrations, read the following sub-playbooks descriptions:
|
Block URL - Generic | Deprecated. Use 'Block URL - Generic v2' instead. |
Calculate Severity - Critical Assets v2 | Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation. |
Unisolate Endpoint - Generic | This playbook unisolates endpoints according to the endpoint ID or host name provided in the playbook.
|
Search Endpoints By Hash - Generic V2 | Hunt using available tools |
Get File Sample - Generic | Retrieves files from endpoints by the file hash or the file path. |
Get User Devices by Email Address - Generic | This playbook retrieves information on all of the associated user devices, based on the user email.
Note that not all of the supported integrations will be able to retrieve this information. Supported integrations:
|
Send Investigation Summary Reports Job | You should run this playbook as a scheduled job, whicn should run at an interval of once every 15 minutes. This playbook functions by calling the sub-playbook: "Send Investigation Summary Reports", and closes the incident. By default, the playbook will search all incidents closed within the last hour. If you want to run the playbook more frequently, you should adjust the search query of the child playbook: "Send Investigation Summary". Reports. |
Isolate Endpoint - Generic | Deprecated. Use the "Isolate Endpoint - Generic V2" playbook instead. |
Email Headers Check - Generic | This playbook executes one sub-playbook and one automation to check the email headers:
|
Threat Hunting - Generic | This playbook enables threat hunting for IOCs in your enterprise. It currently supports the following integrations:
|
Calculate Severity - Generic v2 | Calculate and assign the incident severity based on the highest returned severity level from the following calculations:
|
Cloud Enrichment - Generic | Generic Cloud Enrichment PlaybookThe Cloud Enrichment - Generic Playbook is designed to unify all the relevant playbooks concerning the enrichment of information in the cloud. It provides a standardized approach to enriching information in cloud environments. Supported Blocks
The playbook supports a single CSP enrichment at a time. |
Calculate Severity - 3rd-party integrations | Calculates the incident severity level according to the methodology of a 3rd-party integration. |
Indicator Registration Polling - Generic | This playbook polls all indicators to check if they exist. |
Account Enrichment - Generic v2.1 | Enrich accounts using one or more integrations.
Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations. |
Search And Delete Emails - Generic v2 | This playbook searches and deletes emails with similar attributes of a malicious email using one of the following integrations: * EWS * Office 365 * Gmail * Agari Phishing Defense. |
Get host forensics - Generic | This playbook retrieves forensics from hosts for the following integrations:
|
URL Enrichment - Generic v2 | Enrich URLs using one or more integrations. URL enrichment includes:
|
Context Polling - Generic | This playbook polls a context key to check if a specific value exists. |
Dedup - Generic v3 | Deprecated. Use the
|
Field Polling - Generic | This playbook polls a field to check if a specific value exists. |
Command-Line Analysis | This playbook takes a command line from the alert and performs the following actions:
At the end of the playbook, it sets a possible verdict for the command line, based on the finding:
Note: To run this playbook with a list of command lines, set this playbook to run in a loop. To do so, navigate to 'Loop' and check "For Each Input". |
Block IP - Generic v3 | This playbook blocks malicious IP addresses using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user (and set by default to outgoing)
Supported integrations for this playbook [Network security products such as FW/WAF/IPs/etc.]:
|
Get Original Email - Generic | Deprecated. Use the "Get Original Email - Generic v2" playbook under the "Phishing" pack instead. |
Email Address Enrichment - Generic v2.1 | Enrich email addresses.
|
Retrieve File from Endpoint - Generic V3 | 'This playbook retrieves a file sample from an endpoint using the following playbooks:'
|
Block IP - Generic v2 | Deprecated. Use the Supported integrations for this playbook:
|
Get Cloud Account Owner - Generic | Retrieves the owners of a cloud account based on account ID.
|
Get User Devices by Username - Generic | This playbook retrieves information on all of the associated user devices, based on the user's username.
Note that not all of the supported integrations will be able to retrieve this information. Supported integrations:
|
Block File - Generic v2 | This playbook is used to block files from running on endpoints.
|
Name | Description |
---|---|
Block File - Generic v2 | This playbook is used to block files from running on endpoints.
|
Get Email From Email Gateway - Generic | This playbook retrieves a specified EML/MSG file directly from the email security gateway product. |
Cloud Compute Enrichment - Generic | This playbook provides a generic enrichment of AWS, GCP, and Azure compute resources. |
Email Headers Check - Generic | This playbook executes one sub-playbook and one automation to check the email headers:
|
Field Polling - Generic | This playbook polls a field to check if a specific value exists. |
Dedup - Generic v4 | This playbook identifies duplicate alerts using the Cortex machine learning method (script). Note: To identify similar alerts you must properly define the playbook inputs. |
Enrichment for Verdict | This playbook checks prior alert closing reasons and performs enrichment and prevalence checks on different IOC types. It then returns the information needed to establish the alert's verdict. |
Isolate Endpoint - Generic V2 | This playbook isolates a given endpoint using various endpoint product integrations. |
Block Domain - Generic | Deprecated. Use 'Block Domain - Generic v2' instead. This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook:
|
Cloud Enrichment - Generic | Generic Cloud Enrichment PlaybookThe Cloud Enrichment - Generic Playbook is designed to unify all the relevant playbooks concerning the enrichment of information in the cloud. It provides a standardized approach to enriching information in cloud environments. Supported Blocks
The playbook supports a single CSP enrichment at a time. |
File Reputation | This playbook checks the file reputation and sets the verdict as a new context key. The verdict is composed by 3 main components:
Note: a user can provide a list of trusted signers of his own using the playbook inputs |
Eradication Plan - Delete File | This playbook is one of the sub-playbooks in the eradication plan. |
Domain Enrichment - Generic v2 | Enrich domains using one or more integrations.
|
IP Enrichment - External - Generic v2 | Enrich IP addresses using one or more integrations.
|
SIEM - Search for Failed logins | This playbook searches for failed logon on a specific user by querying logs from different sources. Supported Integrations: |
Containment Plan - Isolate Device | Containment Plan - Isolate DeviceThis playbook is a sub-playbook within the containment plan playbook. |
Search And Block Software - Generic | This playbook will search a file or process activity of a software by a given image file name. The analyst can then choose the files to block.
|
Convert file hash to corresponding hashes | The playbook enables you to get all of the corresponding file hashes for a file even if there is only one hash type available. |
Eradication Plan | This playbook handles all the eradication actions available with Cortex XSIAM, including the following sub-playbooks:
Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details. |
Extract Indicators From File - Generic v2 | This playbook extracts indicators from a file.
|
Get File Sample By Hash - Generic v2 | Deprecated. Use
|
Search and Compare Process Executions - Generic | This playbook is a generic playbook that receives a process name and a command-line argument. It searches for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations:
Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
|
Cloud IAM Enrichment - Generic | This playbook is responsible for collecting and enriching data on Identity Access Management (IAM) in cloud environments (AWS, Azure, and GCP). |
Retrieve File from Endpoint - Generic | Deprecated. Use
|
Cloud User Investigation - Generic | This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging. |
Dedup - Generic v3 | Deprecated. Use the
|
Eradication Plan - Terminate Process | This playbook is one of the sub-playbooks in the eradication plan. |
Get endpoint details - Generic | Deprecated. Use the
|
Recovery Plan | This playbook handles all the recovery actions available with Cortex XSIAM, including the following tasks:
Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. |
Block URL - Generic | Deprecated. Use 'Block URL - Generic v2' instead. |
Account Enrichment - Generic v2.1 | Enrich accounts using one or more integrations.
Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations. |
Get File Sample - Generic | Retrieves files from endpoints by the file hash or the file path. |
Get User Devices - Generic | This playbook retrieves information on all of the associated user devices.
Note that not all of the supported integrations will be able to retrieve this information. In order to get the full list of supported integrations, read the following sub-playbooks descriptions:
|
Containment Plan | This playbook handles the main containment actions available with Cortex XSIAM, including the following sub-playbooks:
Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details. |
Get Original Email - Generic | Deprecated. Use the "Get Original Email - Generic v2" playbook under the "Phishing" pack instead. |
IP Enrichment - Internal - Generic v2 | Enrich Internal IP addresses using one or more integrations.
|
Containment Plan - Disable Account | Containment Plan - Disable AccountThis playbook is a sub-playbook within the containment plan playbook. |
Context Polling - Generic | This playbook polls a context key to check if a specific value exists. |
Dedup - Generic v2 | Deprecated. Use the Dedup Generic v3 playbook instead. This playbook identifies duplicate alerts using one of the supported methods. |
Get File Sample By Hash - Generic v3 | This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks:
|
CVE Enrichment - Generic v2 | This playbook performs CVE Enrichment using the following integrations:
|
URL Enrichment - Generic v2 | Enrich URLs using one or more integrations. URL enrichment includes:
|
Command-Line Analysis | This playbook takes a command line from the alert and performs the following actions:
At the end of the playbook, it sets a possible verdict for the command line, based on the finding:
Note: To run this playbook with a list of command lines, set this playbook to run in a loop. To do so, navigate to 'Loop' and check "For Each Input". |
Ticket Management - Generic |
|
Send Investigation Summary Reports | This playbook iterates over closed alerts, generates a summary report for each closed alert, and emails the reports to specified users. |
Retrieve File from Endpoint - Generic V2 | Deprecated. Use
|
Detonate URL - Generic | Deprecated. Use Detonate URL - Generic v1.5 playbook instead. Detonate URL through active integrations that support URL detonation. |
Calculate Severity - 3rd-party integrations | Calculates the alert severity level according to the methodology of a 3rd-party integration. |
Indicator Registration Polling - Generic | This playbook polls all indicators to check if they exist. |
Retrieve File from Endpoint - Generic V3 | 'This playbook retrieves a file sample from an endpoint using the following playbooks:'
|
Handle False Positive Alerts | This playbook handles false positive alerts. |
Email Address Enrichment - Generic v2.1 | Enrich email addresses.
|
Unzip File | This playbook checks whether a file has an extension that supports unzipping, and unzips the file. |
Calculate Severity By Highest DBotScore | Calculates the alert severity level according to the highest DBotScore. |
IP Enrichment - Generic v2 | Enrich IP addresses using one or more integrations.
When executing this playbook through IP Enrichment - Generic v2, IP classification and resolution will be handled by the main playbook, improving performance. |
Wait Until Datetime | Pauses execution until the date and time that was specified in the plabyook input is reached. |
Get User Devices by Username - Generic | This playbook retrieves information on all of the associated user devices, based on the user's username.
Note that not all of the supported integrations will be able to retrieve this information. Supported integrations:
|
DBot Indicator Enrichment - Generic | Get indicators internal Dbot score |
Block Indicators - Generic v2 | Deprecated. Use the
|
Block Domain - Generic v2 | This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook:
|
Containment Plan - Quarantine File | Containment Plan - Quarantine FileThis playbook is a sub-playbook within the containment plan playbook. |
Get Cloud Account Owner - Generic | Retrieves the owners of a cloud account based on account ID.
|
Entity Enrichment - Generic v3 | Enrich entities using one or more integrations. |
Block Email - Generic | Deprecated. Use 'Block Email - Generic v2' instead. This playbook will block emails at your mail relay integration. |
Block Account - Generic v2 | This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook:
|
Threat Hunting - Generic | This playbook enables threat hunting for IOCs in your enterprise. It currently supports the following integrations:
|
Endpoint Enrichment - Generic v2.1 | Enrich an endpoint by hostname using one or more integrations.
|
Get File Sample From Path - Generic V2 | Deprecated. Use |
Block URL - Generic v2 | This playbook blocks malicious URLs using all integrations that are enabled. Supported integrations for this playbook:
|
Endpoint Investigation Plan | This playbook handles all the endpoint investigation actions by performing the following tasks on every alert associated with the alert:
Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. |
Block Email - Generic v2 | This playbook will block emails at your mail relay integration. Supported integrations for this playbook:
|
Detonate URL - Generic v1.5 | Detonate URL through one or more active integrations that support URL detonation.
|
Containment Plan - Clear User Sessions | Containment Plan - Clear User SessionsThis playbook is a sub-playbook within the containment plan playbook. |
GenericPolling | Use this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete.
NOTE: This playbook should be run only when the playbook's context is using the "Private to sub-playbook" option. |
Calculate Severity - Generic v2 | Calculate and assign the alert severity based on the highest returned severity level from the following calculations:
|
File Enrichment - File reputation | Get file reputation using one or more integrations |
Eradication Plan - Reset Password | This playbook is one of the sub-playbooks in the eradication plan. |
Search Endpoints By Hash - Generic V2 | Hunt using available tools |
Calculate Severity - Standard | Calculates and sets the alert severity based on the combination of the current alert severity, and the severity returned from the Calculate Severity By Highest DBotScore playbook. |
Block IP - Generic v2 | Deprecated. Use the Supported integrations for this playbook:
|
Get File Sample From Path - Generic | Deprecated. Use inputs:
|
Block IP - Generic v3 | This playbook blocks malicious IP addresses using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user (and set by default to outgoing)
Supported integrations for this playbook [Network security products such as FW/WAF/IPs/etc.]:
|
Containment Plan - Block Indicators | Containment Plan - Block IndicatorsThis playbook is a sub-playbook within the containment plan playbook. Indicator BlockingThe playbook block indicators by two methods:
|
Block Indicators - Generic v3 | This playbook blocks malicious indicators using all integrations that are enabled, using the following sub-playbooks:
|
Get File Sample From Path - Generic V3 | This playbook returns a file sample from a specified path and host that you input in the following playbooks:
|
Detonate and Analyze File - Generic | This playbook uploads, detonates, and analyzes files for supported sandboxes. Currently supported sandboxes are Falcon Intelligence Sandbox, JoeSecurity, and Wildfire. |
Unisolate Endpoint - Generic | This playbook unisolates endpoints according to the endpoint ID or host name provided in the playbook.
|
Cloud Credentials Rotation - Generic | Cloud Credentials Rotation - GenericThis comprehensive playbook combines the remediation steps from AWS, Azure, and GCP sub-playbooks into a single, cohesive guide. Regardless of which Cloud Service Provider (CSP) you're working with, this playbook will direct you to the relevant steps, ensuring swift and effective response. The primary objective is to offer an efficient way to address compromised credentials across different cloud platforms. By consolidating the key steps from AWS, Azure, and GCP, it minimizes the time spent searching for platform-specific procedures and accelerates the remediation process, ensuring the highest level of security for your cloud environments. Integrations for Each Sub-PlaybookIn order to seamlessly execute the actions mentioned in each sub-playbook, specific integrations are essential. These integrations facilitate the automated tasks and processes that the playbook carries out. Here are the required integrations for each sub-playbook: AWS Sub-Playbook:
GCP Sub-Playbook:
Azure Sub-Playbook:
|
Get User Devices by Email Address - Generic | This playbook retrieves information on all of the associated user devices, based on the user email.
Note that not all of the supported integrations will be able to retrieve this information. Supported integrations:
|
Block Account - Generic | Deprecated. Use 'Block Account - Generic v2' instead. This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook:
|
User Investigation - Generic | This playbook performs an investigation on a specific user, using queries and logs from SIEM, Identity management systems, XDR, and firewalls. Supported Integrations: |
Search And Delete Emails - Generic | Deprecated. Use |
Calculate Severity - Critical Assets v2 | Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation. |
Get prevalence for IOCs | The playbook queries the analytics module to receive the prevalence of an IOC. Supported IOC:
|
Search Endpoint by CVE - Generic | Hunt for assets with a given CVE using available tools |
File Enrichment - Generic v2 | Enrich a file using one or more integrations.
|
Entity Enrichment - Generic v2 | Enrich entities using one or more integrations |
Search And Delete Emails - Generic v2 | This playbook searches and deletes emails with similar attributes of a malicious email using one of the following integrations: * EWS * Office 365 * Gmail * Agari Phishing Defense. |
Get host forensics - Generic | This playbook retrieves forensics from hosts for the following integrations:
|
Detonate File - Generic | Detonate files through one or more active integrations that support file detonation.
|
Cloud Response - Generic | This playbook provides response playbooks for:
The response actions available are:
|
Isolate Endpoint - Generic | Deprecated. Use the "Isolate Endpoint - Generic V2" playbook instead. |
Calculate Severity - Indicators DBotScore | Calculates the alert severity level according to the highest indicator DBotScore. |
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Common Scripts | By: Cortex XSOAR |
Filters And Transformers | By: Cortex XSOAR |
Rasterize | By: Cortex XSOAR |
Pack Name | Pack By |
---|---|
Cortex REST API | By: Cortex XSOAR |
Common Scripts | By: Cortex XSOAR |
Base | By: Cortex XSOAR |
Rasterize | By: Cortex XSOAR |
Filters And Transformers | By: Cortex XSOAR |
Playbooks
Extract Indicators From File - Generic v2
- Fixed an issue where certain PDF files would result in incorrect paths taken by the playbook.
- Improved handling of unreadable, encrypted or invalid PDFs in the playbook. Unreadable PDFs will no longer cause errors in the playbook, but will be skipped from the PDF extraction flow.
- Fixed an issue where the filters were not consistent across the condition and extraction tasks in the PDF file extraction flow, which could result in unexpected extractions.
- 39753
Download
Playbooks
Get User Devices - Generic
- Documentation and metadata improvements.
Search And Block Software - Generic
- Documentation and metadata improvements.
User Investigation - Generic
- Documentation and metadata improvements.
Get User Devices by Email Address - Generic
- Documentation and metadata improvements.
Block Account - Generic v2
- Documentation and metadata improvements.
Command-Line Analysis
- Documentation and metadata improvements.
Get Cloud Account Owner - Generic
- Documentation and metadata improvements.
Account Enrichment - Generic v2.1
- Documentation and metadata improvements.
Get User Devices by Username - Generic
- Documentation and metadata improvements.
- 37696
Download
Playbooks
Command-Line Analysis
Added new tasks to check for suspicious paths and arguments in the command line. The results will be added to the 'CommandlineVerdict' output under the 'CommandlineVerdict.SuspiciousCmdPathAndArguments' key and will influence the overall verdict.
- 37029
Download
Playbooks
Detonate URL - Generic
- Updated the playbook to use the MetaDefender Sandbox metadefender-sandbox-scan-url command instead of the deprecated opswat-filescan-scan-url command.
Detonate File - Generic
- Updated the playbook to use the MetaDefender Sandbox metadefender-sandbox-scan-file command instead of the deprecated opswat-filescan-scan-file command.
- 35595
Download
Playbooks
Block IP - Generic v3
- Fixed an issue with the data collection tasks to send emails to the corresponding roles in XSIAM (Investigator) and XSOAR (Analyst).
Block Account - Generic v2
- Fixed an issue with the data collection tasks to send emails to the corresponding roles in XSIAM (Investigator) and XSOAR (Analyst).
Block URL - Generic v2
- Fixed an issue with the data collection tasks to send emails to the corresponding roles in XSIAM (Investigator) and XSOAR (Analyst).
- 35133
Download
Playbooks
Extract Indicators From File - Generic v2
- Fixed an issue where certain PDF files would result in incorrect paths taken by the playbook.
- Improved handling of unreadable, encrypted or invalid PDFs in the playbook. Unreadable PDFs will no longer cause errors in the playbook, but will be skipped from the PDF extraction flow.
- Fixed an issue where the filters were not consistent across the condition and extraction tasks in the PDF file extraction flow, which could result in unexpected extractions.
- 39753
Download
Playbooks
Get User Devices - Generic
- Documentation and metadata improvements.
Endpoint Investigation Plan
- Documentation and metadata improvements.
Search And Block Software - Generic
- Documentation and metadata improvements.
User Investigation - Generic
- Documentation and metadata improvements.
Eradication Plan - Reset Password
- Documentation and metadata improvements.
Containment Plan - Isolate Device
- Documentation and metadata improvements.
Enrichment for Verdict
- Documentation and metadata improvements.
Get User Devices by Email Address - Generic
- Documentation and metadata improvements.
Block Account - Generic v2
- Documentation and metadata improvements.
Command-Line Analysis
- Documentation and metadata improvements.
Get Cloud Account Owner - Generic
- Documentation and metadata improvements.
Account Enrichment - Generic v2.1
- Documentation and metadata improvements.
Get User Devices by Username - Generic
- Documentation and metadata improvements.
Containment Plan - Disable Account
- Documentation and metadata improvements.
- 37696
Download
Playbooks
Command-Line Analysis
Added new tasks to check for suspicious paths and arguments in the command line. The results will be added to the 'CommandlineVerdict' output under the 'CommandlineVerdict.SuspiciousCmdPathAndArguments' key and will influence the overall verdict.
- 37029
Download
Playbooks
Detonate URL - Generic
- Updated the playbook to use the MetaDefender Sandbox metadefender-sandbox-scan-url command instead of the deprecated opswat-filescan-scan-url command.
Detonate File - Generic
- Updated the playbook to use the MetaDefender Sandbox metadefender-sandbox-scan-file command instead of the deprecated opswat-filescan-scan-file command.
- 35595
Download
Playbooks
Block IP - Generic v3
- Fixed an issue with the data collection tasks to send emails to the corresponding roles in XSIAM (Investigator) and XSOAR (Analyst).
Block Account - Generic v2
- Fixed an issue with the data collection tasks to send emails to the corresponding roles in XSIAM (Investigator) and XSOAR (Analyst).
Block URL - Generic v2
- Fixed an issue with the data collection tasks to send emails to the corresponding roles in XSIAM (Investigator) and XSOAR (Analyst).
- 35133
Download
PUBLISHER
PLATFORMS
INFO
Certification | Certified | Read more |
Supported By | Cortex | |
Created | August 17, 2020 | |
Last Release | May 6, 2025 |
WORKS WITH THE FOLLOWING INTEGRATIONS:




































































































































