Common Playbooks

Details
Content
Dependencies
Version History

Frequently used playbooks pack.

Playbooks

Name	Description
Entity Enrichment - Generic v2	Enrich entities using one or more integrations
Isolate Endpoint - Generic	Deprecated. Use the "Isolate Endpoint - Generic V2" playbook instead.
Get endpoint details - Generic	Deprecated. Use the `Endpoint Enrichment - Generic v2.1` playbook instead. This playbook uses the generic command !endpoint to retrieve details on a specific endpoint. This command currently supports the following integrations: Palo Alto Networks Cortex XDR - Investigation and Response. CrowdStrike Falcon.
Get User Devices by Email Address - Generic	This playbook retrieves information on all of the associated user devices, based on the user email. In order to get a generic output, the following information on all of the retrieved devices will be saved under the `UserDevices` context key: Name Serial Number ID Model MAC Address OS Integration Note that not all of the supported integrations will be able to retrieve this information. Supported integrations: jamf v2 Google Workspace (Gsuite) ServiceNow v2 Active Directory Query v2 Microsoft Graph API (In order to get devices details, provide the permissions as mentioned here: https://learn.microsoft.com/en-us/graph/api/user-list-owneddevices?view=graph-rest-1.0&tabs=http )
Context Polling - Generic	This playbook polls a context key to check if a specific value exists.
Get host forensics - Generic	This playbook retrieves forensics from hosts for the following integrations: Illusive Networks Microsoft Defender For Endpoint.
Calculate Severity - Indicators DBotScore	Calculates the incident severity level according to the highest indicator DBotScore.
Get File Sample From Path - Generic V2	Deprecated. Use `Get File Sample From Path - Generic V3` instead. This playbook returns a file sample correlating to a path into the War Room using the following sub-playbooks: inputs: 1) Get File Sample From Path - D2. 2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).
Calculate Severity - Standard	Calculates and sets the incident severity based on the combination of the current incident severity, and the severity returned from the Calculate Severity By Highest DBotScore playbook.
Search For Hash In Sandbox - Generic	This playbook searches for a specific hash in the supported sandboxes. If the hash is known, the playbook provides a detailed analysis of the sandbox report. Currently, supported sandboxes are Falcon Intelligence Sandbox, Wildfire and Joe Sandbox.
Indicator Registration Polling - Generic	This playbook polls all indicators to check if they exist.
Block Account - Generic	Deprecated. Use 'Block Account - Generic v2' instead. This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: Active Directory PAN-OS - This requires PAN-OS 9.1 or higher.
Dedup - Generic v4	This playbook identifies duplicate incidents using the Cortex XSOAR machine learning method (script). In this playbook, you can choose fields and/or indicators to be compared against other incidents in the Cortex XSOAR database. Note: To identify similar incidents you must properly define the playbook inputs.
SIEM - Search for Failed logins	This playbook searches for failed logon on a specific user by querying logs from different sources. Supported Integrations: -Splunk -QRadar -Azure Log Analytics.
Get User Devices - Generic	This playbook retrieves information on all of the associated user devices. In order to get a generic output, the following information on all of the retrieved devices will be saved under the `UserDevices` context key: Name Serial Number ID Model MAC Address OS Integration Note that not all of the supported integrations will be able to retrieve this information. In order to get the full list of supported integrations, read the following sub-playbooks descriptions: Get User Devices by Username - Generic Get User Devices by Email Address - Generic
CVE Enrichment - Generic v2	This playbook performs CVE Enrichment using the following integrations: VulnDB CVE Search IBM X-Force Exchange
Detonate File - Generic	Detonate files through one or more active integrations that support file detonation. Supported integrations: SecneurX Analysis ANY.RUN McAfee Advanced Threat Defense WildFire Lastline Cuckoo Sandbox Cisco Secure Malware Analytics (ThreatGrid) JoeSecurity CrowdStrike Falcon Sandbox FireEye AX VMRay Analyzer Polygon CrowdStrike Falcon Intelligence Sandbox OPSWAT Filescan.
Unisolate Endpoint - Generic	This playbook unisolates endpoints according to the endpoint ID or host name provided in the playbook. It currently supports the following integrations: Carbon Black Response Cortex XDR Crowdstrike Falcon FireEye HX Cybereason Microsoft Defender For Endpoint.
IP Enrichment - Internal - Generic v2	Enrich Internal IP addresses using one or more integrations. Resolve IP address to hostname (DNS) Separate internal and external IP addresses Get host information for IP addresses.
Endpoint Enrichment - Generic v2.1	Enrich an endpoint by hostname using one or more integrations. Supported integrations: Active Directory Query v2 McAfee ePO v2 VMware Carbon Black EDR v2 Cylance Protect v2 CrowdStrike Falcon ExtraHop Reveal(x) Cortex XDR / Core (endpoint enrichment, reputation and risk) Endpoint reputation using !endpoint command.
DBot Indicator Enrichment - Generic	Get indicators internal Dbot score
Cloud User Investigation - Generic	This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging.
Get Email From Email Gateway - Generic	This playbook retrieves a specified EML/MSG file directly from the email security gateway product.
IP Enrichment - Generic v2	Enrich IP addresses using one or more integrations. Resolve IP addresses to hostnames (DNS) Provide threat information Determine IP address reputation using the !ip command Separate internal and external IP addresses For internal IP addresses, get host information. When executing this playbook through IP Enrichment - Generic v2, IP classification and resolution will be handled by the main playbook, improving performance.
Domain Enrichment - Generic v2	Enrich domains using one or more integrations. Domain enrichment includes: Threat information Domain reputation using !domain command
Get Cloud Account Owner - Generic	Retrieves the owners of a cloud account based on account ID. Current supported platforms: GCP Prisma Cloud.
Cloud Credentials Rotation - Generic	Cloud Credentials Rotation - Generic This comprehensive playbook combines the remediation steps from AWS, Azure, and GCP sub-playbooks into a single, cohesive guide. Regardless of which Cloud Service Provider (CSP) you're working with, this playbook will direct you to the relevant steps, ensuring swift and effective response. The primary objective is to offer an efficient way to address compromised credentials across different cloud platforms. By consolidating the key steps from AWS, Azure, and GCP, it minimizes the time spent searching for platform-specific procedures and accelerates the remediation process, ensuring the highest level of security for your cloud environments. Integrations for Each Sub-Playbook In order to seamlessly execute the actions mentioned in each sub-playbook, specific integrations are essential. These integrations facilitate the automated tasks and processes that the playbook carries out. Here are the required integrations for each sub-playbook: AWS Sub-Playbook: AWS - IAM: Used to manage AWS Identity and Access Management. AWS - EC2: Essential for managing Amazon Elastic Compute Cloud (EC2) instances. GCP Sub-Playbook: Google Workspace Admin: Manages users, groups, and other entities within Google Workspace. GCP-IAM: Ensures management and control of GCP's Identity and Access Management. Azure Sub-Playbook: Microsoft Graph Users: Manages users and related entities in Microsoft Graph. Microsoft Graph Applications: Manages applications within Microsoft Graph.
Threat Hunting - Generic	This playbook enables threat hunting for IOCs in your enterprise. It currently supports the following integrations: Splunk Qradar Pan-os Cortex Data Lake Autofocus Microsoft 365 Defender
Calculate Severity - Generic v2	Calculate and assign the incident severity based on the highest returned severity level from the following calculations: DBotScores of indicators Critical assets Email authenticity Current incident severity Microsoft Headers Risky users (XDR) Risky hosts (XDR).
Retrieve File from Endpoint - Generic V3	'This playbook retrieves a file sample from an endpoint using the following playbooks:' Get File Sample From Path - Generic v2. Get File Sample By Hash - Generic v3.
Send Investigation Summary Reports Job	You should run this playbook as a scheduled job, whicn should run at an interval of once every 15 minutes. This playbook functions by calling the sub-playbook: "Send Investigation Summary Reports", and closes the incident. By default, the playbook will search all incidents closed within the last hour. If you want to run the playbook more frequently, you should adjust the search query of the child playbook: "Send Investigation Summary". Reports.
IP Enrichment - External - Generic v2	Enrich IP addresses using one or more integrations. Resolve IP addresses to hostnames (DNS). Provide threat information. IP address reputation using !ip command. Separate internal and external addresses.
Retrieve File from Endpoint - Generic	Deprecated. Use `Retrieve File from Endpoint - Generic V3` instead. This playbook retrieves a file sample from an endpoint using the following playbooks: Get File Sample From Path - Generic Get File Sample By Hash - Generic v2
Search Endpoint by CVE - Generic	Hunt for assets with a given CVE using available tools
Search And Delete Emails - Generic	Deprecated. Use `Search And Delete Emails - Generic v2` instead. This playbook searches and delete emails with similar attributes of a malicious email.
Block Account - Generic v2	This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: Active Directory PAN-OS - This requires PAN-OS 9.1 or higher. SailPoint PingOne AWS IAM Clarizen IAM Envoy IAM ExceedLMS IAM Okta Microsoft Graph User (Azure Active Directory Users) Google Workspace Admin Slack IAM ServiceNow IAM Prisma Cloud IAM Zoom IAM Atlassian IAM GitHub IAM.
Cloud Response - Generic	This playbook provides response playbooks for: AWS Azure GCP The response actions available are: Terminate/Shut down/Power off an instance Delete/Disable a user Delete/Revoke/Disable credentials Block indicators
Calculate Severity - 3rd-party integrations	Calculates the incident severity level according to the methodology of a 3rd-party integration.
Search Endpoints By Hash - Generic V2	Hunt using available tools
Block URL - Generic	Deprecated. Use 'Block URL - Generic v2' instead.
GenericPolling	Use this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete. This playbook implements polling by continuously running the command in Step #2 until the operation completes. The remote action should have the following structure: Initiate the operation. Poll to check if the operation completed. (optional) Get the results of the operation. NOTE: This playbook should be run only when the playbook's context is using the "Private to sub-playbook" option.
Retrieve File from Endpoint - Generic V2	Deprecated. Use `Retrieve File from Endpoint - Generic V3` instead. 'This playbook retrieves a file sample from an endpoint using the following playbooks:' Get File Sample From Path - Generic v2. Get File Sample By Hash - Generic v3.
Cloud IAM Enrichment - Generic	This playbook is responsible for collecting and enriching data on Identity Access Management (IAM) in cloud environments (AWS, Azure, and GCP).
Get File Sample From Path - Generic	Deprecated. Use `Get File Sample From Path - Generic V3` instead. Returns a file sample to the war-room from a path on an endpoint using one or more integrations inputs: UseD2 - if "True", use Demisto Dissolvable Agent (D2) to return the file (default: False)
Block Domain - Generic	Deprecated. Use 'Block Domain - Generic v2' instead. This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook: Zscaler Symantec Messaging Gateway FireEye EX Trend Micro Apex One Proofpoint Threat Response
Send Investigation Summary Reports	This playbook iterates over closed incidents, generates a summary report for each closed incident, and emails the reports to specified users.
Detonate URL - Generic	Deprecated. Use Detonate URL - Generic v1.5 playbook instead. Detonate URL through active integrations that support URL detonation.
Calculate Severity - Critical Assets v2	Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation. Critical assets refer to: users, user groups, endpoints and endpoint groups.
Extract Indicators From File - Generic v2	This playbook extracts indicators from a file. Supported file types: CSV PDF TXT HTM, HTML DOC, DOCX PPT PPTX RTF XLS XLSX XML XLSM DOCM PPTM DOTM XLSB DOT PPSM. The playbook does not support encrypted / password-protected files such as XLSB. Such files will be skipped.
User Investigation - Generic	This playbook performs an investigation on a specific user, using queries and logs from SIEM, Identity management systems, XDR, and firewalls. Supported Integrations: -Okta -Splunk -QRadar -Azure Log Analytics -PAN-OS -XDR / Core By Palo Alto Networks.
Search And Block Software - Generic	This playbook will search a file or process activity of a software by a given image file name. The analyst can then choose the files to block. The following integrations are supported: Cortex XDR XQL Engine Microsoft Defender For Endpoint
Block Indicators - Generic v3	This playbook blocks malicious indicators using all integrations that are enabled, using the following sub-playbooks: Block URL - Generic v2 Block Account - Generic v2 Block IP - Generic v3 Block File - Generic v2 Block Email - Generic v2 Block Domain - Generic v2.
Entity Enrichment - Generic v3	Enrich entities using one or more integrations.
Unzip File	This playbook checks whether a file has an extension that supports unzipping, and unzips the file.
Detonate and Analyze File - Generic	This playbook uploads, detonates, and analyzes files for supported sandboxes. Currently supported sandboxes are Falcon Intelligence Sandbox, JoeSecurity, and Wildfire.
Account Enrichment - Generic v2.1	Enrich accounts using one or more integrations. Supported integrations: Active Directory Microsoft Graph User SailPoint IdentityNow SailPoint IdentityIQ PingOne Okta AWS IAM Cortex XDR (account enrichment and reputation) Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations.
Block URL - Generic v2	This playbook blocks malicious URLs using all integrations that are enabled. Supported integrations for this playbook: Palo Alto Networks PAN-OS Zscaler Sophos Forcepoint Checkpoint Netcraft.
Cloud Compute Enrichment - Generic	This playbook provides a generic enrichment of AWS, GCP, and Azure compute resources.
Dedup - Generic v2	Deprecated. Use the Dedup Generic v3 playbook instead. This playbook identifies duplicate incidents using one of the supported methods.
Block Email - Generic v2	This playbook will block emails at your mail relay integration. Supported integrations for this playbook: Mimecast FireEye Email Security (EX) Cisco Email Security Symantec Email Security
Search And Delete Emails - Generic v2	This playbook searches and deletes emails with similar attributes of a malicious email using one of the following integrations: * EWS * Office 365 * Gmail * Agari Phishing Defense.
Get File Sample From Path - Generic V3	This playbook returns a file sample from a specified path and host that you input in the following playbooks: PS Remote Get File Sample From Path Get File Sample From Path - VMware Carbon Black EDR (Live Response API) CrowdStrike Falcon - Retrieve File MDE - Retrieve File Cortex XDR - Retrieve File V2
Dedup - Generic v3	Deprecated. Use the `Dedup - Generic v4` playbook instead. This playbook identifies duplicate incidents using one of the supported methods. Select one of the following methods to identify duplicate incidents in Cortex XSOAR. ml: Machine learning model, which is trained mostly on phishing incidents. -rules: Rules help identify duplicate incidents when the logic is well defined, for example, the same label or custom fields. -text: Statistics algorithm that compares text, which is generally useful for phishing incidents. For each method, the playbook will search for the oldest similar incident. when there is a match for a similar incident the playbook will close the current incident and will link it to the older incident.
Cloud Enrichment - Generic	Generic Cloud Enrichment Playbook The Cloud Enrichment - Generic Playbook is designed to unify all the relevant playbooks concerning the enrichment of information in the cloud. It provides a standardized approach to enriching information in cloud environments. Supported Blocks Cloud IAM Enrichment - Generic Enriches information related to Identity and Access Management (IAM) in the cloud. Cloud Compute Enrichment - Generic Enriches information related to cloud compute resources. The playbook supports a single CSP enrichment at a time.
Wait Until Datetime	Pauses execution until the date and time that was specified in the plabyook input is reached.
Convert file hash to corresponding hashes	The playbook enables you to get all of the corresponding file hashes for a file even if there is only one hash type available. For example, if we have only the SHA256 hash, the playbook will get the SHA1 and MD5 hashes as long as the original searched hash is recognized by any our the threat intelligence integrations.
Get File Sample By Hash - Generic v3	This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks: Get binary file by MD5 hash from Carbon Black telemetry data - VMware Carbon Black EDR v2. Get the threat (file) associated with a specific SHA256 hash - Cylance Protect v2. Get the file associated with a specific MD5 or SHA256 hash - Code42.
File Enrichment - Generic v2	Enrich a file using one or more integrations. Provide threat information Determine file reputation using the !file command
Get File Sample - Generic	Retrieves files from endpoints by the file hash or the file path.
Command-Line Analysis	This playbook takes a command line from the alert and performs the following actions: Checks for base64 string and decodes if exists Extracts and enriches indicators from the command line Checks specific arguments for malicious usage At the end of the playbook, it sets a possible verdict for the command line, based on the finding: Indicators found in the command line Found AMSI techniques Found suspicious parameters Usage of malicious tools Indication of network activity Indication of suspicious LOLBIN execution Suspicious path and arguments in the command line Note: To run this playbook with a list of command lines, set this playbook to run in a loop. To do so, navigate to 'Loop' and check "For Each Input".
Block IP - Generic v3	This playbook blocks malicious IP addresses using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user (and set by default to outgoing) Note the following: some of those integrations require specific parameters to run, which are based on the playbook inputs. Also, certain integrations use FW rules or appended network objects. Note that the appended network objects should be specified in blocking rules inside the system later on. Supported integrations for this playbook [Network security products such as FW/WAF/IPs/etc.]: Check Point Firewall Palo Alto Networks PAN-OS Zscaler FortiGate Aria Packet Intelligence Cisco Firepower Cisco Secure Cloud Analytics Cisco ASA Akamai WAF F5 SilverLine ThreatX Signal Sciences WAF Sophos Firewall.
Block Domain - Generic v2	This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook: Zscaler Symantec Messaging Gateway FireEye EX Trend Micro Apex One Proofpoint Threat Response Cisco Stealthwatch Cloud
Email Address Enrichment - Generic v2.1	Enrich email addresses. Get information from Active Directory for internal addresses Get the domain-squatting reputation for external addresses Email address reputation using !email command.
File Enrichment - File reputation	Get file reputation using one or more integrations
Calculate Severity By Highest DBotScore	Calculates the incident severity level according to the highest DBotScore.
Block File - Generic v2	This playbook is used to block files from running on endpoints. This playbook supports the following integrations: Palo Alto Networks Traps Palo Alto Networks Cortex XDR Cybereason Carbon Black Enterprise Response Cylance Protect v2 Crowdstrike Falcon Microsoft Defender for Endpoint.
Isolate Endpoint - Generic V2	This playbook isolates a given endpoint using various endpoint product integrations. Make sure to provide valid playbook inputs for the integration you are using.
Block IP - Generic v2	Deprecated. Use the `Block IP - Generic v3` playbook instead. This playbook blocks malicious IPs using all integrations that are enabled. Supported integrations for this playbook: Check Point Firewall Palo Alto Networks Minemeld Palo Alto Networks PAN-OS Zscaler FortiGate
Search and Compare Process Executions - Generic	This playbook is a generic playbook that receives a process name and a command-line argument. It searches for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations: Cortex XDR XQL Engine Cortex XDR IR(Search executions inside XDR alerts) Microsoft Defender For Endpoint Note: Under the "Processes" input, the playbook should receive an array that contains the following keys: value: process name commands: command-line arguments
Get Original Email - Generic	Deprecated. Use the "Get Original Email - Generic v2" playbook under the "Phishing" pack instead.
Get User Devices by Username - Generic	This playbook retrieves information on all of the associated user devices, based on the user's username. In order to get a generic output, the following information on all of the retrieved devices will be saved under the `UserDevices` context key: Name Serial Number ID Model MAC Address OS Integration Note that not all of the supported integrations will be able to retrieve this information. Supported integrations: jamf v2 Microsoft Defender for Endpoint Cortex XDR IR ServiceNow v2 Google Workspace (Gsuite) Active Directory Query v2.
Block Indicators - Generic v2	Deprecated. Use the `Block Indicators - Generic V3` playbook instead. This playbook blocks malicious Indicators using all integrations that are enabled, using the following sub-playbooks: Block URL - Generic Block Account - Generic Block IP - Generic v2 Block File - Generic v2 Block Email - Generic Block Domain - Generic
Field Polling - Generic	This playbook polls a field to check if a specific value exists.
Get File Sample By Hash - Generic v2	Deprecated. Use `Get File Sample By Hash - Generic v3` instead. This playbook returns a file sample correlating to a hash in the war-room using the following sub-playbooks: Get File Sample By Hash - Carbon Black Enterprise Response Get File Sample By Hash - Cylance Protect v2
URL Enrichment - Generic v2	Enrich URLs using one or more integrations. URL enrichment includes: SSL verification for URLs. Threat information. Providing of URL screenshots. URL Reputation using !url.
Block Email - Generic	Deprecated. Use 'Block Email - Generic v2' instead. This playbook will block emails at your mail relay integration.
Email Headers Check - Generic	This playbook executes one sub-playbook and one automation to check the email headers: Process Microsoft's Anti-Spam Headers - This playbook stores the SCL, BCL and PCL scores if they exist to the relevant incident fields (Phishing SCL Score, Phishing PCL Score, Phishing BCL Score). CheckEmailAuthenticity - This automation checks email authenticity based on its SPF, DMARC, and DKIM.
Detonate URL - Generic v1.5	Detonate URL through one or more active integrations that support URL detonation. Supported integrations: SecneurX Analysis ANY.RUN McAfee Advanced Threat Defense WildFire Lastline Cuckoo Sandbox Cisco Secure Malware Analytics (ThreatGrid) JoeSecurity CrowdStrike Falcon Sandbox FireEye AX VMRay Analyzer Polygon CrowdStrike Falcon Intelligence Sandbox OPSWAT Filescan ANYRUN VirusTotal Anomali ThreatStream Hatching Triage ThreatGrid

Playbooks

Name	Description
Search And Delete Emails - Generic	Deprecated. Use `Search And Delete Emails - Generic v2` instead. This playbook searches and delete emails with similar attributes of a malicious email.
Calculate Severity - Standard	Calculates and sets the alert severity based on the combination of the current alert severity, and the severity returned from the Calculate Severity By Highest DBotScore playbook.
Get host forensics - Generic	This playbook retrieves forensics from hosts for the following integrations: Illusive Networks Microsoft Defender For Endpoint.
Containment Plan - Quarantine File	Containment Plan - Quarantine File This playbook is a sub-playbook within the containment plan playbook. The playbook quarantines files using core commands.
Isolate Endpoint - Generic V2	This playbook isolates a given endpoint using various endpoint product integrations. Make sure to provide valid playbook inputs for the integration you are using.
Retrieve File from Endpoint - Generic V2	Deprecated. Use `Retrieve File from Endpoint - Generic V3` instead. 'This playbook retrieves a file sample from an endpoint using the following playbooks:' Get File Sample From Path - Generic v2. Get File Sample By Hash - Generic v3.
Cloud IAM Enrichment - Generic	This playbook is responsible for collecting and enriching data on Identity Access Management (IAM) in cloud environments (AWS, Azure, and GCP).
Containment Plan - Clear User Sessions	Containment Plan - Clear User Sessions This playbook is a sub-playbook within the containment plan playbook. The playbook uses the 'Okta v2' and 'MSGraph User' integrations to clear user sessions.
IP Enrichment - External - Generic v2	Enrich IP addresses using one or more integrations. Resolve IP addresses to hostnames (DNS). Provide threat information. IP address reputation using !ip command. Separate internal and external addresses.
Detonate URL - Generic	Deprecated. Use Detonate URL - Generic v1.5 playbook instead. Detonate URL through active integrations that support URL detonation.
Search Endpoint by CVE - Generic	Hunt for assets with a given CVE using available tools
Indicator Registration Polling - Generic	This playbook polls all indicators to check if they exist.
Dedup - Generic v2	Deprecated. Use the Dedup Generic v3 playbook instead. This playbook identifies duplicate alerts using one of the supported methods.
Command-Line Analysis	This playbook takes a command line from the alert and performs the following actions: Checks for base64 string and decodes if exists Extracts and enriches indicators from the command line Checks specific arguments for malicious usage At the end of the playbook, it sets a possible verdict for the command line, based on the finding: Indicators found in the command line Found AMSI techniques Found suspicious parameters Usage of malicious tools Indication of network activity Indication of suspicious LOLBIN execution Suspicious path and arguments in the command line Note: To run this playbook with a list of command lines, set this playbook to run in a loop. To do so, navigate to 'Loop' and check "For Each Input".
DBot Indicator Enrichment - Generic	Get indicators internal Dbot score
Block Email - Generic v2	This playbook will block emails at your mail relay integration. Supported integrations for this playbook: Mimecast FireEye Email Security (EX) Cisco Email Security Symantec Email Security
SIEM - Search for Failed logins	This playbook searches for failed logon on a specific user by querying logs from different sources. Supported Integrations: -Splunk -QRadar -Azure Log Analytics.
Search Endpoints By Hash - Generic V2	Hunt using available tools
File Enrichment - Generic v2	Enrich a file using one or more integrations. Provide threat information Determine file reputation using the !file command
Enrichment for Verdict	This playbook checks prior alert closing reasons and performs enrichment and prevalence checks on different IOC types. It then returns the information needed to establish the alert's verdict.
Get User Devices - Generic	This playbook retrieves information on all of the associated user devices. In order to get a generic output, the following information on all of the retrieved devices will be saved under the `UserDevices` context key: Name Serial Number ID Model MAC Address OS Integration Note that not all of the supported integrations will be able to retrieve this information. In order to get the full list of supported integrations, read the following sub-playbooks descriptions: Get User Devices by Username - Generic Get User Devices by Email Address - Generic
IP Enrichment - Generic v2	Enrich IP addresses using one or more integrations. Resolve IP addresses to hostnames (DNS) Provide threat information Determine IP address reputation using the !ip command Separate internal and external IP addresses For internal IP addresses, get host information. When executing this playbook through IP Enrichment - Generic v2, IP classification and resolution will be handled by the main playbook, improving performance.
Search And Delete Emails - Generic v2	This playbook searches and deletes emails with similar attributes of a malicious email using one of the following integrations: * EWS * Office 365 * Gmail * Agari Phishing Defense.
Containment Plan - Disable Account	Containment Plan - Disable Account This playbook is a sub-playbook within the containment plan playbook. The playbook disables users by utilizing the sub-playbook "Block Account - Generic v2"
Block IP - Generic v2	Deprecated. Use the `Block IP - Generic v3` playbook instead. This playbook blocks malicious IPs using all integrations that are enabled. Supported integrations for this playbook: Check Point Firewall Palo Alto Networks Minemeld Palo Alto Networks PAN-OS Zscaler FortiGate
Get prevalence for IOCs	The playbook queries the analytics module to receive the prevalence of an IOC. Supported IOC: Process by SHA256 Process by file name IP Domain CMD Registry (require key and value)
Eradication Plan	This playbook handles all the eradication actions available with Cortex XSIAM, including the following sub-playbooks: Eradication Plan - Reset user password Eradication Plan - Delete file Eradication Plan - Kill process (currently, the playbook supports terminating a process by name) Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details.
Cloud Compute Enrichment - Generic	This playbook provides a generic enrichment of AWS, GCP, and Azure compute resources.
Search and Compare Process Executions - Generic	This playbook is a generic playbook that receives a process name and a command-line argument. It searches for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations: Cortex XDR XQL Engine Cortex XDR IR(Search executions inside XDR alerts) Microsoft Defender For Endpoint Note: Under the "Processes" input, the playbook should receive an array that contains the following keys: value: process name commands: command-line arguments
File Enrichment - File reputation	Get file reputation using one or more integrations
Block Indicators - Generic v3	This playbook blocks malicious indicators using all integrations that are enabled, using the following sub-playbooks: Block URL - Generic v2 Block Account - Generic v2 Block IP - Generic v3 Block File - Generic v2 Block Email - Generic v2 Block Domain - Generic v2.
Field Polling - Generic	This playbook polls a field to check if a specific value exists.
Get Cloud Account Owner - Generic	Retrieves the owners of a cloud account based on account ID. Current supported platforms: GCP Prisma Cloud.
User Investigation - Generic	This playbook performs an investigation on a specific user, using queries and logs from SIEM, Identity management systems, XDR, and firewalls. Supported Integrations: -Okta -Splunk -QRadar -Azure Log Analytics -PAN-OS -XDR / Core By Palo Alto Networks.
IP Enrichment - Internal - Generic v2	Enrich Internal IP addresses using one or more integrations. Resolve IP address to hostname (DNS) Separate internal and external IP addresses Get host information for IP addresses.
Block URL - Generic v2	This playbook blocks malicious URLs using all integrations that are enabled. Supported integrations for this playbook: Palo Alto Networks PAN-OS Zscaler Sophos Forcepoint Checkpoint Netcraft.
Wait Until Datetime	Pauses execution until the date and time that was specified in the plabyook input is reached.
Block Domain - Generic	Deprecated. Use 'Block Domain - Generic v2' instead. This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook: Zscaler Symantec Messaging Gateway FireEye EX Trend Micro Apex One Proofpoint Threat Response
Endpoint Enrichment - Generic v2.1	Enrich an endpoint by hostname using one or more integrations. Supported integrations: Active Directory Query v2 McAfee ePO v2 VMware Carbon Black EDR v2 Cylance Protect v2 CrowdStrike Falcon ExtraHop Reveal(x) Cortex XDR / Core (endpoint enrichment, reputation and risk) Endpoint reputation using !endpoint command.
Calculate Severity - Critical Assets v2	Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation. Critical assets refer to: users, user groups, endpoints and endpoint groups.
Dedup - Generic v3	Deprecated. Use the `Dedup - Generic v4` playbook instead. This playbook identifies duplicate alerts using one of the supported methods. Select one of the following methods to identify duplicate alerts in Cortex. ml: Machine learning model, which is trained mostly on phishing alerts. -rules: Rules help identify duplicate alerts when the logic is well defined, for example, the same label or custom fields. -text: Statistics algorithm that compares text, which is generally useful for phishing alerts. For each method, the playbook will search for the oldest similar alert. when there is a match for a similar alert the playbook will close the current alert and will link it to the older alert.
Block Indicators - Generic v2	Deprecated. Use the `Block Indicators - Generic V3` playbook instead. This playbook blocks malicious Indicators using all integrations that are enabled, using the following sub-playbooks: Block URL - Generic Block Account - Generic Block IP - Generic v2 Block File - Generic v2 Block Email - Generic Block Domain - Generic
Cloud Response - Generic	This playbook provides response playbooks for: AWS Azure GCP The response actions available are: Terminate/Shut down/Power off an instance Delete/Disable a user Delete/Revoke/Disable credentials Block indicators
Eradication Plan - Delete File	This playbook is one of the sub-playbooks in the eradication plan. This playbook executes actions of file deletion, which is a crucial step in the eradication process.
Threat Hunting - Generic	This playbook enables threat hunting for IOCs in your enterprise. It currently supports the following integrations: Splunk Qradar Pan-os Cortex Data Lake Autofocus Microsoft 365 Defender
Entity Enrichment - Generic v2	Enrich entities using one or more integrations
Get Original Email - Generic	Deprecated. Use the "Get Original Email - Generic v2" playbook under the "Phishing" pack instead.
Retrieve File from Endpoint - Generic V3	'This playbook retrieves a file sample from an endpoint using the following playbooks:' Get File Sample From Path - Generic v2. Get File Sample By Hash - Generic v3.
Containment Plan - Block Indicators	Containment Plan - Block Indicators This playbook is a sub-playbook within the containment plan playbook. Indicator Blocking The playbook block indicators by two methods: It adds the malicious hashes into the XSIAM hash block list It utilizes the sub-playbook "Block Indicators - Generic v3"
CVE Enrichment - Generic v2	This playbook performs CVE Enrichment using the following integrations: VulnDB CVE Search IBM X-Force Exchange
Get File Sample By Hash - Generic v3	This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks: Get binary file by MD5 hash from Carbon Black telemetry data - VMware Carbon Black EDR v2. Get the threat (file) associated with a specific SHA256 hash - Cylance Protect v2. Get the file associated with a specific MD5 or SHA256 hash - Code42.
Unzip File	This playbook checks whether a file has an extension that supports unzipping, and unzips the file.
Isolate Endpoint - Generic	Deprecated. Use the "Isolate Endpoint - Generic V2" playbook instead.
Calculate Severity - 3rd-party integrations	Calculates the alert severity level according to the methodology of a 3rd-party integration.
GenericPolling	Use this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete. This playbook implements polling by continuously running the command in Step #2 until the operation completes. The remote action should have the following structure: Initiate the operation. Poll to check if the operation completed. (optional) Get the results of the operation. NOTE: This playbook should be run only when the playbook's context is using the "Private to sub-playbook" option.
Domain Enrichment - Generic v2	Enrich domains using one or more integrations. Domain enrichment includes: Threat information Domain reputation using !domain command
Block Domain - Generic v2	This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook: Zscaler Symantec Messaging Gateway FireEye EX Trend Micro Apex One Proofpoint Threat Response Cisco Stealthwatch Cloud
Calculate Severity - Generic v2	Calculate and assign the alert severity based on the highest returned severity level from the following calculations: DBotScores of indicators Critical assets Email authenticity Current alert severity Microsoft Headers Risky users (XDR) Risky hosts (XDR).
Dedup - Generic v4	This playbook identifies duplicate alerts using the Cortex machine learning method (script). In this playbook, you can choose fields and/or indicators to be compared against other alerts in the Cortex database. Note: To identify similar alerts you must properly define the playbook inputs.
File Reputation	This playbook checks the file reputation and sets the verdict as a new context key. The verdict is composed by 3 main components: VirusTotal detection rate Digital certificate signers NSRL DB Note: a user can provide a list of trusted signers of his own using the playbook inputs
Block Account - Generic	Deprecated. Use 'Block Account - Generic v2' instead. This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: Active Directory PAN-OS - This requires PAN-OS 9.1 or higher.
Cloud User Investigation - Generic	This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging.
Endpoint Investigation Plan	This playbook handles all the endpoint investigation actions by performing the following tasks on every alert associated with the alert: Pre-defined MITRE Tactics Host fields (Host ID) Attacker fields (Attacker IP, External host) MITRE techniques File hash (currently, the playbook supports only SHA256) Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.
Email Address Enrichment - Generic v2.1	Enrich email addresses. Get information from Active Directory for internal addresses Get the domain-squatting reputation for external addresses Email address reputation using !email command.
URL Enrichment - Generic v2	Enrich URLs using one or more integrations. URL enrichment includes: SSL verification for URLs. Threat information. Providing of URL screenshots. URL Reputation using !url.
Get User Devices by Email Address - Generic	This playbook retrieves information on all of the associated user devices, based on the user email. In order to get a generic output, the following information on all of the retrieved devices will be saved under the `UserDevices` context key: Name Serial Number ID Model MAC Address OS Integration Note that not all of the supported integrations will be able to retrieve this information. Supported integrations: jamf v2 Google Workspace (Gsuite) ServiceNow v2 Active Directory Query v2 Microsoft Graph API (In order to get devices details, provide the permissions as mentioned here: https://learn.microsoft.com/en-us/graph/api/user-list-owneddevices?view=graph-rest-1.0&tabs=http )
Send Investigation Summary Reports	This playbook iterates over closed alerts, generates a summary report for each closed alert, and emails the reports to specified users.
Convert file hash to corresponding hashes	The playbook enables you to get all of the corresponding file hashes for a file even if there is only one hash type available. For example, if we have only the SHA256 hash, the playbook will get the SHA1 and MD5 hashes as long as the original searched hash is recognized by any our the threat intelligence integrations.
Entity Enrichment - Generic v3	Enrich entities using one or more integrations.
Block File - Generic v2	This playbook is used to block files from running on endpoints. This playbook supports the following integrations: Palo Alto Networks Traps Palo Alto Networks Cortex XDR Cybereason Carbon Black Enterprise Response Cylance Protect v2 Crowdstrike Falcon Microsoft Defender for Endpoint.
Block IP - Generic v3	This playbook blocks malicious IP addresses using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user (and set by default to outgoing) Note the following: some of those integrations require specific parameters to run, which are based on the playbook inputs. Also, certain integrations use FW rules or appended network objects. Note that the appended network objects should be specified in blocking rules inside the system later on. Supported integrations for this playbook [Network security products such as FW/WAF/IPs/etc.]: Check Point Firewall Palo Alto Networks PAN-OS Zscaler FortiGate Aria Packet Intelligence Cisco Firepower Cisco Secure Cloud Analytics Cisco ASA Akamai WAF F5 SilverLine ThreatX Signal Sciences WAF Sophos Firewall.
Search And Block Software - Generic	This playbook will search a file or process activity of a software by a given image file name. The analyst can then choose the files to block. The following integrations are supported: Cortex XDR XQL Engine Microsoft Defender For Endpoint
Unisolate Endpoint - Generic	This playbook unisolates endpoints according to the endpoint ID or host name provided in the playbook. It currently supports the following integrations: Carbon Black Response Cortex XDR Crowdstrike Falcon FireEye HX Cybereason Microsoft Defender For Endpoint.
Ticket Management - Generic	`Ticket Management - Generic` allows you to open new tickets or update comments to the existing ticket in the following ticketing systems: -ServiceNow -Zendesk using the following sub-playbooks: -`ServiceNow - Ticket Management` -`Zendesk - Ticket Management`
Get Email From Email Gateway - Generic	This playbook retrieves a specified EML/MSG file directly from the email security gateway product.
Block Account - Generic v2	This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: Active Directory PAN-OS - This requires PAN-OS 9.1 or higher. SailPoint PingOne AWS IAM Clarizen IAM Envoy IAM ExceedLMS IAM Okta Microsoft Graph User (Azure Active Directory Users) Google Workspace Admin Slack IAM ServiceNow IAM Prisma Cloud IAM Zoom IAM Atlassian IAM GitHub IAM.
Cloud Credentials Rotation - Generic	Cloud Credentials Rotation - Generic This comprehensive playbook combines the remediation steps from AWS, Azure, and GCP sub-playbooks into a single, cohesive guide. Regardless of which Cloud Service Provider (CSP) you're working with, this playbook will direct you to the relevant steps, ensuring swift and effective response. The primary objective is to offer an efficient way to address compromised credentials across different cloud platforms. By consolidating the key steps from AWS, Azure, and GCP, it minimizes the time spent searching for platform-specific procedures and accelerates the remediation process, ensuring the highest level of security for your cloud environments. Integrations for Each Sub-Playbook In order to seamlessly execute the actions mentioned in each sub-playbook, specific integrations are essential. These integrations facilitate the automated tasks and processes that the playbook carries out. Here are the required integrations for each sub-playbook: AWS Sub-Playbook: AWS - IAM: Used to manage AWS Identity and Access Management. AWS - EC2: Essential for managing Amazon Elastic Compute Cloud (EC2) instances. GCP Sub-Playbook: Google Workspace Admin: Manages users, groups, and other entities within Google Workspace. GCP-IAM: Ensures management and control of GCP's Identity and Access Management. Azure Sub-Playbook: Microsoft Graph Users: Manages users and related entities in Microsoft Graph. Microsoft Graph Applications: Manages applications within Microsoft Graph.
Calculate Severity By Highest DBotScore	Calculates the alert severity level according to the highest DBotScore.
Get File Sample - Generic	Retrieves files from endpoints by the file hash or the file path.
Eradication Plan - Terminate Process	This playbook is one of the sub-playbooks in the eradication plan. This playbook handles the termination of the processes as a crucial step in the eradication action. The playbook executes actions of process termination, which is a crucial step in the eradication process. The process termination can be performed based on either the process ID or the process name.
Detonate File - Generic	Detonate files through one or more active integrations that support file detonation. Supported integrations: SecneurX Analysis ANY.RUN McAfee Advanced Threat Defense WildFire Lastline Cuckoo Sandbox Cisco Secure Malware Analytics (ThreatGrid) JoeSecurity CrowdStrike Falcon Sandbox FireEye AX VMRay Analyzer Polygon CrowdStrike Falcon Intelligence Sandbox OPSWAT Filescan.
Containment Plan - Isolate Device	Containment Plan - Isolate Device This playbook is a sub-playbook within the containment plan playbook. The playbook isolates devices using core commands.
Get User Devices by Username - Generic	This playbook retrieves information on all of the associated user devices, based on the user's username. In order to get a generic output, the following information on all of the retrieved devices will be saved under the `UserDevices` context key: Name Serial Number ID Model MAC Address OS Integration Note that not all of the supported integrations will be able to retrieve this information. Supported integrations: jamf v2 Microsoft Defender for Endpoint Cortex XDR IR ServiceNow v2 Google Workspace (Gsuite) Active Directory Query v2.
Retrieve File from Endpoint - Generic	Deprecated. Use `Retrieve File from Endpoint - Generic V3` instead. This playbook retrieves a file sample from an endpoint using the following playbooks: Get File Sample From Path - Generic Get File Sample By Hash - Generic v2
Account Enrichment - Generic v2.1	Enrich accounts using one or more integrations. Supported integrations: Active Directory Microsoft Graph User SailPoint IdentityNow SailPoint IdentityIQ PingOne Okta AWS IAM Cortex XDR (account enrichment and reputation) Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations.
Context Polling - Generic	This playbook polls a context key to check if a specific value exists.
Email Headers Check - Generic	This playbook executes one sub-playbook and one automation to check the email headers: Process Microsoft's Anti-Spam Headers - This playbook stores the SCL, BCL and PCL scores if they exist to the relevant alert fields (Phishing SCL Score, Phishing PCL Score, Phishing BCL Score). CheckEmailAuthenticity - This automation checks email authenticity based on its SPF, DMARC, and DKIM.
Get endpoint details - Generic	Deprecated. Use the `Endpoint Enrichment - Generic v2.1` playbook instead. This playbook uses the generic command !endpoint to retrieve details on a specific endpoint. This command currently supports the following integrations: Palo Alto Networks Cortex XDR - Investigation and Response. CrowdStrike Falcon.
Detonate URL - Generic v1.5	Detonate URL through one or more active integrations that support URL detonation. Supported integrations: SecneurX Analysis ANY.RUN McAfee Advanced Threat Defense WildFire Lastline Cuckoo Sandbox Cisco Secure Malware Analytics (ThreatGrid) JoeSecurity CrowdStrike Falcon Sandbox FireEye AX VMRay Analyzer Polygon CrowdStrike Falcon Intelligence Sandbox OPSWAT Filescan ANYRUN VirusTotal Anomali ThreatStream Hatching Triage ThreatGrid
Eradication Plan - Reset Password	This playbook is one of the sub-playbooks in the eradication plan. The playbook executes actions to reset the user's passwords, which is a crucial step in the eradication process.
Get File Sample From Path - Generic V2	Deprecated. Use `Get File Sample From Path - Generic V3` instead. This playbook returns a file sample correlating to a path into the War Room using the following sub-playbooks: inputs: 1) Get File Sample From Path - D2. 2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).
Handle False Positive Alerts	This playbook handles false positive alerts. It creates an alert exclusion or alert exception, or adds a file to an allow list based on the alert fields and playbook inputs.
Get File Sample From Path - Generic	Deprecated. Use `Get File Sample From Path - Generic V3` instead. Returns a file sample to the war-room from a path on an endpoint using one or more integrations inputs: UseD2 - if "True", use Demisto Dissolvable Agent (D2) to return the file (default: False)
Cloud Enrichment - Generic	Generic Cloud Enrichment Playbook The Cloud Enrichment - Generic Playbook is designed to unify all the relevant playbooks concerning the enrichment of information in the cloud. It provides a standardized approach to enriching information in cloud environments. Supported Blocks Cloud IAM Enrichment - Generic Enriches information related to Identity and Access Management (IAM) in the cloud. Cloud Compute Enrichment - Generic Enriches information related to cloud compute resources. The playbook supports a single CSP enrichment at a time.
Block Email - Generic	Deprecated. Use 'Block Email - Generic v2' instead. This playbook will block emails at your mail relay integration.
Detonate and Analyze File - Generic	This playbook uploads, detonates, and analyzes files for supported sandboxes. Currently supported sandboxes are Falcon Intelligence Sandbox, JoeSecurity, and Wildfire.
Calculate Severity - Indicators DBotScore	Calculates the alert severity level according to the highest indicator DBotScore.
Recovery Plan	This playbook handles all the recovery actions available with Cortex XSIAM, including the following tasks: Unisolate endpoint Restore quarantined file Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.
Containment Plan	This playbook handles the main containment actions available with Cortex XSIAM, including the following sub-playbooks: Containment Plan - Isolate endpoint Containment Plan - Disable account Containment Plan - Quarantine file Containment Plan - Block indicators Containment Plan - Clear user session (currently, the playbook supports only Okta) Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details.
Block URL - Generic	Deprecated. Use 'Block URL - Generic v2' instead.
Get File Sample By Hash - Generic v2	Deprecated. Use `Get File Sample By Hash - Generic v3` instead. This playbook returns a file sample correlating to a hash in the war-room using the following sub-playbooks: Get File Sample By Hash - Carbon Black Enterprise Response Get File Sample By Hash - Cylance Protect v2
Get File Sample From Path - Generic V3	This playbook returns a file sample from a specified path and host that you input in the following playbooks: PS Remote Get File Sample From Path Get File Sample From Path - VMware Carbon Black EDR (Live Response API) CrowdStrike Falcon - Retrieve File MDE - Retrieve File Cortex XDR - Retrieve File V2
Extract Indicators From File - Generic v2	This playbook extracts indicators from a file. Supported file types: CSV PDF TXT HTM, HTML DOC, DOCX PPT PPTX RTF XLS XLSX XML XLSM DOCM PPTM DOTM XLSB DOT PPSM. The playbook does not support encrypted / password-protected files such as XLSB. Such files will be skipped.

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR

Optional Content Packs (97)

Pack Name	Pack By
ANY.RUN	By: Cortex XSOAR
ARIAPacketIntelligence	By: ARIA Cybersecurity Solutions
AWS - EC2	By: Cortex XSOAR
AWS Enrichment and Remediation	By: Cortex XSOAR
AWS - IAM	By: Cortex XSOAR
Active Directory Query	By: Cortex XSOAR
Agari Phishing Defense	By: Agari
Akamai WAF	By: Cortex XSOAR
Anomali ThreatStream	By: Cortex XSOAR
Azure Enrichment and Remediation	By: Cortex XSOAR
Azure Compute	By: Cortex XSOAR
Azure Log Analytics	By: Cortex XSOAR
Carbon Black Enterprise Protection	By: Cortex XSOAR
Carbon Black Enterprise Live Response	By: Cortex XSOAR
Carbon Black Enterprise Response	By: Cortex XSOAR
Check Point Firewall	By: Cortex XSOAR
Cisco Umbrella Investigate	By: Cortex XSOAR
Cisco ASA	By: Cortex XSOAR
Cisco Firepower	By: Cortex XSOAR
CiscoSMA	By: Cortex XSOAR
Cisco Secure Network Analytics (Stealthwatch)	By: Cortex XSOAR
Code42	By: Code42
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
CrowdStrike Falcon	By: Cortex XSOAR
CrowdStrike Falcon Sandbox	By: Cortex XSOAR
CrowdStrike Falcon Intelligence Sandbox	By: Cortex XSOAR
Cuckoo Sandbox	By: Cortex XSOAR
Cybereason	By: Cybereason
Cylance Protect	By: Cortex XSOAR
Generic Export Indicators Service	By: Cortex XSOAR
ExtraHop Reveal(x)	By: ExtraHop
F5 Silverline	By: Cortex XSOAR
LOLBAS Feed	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
FireEye Email Security (EX)	By: Cortex XSOAR
FireEye HX	By: Cortex XSOAR
Forcepoint Web Security	By: Cortex XSOAR
FortiGate	By: Cortex XSOAR
GCP Enrichment and Remediation	By: Cortex XSOAR
GCP IAM	By: Cortex XSOAR
G Suite Admin	By: Cortex XSOAR
Gmail	By: Cortex XSOAR
Google Cloud Compute	By: Cortex XSOAR
Hatching Triage	By: Hatching
Illusive Networks	By: Illusive Networks
Image OCR	By: Cortex XSOAR
Joe Security	By: Cortex XSOAR
Kenna	By: Cortex XSOAR
Lastline	By: Cortex XSOAR
McAfee Threat Intelligence Exchange	By: Cortex XSOAR
McAfee Advanced Threat Defense	By: Cortex XSOAR
Microsoft 365 Defender	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Microsoft Exchange On-Premise	By: Cortex XSOAR
Microsoft Exchange Online	By: Cortex XSOAR
Microsoft Graph API	By: Cortex XSOAR
Microsoft Graph Groups	By: Cortex XSOAR
Microsoft Graph Identity and Access	By: Cortex XSOAR
Microsoft Graph User	By: Cortex XSOAR
Mimecast	By: Cortex XSOAR
Netcraft	By: Cortex XSOAR
MetaDefender Sandbox	By: OPSWAT
Oletools	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR
Comprehensive Investigation by Palo Alto Networks	By: Cortex XSOAR
WildFire by Palo Alto Networks	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
PingIdentity	By: Ping Identity
Polygon	By: Group-IB
Palo Alto Networks - Strata Cloud Manager	By: Cortex XSOAR
Proofpoint Protection Server	By: Cortex XSOAR
Proofpoint Threat Response	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
Rapid7 InsightVM	By: Cortex XSOAR
RiskSense	By: RiskSense
SailPoint IdentityIQ	By: SailPoint
SailPoint IdentityNow	By: SailPoint
SecneurX Analysis	By: SecneurX Technologies
Signal Sciences WAF	By: Cortex XSOAR
Sophos XG Firewall	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Cisco Secure Cloud Analytics (Stealthwatch Cloud)	By: Cortex XSOAR
Symantec Messaging Gateway	By: Cortex XSOAR
Cisco Secure Malware Analytics	By: Cortex XSOAR
ThreatX	By: Cortex XSOAR
Threat Crowd (Deprecated)	By: Cortex XSOAR
Trend Micro Apex One	By: Cortex XSOAR
VMRay Analyzer	By: VMRay
VirusTotal	By: VirusTotal
VulnDB	By: Cortex XSOAR
Windows Forensics	By: Cortex XSOAR
IBM X-Force Exchange	By: Cortex XSOAR
Zendesk	By: Cortex XSOAR
Zscaler Internet Access	By: Cortex XSOAR
McAfee ePO	By: Cortex XSOAR
FireEye (AX Series)	By: Cortex XSOAR
Jamf	By: Cortex XSOAR

All level dependencies (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

2.6.55 - 2988287 (March 26, 2025)

Playbooks

GenericPolling

Improved documentation.

Related pull requests:
- 39250

Download

2.6.54 - 2959694 (March 23, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 39129

Download

2.6.53 - 2901908 (March 18, 2025)

Documentation and metadata improvements.

Related pull requests:
- 38999

Download

2.6.52 - 2569286 (February 26, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 38550

Download

2.6.51 - 2480529 (February 17, 2025)

Playbooks

Extract Indicators From File - Generic v2

Updated the Extract Indicators From File - Generic v2 playbook to ignore extraction when encountering an encrypted PDF file.

Related pull requests:
- 38649

Download

2.6.50 - 2040490 (January 22, 2025)

Playbooks

Block URL - Generic v2

Fixed an issue where PAN-OS - Block URL failed by adding the type parameter.

Related pull requests:
- 38205
- 38260

Download

2.6.49 - 1915967 (January 2, 2025)

Playbooks

Detonate File - Generic

Removed timeout input for WildFire - Detonate file v2 task, the playbook's default configuration will be used instead.

Related pull requests:
- 37907

Download

2.6.48 - 1855875 (December 23, 2024)

Playbooks

Get User Devices - Generic

Documentation and metadata improvements.

Search And Block Software - Generic

Documentation and metadata improvements.

User Investigation - Generic

Documentation and metadata improvements.

Get User Devices by Email Address - Generic

Documentation and metadata improvements.

Block Account - Generic v2

Documentation and metadata improvements.

Command-Line Analysis

Documentation and metadata improvements.

Get Cloud Account Owner - Generic

Documentation and metadata improvements.

Account Enrichment - Generic v2.1

Documentation and metadata improvements.

Get User Devices by Username - Generic

Documentation and metadata improvements.

Related pull requests:
- 37696

Download

2.6.47 - R1738579 (December 2, 2024)

Playbooks

Command-Line Analysis

Added new tasks to check for suspicious paths and arguments in the command line. The results will be added to the 'CommandlineVerdict' output under the 'CommandlineVerdict.SuspiciousCmdPathAndArguments' key and will influence the overall verdict.

Related pull requests:
- 37029

Download

2.6.46 - 1569341 (October 30, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 36959

Download

2.6.45 - 1559973 (October 29, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 36879

Download

2.6.44 - 1537605 (October 22, 2024)

Playbooks

Block Indicators - Generic v3

Fixes the 'AutoBlockIndicators' input description.

Related pull requests:
- 36796

Download

2.6.43 - 1477969 (October 8, 2024)

Playbooks

Extract Indicators From File - Generic v2

Fixed an issue where the file conversion tasks attempted to convert a doc/docx file although these files are not supposed to be converted.

Related pull requests:
- 36573

Download

2.6.42 - 1434344 (September 25, 2024)

Playbooks

Extract Indicators From File - Generic v2

Fixed an issue where the ReadQRCode task failed when a gif file was given.

Related pull requests:
- 36500

Download

2.6.41 - 1423289 (September 23, 2024)

Playbooks

SIEM - Search for Failed logins

Updated the Azure Log Analytics query to support special characters.

Related pull requests:
- 36422

Download

2.6.40 - 1417991 (September 22, 2024)

Playbooks

Account Enrichment - Generic v2.1

Updated the 'IAM Get User - Without specifying a domain' condition by adding a transformer to support numeric usernames.

Related pull requests:
- 36406

Download

2.6.39 - 1355606 (September 8, 2024)

Playbooks

Extract Indicators From File - Generic v2

Fixed an issue where the file conversion tasks attempted to convert password-protected XLSB files which resulted in an error.

Related pull requests:
- 36010

Download

2.6.38 - 1320807 (August 28, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 36020

Download

2.6.37 - 1230534 (July 31, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 35697

Download

2.6.36 - 1218660 (July 28, 2024)

Playbooks

Detonate URL - Generic

Updated the playbook to use the MetaDefender Sandbox metadefender-sandbox-scan-url command instead of the deprecated opswat-filescan-scan-url command.

Detonate File - Generic

Updated the playbook to use the MetaDefender Sandbox metadefender-sandbox-scan-file command instead of the deprecated opswat-filescan-scan-file command.

Related pull requests:
- 35595

Download

2.6.35 - 1170213 (July 11, 2024)

Playbooks

Search For Hash In Sandbox - Generic

Added a task that checks whether reports associated with the searched hashes are available in the Falcon Intelligence Sandbox before executing the 'Get full report from Falcon Intelligence Sandbox' task.

Related pull requests:
- 35354

Download

2.6.34 - 1147658 (July 4, 2024)

Playbooks

Block IP - Generic v3

Fixed an issue with the data collection tasks to send emails to the corresponding roles in XSIAM (Investigator) and XSOAR (Analyst).

Block Account - Generic v2

Fixed an issue with the data collection tasks to send emails to the corresponding roles in XSIAM (Investigator) and XSOAR (Analyst).

Block URL - Generic v2

Fixed an issue with the data collection tasks to send emails to the corresponding roles in XSIAM (Investigator) and XSOAR (Analyst).

Related pull requests:
- 35133

Download

2.6.33 - 1082615 (June 10, 2024)

Common Playbooks

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34804

Download

2.6.32 - 1000160 (May 7, 2024)

Playbooks

Search And Delete Emails - Generic v2

Added the ability to search for emails for the last 7 days by default in O365.

Related pull requests:
- 34206
- 34043

Download

2.6.31 - 998827 (May 6, 2024)

Common Playbooks

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34212

Download

2.6.30 - R995825 (May 5, 2024)

Playbooks

URL Enrichment - Generic v2

Fixed an issue when the URL input was an empty string.

Related pull requests:
- 34086
- 34113

Download

2.6.29 - 951066 (April 11, 2024)

Playbooks

Cloud Response - Generic

Added the source IP address to block for 'Cloud Response - AWS' and 'Cloud Response - Azure' playbooks.

Related pull requests:
- 33781

Download

2.6.28 - 938811 (April 7, 2024)

Playbooks

Search For Hash In Sandbox - Generic

Fixed an issue where a CrowdStrike report was retrieved only for a single SH256 file instead of for multiple SH256 files.

Extract Indicators From File - Generic v2

Added the ability to extract hyperlinks from Office files (supporting .xlsx,.pptx,.docx).

Related pull requests:
- 33634

Download

2.6.26 - 911958 (March 25, 2024)

Playbooks

Extract Indicators From File - Generic v2

Updated the unescape_url argument of the *ReadPDFFileV2 script to true.

Related pull requests:
- 33258

Download

2.6.25 - 911181 (March 24, 2024)

Playbooks

Cloud Response - Generic

Added an option to select the cloud provider.
Added new Playbook Inputs: GCPprojectID, accountType, sourceIP.

Related pull requests:
- 33122

Download

2.6.24 - 904622 (March 20, 2024)

Playbooks

Block Account - Generic v2

Added new tasks to verify the existence of the user for both the Microsoft Active Directory integration and Microsoft Graph User integration.

Related pull requests:
- 33395

Download

2.6.23 - 897231 (March 18, 2024)

Playbooks

Entity Enrichment - Generic v2

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

IP Enrichment - External - Generic v2

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

IP Enrichment - Internal - Generic v2

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

IP Enrichment - Generic v2

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Threat Hunting - Generic

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Entity Enrichment - Generic v3

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Block IP - Generic v3

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Block Indicators - Generic v3

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Related pull requests:
- 33201

Download

2.6.22 - 893615 (March 16, 2024)

Playbooks

Threat Hunting - Generic

Updated the playbook description.

Command-Line Analysis

Updated the playbook description.

File Enrichment - Generic v2

Updated the playbook description.

Account Enrichment - Generic v2.1

Updated the playbook description.

IP Enrichment - Generic v2

Updated the playbook description.

User Investigation - Generic

Updated the playbook description.

Related pull requests:
- 32867

Download

2.6.21 - 883873 (March 11, 2024)

Playbooks

GenericPolling

Added the ExtractMode argument to propagating auto-extract to subsequent executions of the command.

Related pull requests:
- 33146

Download

2.6.20 - 882064 (March 11, 2024)

Playbooks

Email Address Enrichment - Generic v2.1

Added an enrichment task using EWS for retrieving a primary email address.

Related pull requests:
- 33129

Download

2.6.19 - 881200 (March 10, 2024)

Playbooks

Entity Enrichment - Generic v3

Added a new playbook input for providing the user's domain name for the account enrichment sub-playbook.

Related pull requests:
- 33291

Download

2.6.17 - 876540 (March 7, 2024)

Playbooks

Extract Indicators From File - Generic v2

Added the ability to extract text from QR code images.

Related pull requests:
- 33235

Download

2.6.16 - 871927 (March 6, 2024)

Playbooks

Block Email - Generic v2

Removed the command netcraft-report-attack. This command has been deprecated and has reached its end-of-life (EOL) date.
The playbook will use the command netcraft-attack-report instead.

Block URL - Generic v2

Removed the command cisco-email-security-list-entry-add. This command has been deprecated and has reached its end-of-life (EOL) date.
The playbook will use the command cisco-sma-list-entry-append from the integration 'CiscoSMA' instead.

Related pull requests:
- 33126

Download

2.6.15 - 854016 (February 26, 2024)

Playbooks

Extract Indicators From File - Generic v2

Added a new filter for json file.

Related pull requests:
- 33100

Download

2.6.14 - 851225 (February 25, 2024)

Playbooks

Convert file hash to corresponding hashes

Added local search for hashes in Cortex XSOAR before the enrichment.

Related pull requests:
- 33001

Download

2.6.13 - 828628 (February 14, 2024)

Playbooks

Unisolate Endpoint - Generic

Added IP input to support unisolation by the host's IP address.

Related pull requests:
- 32873

Download

2.6.12 - 823153 (February 12, 2024)

Playbooks

Detonate URL - Generic v1.5

Fixed an issue where Detonate URL - ThreatGrid v2 sub playbook should be skipped when unavailable and the default values of Interval and Timeout inputs was raised.

Command-Line Analysis

Removed non-required Append transformer in the extractIndicators task.
Added a "RemoveEmpty" transformer in the "Set original commandline" task.

Related pull requests:
- 32828

Download

2.6.10 - 819156 (February 11, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 32007

Download

2.6.9 - 811489 (February 7, 2024)

Playbooks

Entity Enrichment - Generic v3

Added the 'UseReputationCommand' which is being used in the sub-playbooks as an input.

Related pull requests:
- 32703

Download

2.6.8 - 807749 (February 5, 2024)

Playbooks

Command-Line Analysis

Added a transformer for remove empty values in the extractIndicators task.

Related pull requests:
- 32706

Download

2.6.7 - 801044 (February 2, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 32513

Download

2.6.6 - 781077 (January 23, 2024)

Playbooks

Block Indicators - Generic v3

Fixed the "Set indicators to block" task bug that causing errors.

Detonate URL - Generic v1.5

Removed the duplicated playbook of the 'Detonate Url - WildFire'.
Added detonation with JoeSecurity vendor.
Removed the unnecessary section header of the "Detonate URL - VirusTotal (API v3)".
Removed the unnecessary condition of Check URL.

Related pull requests:
- 32333

Download

2.6.4 - 778227 (January 22, 2024)

Common Playbooks

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 32331

Download

2.6.3 - 775948 (January 21, 2024)

Playbooks

Block Indicators - Generic v3

Updated the tasks 'Set indicators to block - Auto' and 'Set indicators to block - Manual' to remove empty values from the key IndicatorsToBlock.

Related pull requests:
- 32125

Download

2.6.2 - 774340 (January 21, 2024)

Playbooks

Get File Sample From Path - Generic V3

Added additional sub-playbooks:
- Cortex XDR - Retrieve File v2
- MDE - Retrieve File
- CrowdStrike Falcon - Retrieve File
Added outputs for extracted files and non retrieved files.

Related pull requests:
- 32035

Download

2.6.1 - 769959 (January 18, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 31904

Download

2.6.0 - 765039 (January 16, 2024)

Playbooks

Calculate Severity By Highest DBotScore

Changed the inputs of this playbook. If you customized the playbook input to anything other than the DBotScore object, you will need to re-adjust the new inputs. The playbook now accepts a list of unique DBotScore indicators and the maximum score given to an indicator, instead of the full DBotScore object.
Improved the performance of the playbook and reduced the size of the context.

Calculate Severity - Generic v2

Changed the inputs of this playbook. If you customized the playbook input to anything other than the DBotScore object, you will need to re-adjust the new inputs. The playbook now accepts a list of unique DBotScore indicators and the maximum score given to an indicator, instead of the full DBotScore object.
Improved the performance of the playbook and reduced the size of the context.

Calculate Severity - Standard

Changed the inputs of this playbook. If you customized the playbook input to anything other than the DBotScore object, you will need to re-adjust the new inputs. The playbook now accepts a list of unique DBotScore indicators and the maximum score given to an indicator, instead of the full DBotScore object.
Improved the performance of the playbook and reduced the size of the context.

Related pull requests:
- 32144

Download

2.5.9 - 755215 (January 10, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 32057

Download

2.6.55 - 2988287 (March 26, 2025)

Playbooks

GenericPolling

Improved documentation.

Related pull requests:
- 39250

Download

2.6.54 - 2959694 (March 23, 2025)

Playbooks

Containment Plan - Quarantine File

Updated the Containment Plan - Quarantine File playbook to use a manual task in case of an error during quarantine instead of the 'PrintErrorEntry' task.

Related pull requests:
- 39129

Download

2.6.53 - 2929110 (March 20, 2025)

Common Playbooks

Documentation and metadata improvements.

Related pull requests:
- 38999

Download

2.6.52 - 2569286 (February 26, 2025)

Playbooks

Containment Plan

Added Containment_Plan_use_case_test use case as a test of Containment Plan playbook.

Related pull requests:
- 38550

Download

2.6.51 - 2480529 (February 17, 2025)

Playbooks

Extract Indicators From File - Generic v2

Updated the Extract Indicators From File - Generic v2 playbook to ignore extraction when encountering an encrypted PDF file.

Related pull requests:
- 38649

Download

2.6.50 - 2040490 (January 22, 2025)

Playbooks

Block URL - Generic v2

Fixed an issue where PAN-OS - Block URL failed by adding the type parameter.

Related pull requests:
- 38205
- 38260

Download

2.6.49 - 1919018 (January 3, 2025)

Playbooks

Detonate File - Generic

Removed timeout input for WildFire - Detonate file v2 task, the playbook's default configuration will be used instead.

Related pull requests:
- 37907

Download

2.6.48 - 1855875 (December 23, 2024)

Playbooks

Get User Devices - Generic

Documentation and metadata improvements.

Endpoint Investigation Plan

Documentation and metadata improvements.

Search And Block Software - Generic

Documentation and metadata improvements.

User Investigation - Generic

Documentation and metadata improvements.

Eradication Plan - Reset Password

Documentation and metadata improvements.

Containment Plan - Isolate Device

Documentation and metadata improvements.

Enrichment for Verdict

Documentation and metadata improvements.

Get User Devices by Email Address - Generic

Documentation and metadata improvements.

Block Account - Generic v2

Documentation and metadata improvements.

Command-Line Analysis

Documentation and metadata improvements.

Get Cloud Account Owner - Generic

Documentation and metadata improvements.

Account Enrichment - Generic v2.1

Documentation and metadata improvements.

Get User Devices by Username - Generic

Documentation and metadata improvements.

Containment Plan - Disable Account

Documentation and metadata improvements.

Related pull requests:
- 37696

Download

2.6.47 - R1738579 (December 2, 2024)

Playbooks

Command-Line Analysis

Related pull requests:
- 37029

Download

2.6.46 - 1569341 (October 30, 2024)

Playbooks

Containment Plan - Block Indicators

Added new tasks to verify if the file hash was added to the block list.

Related pull requests:
- 36959

Download

2.6.45 - 1559973 (October 29, 2024)

Playbooks

Endpoint Investigation Plan

Fixed an issue with the 'SearchAlertsV2' query for hunt by host ID.

Related pull requests:
- 36879

Download

2.6.44 - 1537605 (October 22, 2024)

Playbooks

Block Indicators - Generic v3

Fixes the 'AutoBlockIndicators' input description.

Related pull requests:
- 36796

Download

2.6.43 - 1477969 (October 8, 2024)

Playbooks

Extract Indicators From File - Generic v2

Fixed an issue where the file conversion tasks attempted to convert a doc/docx file although these files are not supposed to be converted.

Related pull requests:
- 36573

Download

2.6.42 - 1434344 (September 25, 2024)

Playbooks

Extract Indicators From File - Generic v2

Fixed an issue where the ReadQRCode task failed when a gif file was given.

Related pull requests:
- 36500

Download

2.6.41 - 1423289 (September 23, 2024)

Playbooks

SIEM - Search for Failed logins

Updated the Azure Log Analytics query to support special characters.

Related pull requests:
- 36422

Download

2.6.40 - 1417991 (September 22, 2024)

Playbooks

Account Enrichment - Generic v2.1

Updated the 'IAM Get User - Without specifying a domain' condition by adding a transformer to support numeric usernames.

Related pull requests:
- 36406

Download

2.6.39 - 1355606 (September 8, 2024)

Playbooks

Extract Indicators From File - Generic v2

Fixed an issue where the file conversion tasks attempted to convert password-protected XLSB files which resulted in an error.

Related pull requests:
- 36010

Download

2.6.38 - 1320807 (August 28, 2024)

Playbooks

Containment Plan - Clear User Sessions

Added new tasks to support revoking user's sessions using the MsGraphUser integration.

Related pull requests:
- 36020

Download

2.6.37 - 1230534 (July 31, 2024)

Playbooks

File Reputation

Fixed the data path for VirusTotal malicious file count.

Related pull requests:
- 35697

Download

2.6.36 - 1218660 (July 28, 2024)

Playbooks

Detonate URL - Generic

Updated the playbook to use the MetaDefender Sandbox metadefender-sandbox-scan-url command instead of the deprecated opswat-filescan-scan-url command.

Detonate File - Generic

Updated the playbook to use the MetaDefender Sandbox metadefender-sandbox-scan-file command instead of the deprecated opswat-filescan-scan-file command.

Related pull requests:
- 35595

Download

2.6.35 - 1170213 (July 11, 2024)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 35354

Download

2.6.34 - 1147658 (July 4, 2024)

Playbooks

Block IP - Generic v3

Fixed an issue with the data collection tasks to send emails to the corresponding roles in XSIAM (Investigator) and XSOAR (Analyst).

Block Account - Generic v2

Fixed an issue with the data collection tasks to send emails to the corresponding roles in XSIAM (Investigator) and XSOAR (Analyst).

Block URL - Generic v2

Fixed an issue with the data collection tasks to send emails to the corresponding roles in XSIAM (Investigator) and XSOAR (Analyst).

Related pull requests:
- 35133

Download

2.6.33 - 1082615 (June 10, 2024)

Common Playbooks

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34804

Download

2.6.32 - 1000160 (May 7, 2024)

Playbooks

Search And Delete Emails - Generic v2

Added the ability to search for emails for the last 7 days by default in O365.

Related pull requests:
- 34206
- 34043

Download

2.6.31 - 998827 (May 6, 2024)

Common Playbooks

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34212

Download

2.6.30 - R995825 (May 5, 2024)

Playbooks

URL Enrichment - Generic v2

Fixed an issue when the URL input was an empty string.

Related pull requests:
- 34086
- 34113

Download

2.6.29 - 951066 (April 11, 2024)

Playbooks

Cloud Response - Generic

Added the source IP address to block for 'Cloud Response - AWS' and 'Cloud Response - Azure' playbooks.

Related pull requests:
- 33781

Download

2.6.28 - 938811 (April 7, 2024)

Playbooks

Extract Indicators From File - Generic v2

Added the ability to extract hyperlinks from Office files (supporting .xlsx,.pptx,.docx).

Related pull requests:
- 33634

Download

2.6.26 - 911958 (March 25, 2024)

Playbooks

Extract Indicators From File - Generic v2

Updated the unescape_url argument of the *ReadPDFFileV2 script to true.

Related pull requests:
- 33258

Download

2.6.25 - 911181 (March 24, 2024)

Playbooks

Cloud Response - Generic

Added an option to select the cloud provider.
Added new Playbook Inputs: GCPprojectID, accountType, sourceIP.

Related pull requests:
- 33122

Download

2.6.24 - 904622 (March 20, 2024)

Playbooks

Block Account - Generic v2

Added new tasks to verify the existence of the user for both the Microsoft Active Directory integration and Microsoft Graph User integration.

Related pull requests:
- 33395

Download

2.6.23 - 897231 (March 18, 2024)

Playbooks

Enrichment for Verdict

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Entity Enrichment - Generic v2

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

IP Enrichment - External - Generic v2

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

IP Enrichment - Internal - Generic v2

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

IP Enrichment - Generic v2

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Threat Hunting - Generic

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Entity Enrichment - Generic v3

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Block IP - Generic v3

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Block Indicators - Generic v3

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Related pull requests:
- 33201

Download

2.6.22 - R896436 (March 17, 2024)

Playbooks

Threat Hunting - Generic

Updated the playbook description.

Command-Line Analysis

Updated the playbook description.

File Enrichment - Generic v2

Updated the playbook description.

Account Enrichment - Generic v2.1

Updated the playbook description.

IP Enrichment - Generic v2

Updated the playbook description.

User Investigation - Generic

Updated the playbook description.

Related pull requests:
- 32867

Download

2.6.21 - 883873 (March 11, 2024)

Playbooks

GenericPolling

Added the ExtractMode argument to propagating auto-extract to subsequent executions of the command.

Related pull requests:
- 33146

Download

2.6.20 - 882064 (March 11, 2024)

Playbooks

Email Address Enrichment - Generic v2.1

Added an enrichment task using EWS for retrieving a primary email address.

Related pull requests:
- 33129

Download

2.6.19 - 881200 (March 10, 2024)

Playbooks

Endpoint Investigation Plan

Added a Test playbook.

Entity Enrichment - Generic v3

Added a new playbook input for providing the user's domain name for the account enrichment sub-playbook.

Related pull requests:
- 33291

Download

2.6.17 - 876540 (March 7, 2024)

Playbooks

Extract Indicators From File - Generic v2

Added the ability to extract text from QR code images.

Related pull requests:
- 33235

Download

2.6.16 - 871927 (March 6, 2024)

Playbooks

Block Email - Generic v2

Removed the command netcraft-report-attack. This command has been deprecated and has reached its end-of-life (EOL) date.
The playbook will use the command netcraft-attack-report instead.

Block URL - Generic v2

Related pull requests:
- 33126

Download

2.6.15 - 854016 (February 26, 2024)

Playbooks

Extract Indicators From File - Generic v2

Added a new filter for json file.

Related pull requests:
- 33100

Download

2.6.14 - 851225 (February 25, 2024)

Playbooks

Convert file hash to corresponding hashes

Added local search for hashes in Cortex XSOAR before the enrichment.

Related pull requests:
- 33001

Download

2.6.13 - 828628 (February 14, 2024)

Playbooks

Unisolate Endpoint - Generic

Added IP input to support unisolation by the host's IP address.

Related pull requests:
- 32873

Download

2.6.12 - 821588 (February 12, 2024)

Playbooks

Detonate URL - Generic v1.5

Fixed an issue where Detonate URL - ThreatGrid v2 sub playbook should be skipped when unavailable and the default values of Interval and Timeout inputs was raised.

Command-Line Analysis

Removed non-required Append transformer in the extractIndicators task.
Added a "RemoveEmpty" transformer in the "Set original commandline" task.

Related pull requests:
- 32828

Download

2.6.10 - 819156 (February 11, 2024)

Playbooks

Endpoint Investigation Plan

Updated the playbook to perform investigation only on the alerts associated with the incident.
Removed the unnecessary input 'timeRange'.

Related pull requests:
- 32007

Download

2.6.9 - 811489 (February 7, 2024)

Playbooks

Entity Enrichment - Generic v3

Added the 'UseReputationCommand' which is being used in the sub-playbooks as an input.

Related pull requests:
- 32703

Download

2.6.8 - 807749 (February 5, 2024)

Playbooks

Command-Line Analysis

Added a transformer for remove empty values in the extractIndicators task.

Related pull requests:
- 32706

Download

2.6.7 - 801044 (February 2, 2024)

Playbooks

File Reputation

Added a flow to get the file reputation from WildFire

Enrichment for Verdict

Removed the WildFire reputation flow and moved it to the File Reputation playbook

Related pull requests:
- 32513

Download

2.6.6 - 781077 (January 23, 2024)

Playbooks

Block Indicators - Generic v3

Fixed the "Set indicators to block" task bug that causing errors.

Detonate URL - Generic v1.5

Removed the duplicated playbook of the 'Detonate Url - WildFire'.
Added detonation with JoeSecurity vendor.
Removed the unnecessary section header of the "Detonate URL - VirusTotal (API v3)".
Removed the unnecessary condition of Check URL.

Related pull requests:
- 32333

Download

2.6.4 - 778227 (January 22, 2024)

Common Playbooks

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 32331

Download

2.6.3 - 775948 (January 21, 2024)

Playbooks

Block Indicators - Generic v3

Updated the tasks 'Set indicators to block - Auto' and 'Set indicators to block - Manual' to remove empty values from the key IndicatorsToBlock.

Containment Plan - Block Indicators

Added a conditional task to check if there are any indicators that are blocked before setting those indicators in the incident context.

Related pull requests:
- 32125

Download

2.6.2 - 774340 (January 21, 2024)

Playbooks

Get File Sample From Path - Generic V3

Added additional sub-playbooks:
- Cortex XDR - Retrieve File v2
- MDE - Retrieve File
- CrowdStrike Falcon - Retrieve File
Added outputs for extracted files and non retrieved files.

Related pull requests:
- 32035

Download

2.6.1 - 769959 (January 18, 2024)

Playbooks

Enrichment for Verdict

Updated the command SearchIncidentsV2 to SearchAlertsV2.

Related pull requests:
- 31904

Download

2.6.0 - 765039 (January 16, 2024)

Playbooks

Calculate Severity By Highest DBotScore

Changed the inputs of this playbook. If you customized the playbook input to anything other than the DBotScore object, you will need to re-adjust the new inputs. The playbook now accepts a list of unique DBotScore indicators and the maximum score given to an indicator, instead of the full DBotScore object.
Improved the performance of the playbook and reduced the size of the context.

Calculate Severity - Generic v2

Changed the inputs of this playbook. If you customized the playbook input to anything other than the DBotScore object, you will need to re-adjust the new inputs. The playbook now accepts a list of unique DBotScore indicators and the maximum score given to an indicator, instead of the full DBotScore object.
Improved the performance of the playbook and reduced the size of the context.

Calculate Severity - Standard

Changed the inputs of this playbook. If you customized the playbook input to anything other than the DBotScore object, you will need to re-adjust the new inputs. The playbook now accepts a list of unique DBotScore indicators and the maximum score given to an indicator, instead of the full DBotScore object.
Improved the performance of the playbook and reduced the size of the context.

Related pull requests:
- 32144

Download

2.5.9 - 755215 (January 10, 2024)

Playbooks

Enrichment for Verdict

Updated the conditional task 'Is there a file?' to also check the length of the string.

Related pull requests:
- 32057

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	August 17, 2020
Last Release	March 26, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

EWS Extension Online Powershell v2 (Deprecated)

O365 - Security And Compliance - Content Search

O365 - Security And Compliance - Content Search (Deprecated)

O365 - Security And Compliance - Content Search v2

O365 Defender SafeLinks - Single User (Deprecated)

Azure Active Directory Identity And Access

Cisco Secure Malware Analytics (Threat Grid) v2

CrowdStrike Falcon Sandbox v2 (Hybrid-Analysis)

McAfee Threat Intelligence Exchange (Deprecated)

Proofpoint Protection Server (Deprecated)

VMware Carbon Black EDR (Live Response API)

Palo Alto Networks - Strata Cloud Manager

Cisco Secure Cloud Analytics (Stealthwatch Cloud)

Cisco Secure Network Analytics (Stealthwatch)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.

Common Playbooks

Cloud Credentials Rotation - Generic

Integrations for Each Sub-Playbook

AWS Sub-Playbook:

GCP Sub-Playbook:

Azure Sub-Playbook:

Generic Cloud Enrichment Playbook

Supported Blocks

Containment Plan - Quarantine File

Containment Plan - Clear User Sessions

Containment Plan - Disable Account

Containment Plan - Block Indicators

Indicator Blocking

Cloud Credentials Rotation - Generic

Integrations for Each Sub-Playbook

AWS Sub-Playbook:

GCP Sub-Playbook:

Azure Sub-Playbook:

Containment Plan - Isolate Device

Generic Cloud Enrichment Playbook

Supported Blocks

Playbooks

GenericPolling

Common Playbooks

Playbooks

Extract Indicators From File - Generic v2

Playbooks

Block URL - Generic v2

Playbooks

Detonate File - Generic

Playbooks

Get User Devices - Generic

Search And Block Software - Generic

User Investigation - Generic

Get User Devices by Email Address - Generic

Block Account - Generic v2

Command-Line Analysis

Get Cloud Account Owner - Generic

Account Enrichment - Generic v2.1

Get User Devices by Username - Generic

Playbooks

Command-Line Analysis

Playbooks

Block Indicators - Generic v3

Playbooks

Extract Indicators From File - Generic v2

Playbooks

Extract Indicators From File - Generic v2

Playbooks

SIEM - Search for Failed logins

Playbooks

Account Enrichment - Generic v2.1

Playbooks

Extract Indicators From File - Generic v2

Playbooks

Detonate URL - Generic

Detonate File - Generic

Playbooks

Search For Hash In Sandbox - Generic

Playbooks

Block IP - Generic v3

Block Account - Generic v2

Block URL - Generic v2

Common Playbooks

Playbooks

Search And Delete Emails - Generic v2

Common Playbooks

Playbooks

URL Enrichment - Generic v2

Playbooks

Cloud Response - Generic

Playbooks

Search For Hash In Sandbox - Generic

Extract Indicators From File - Generic v2

Playbooks

Extract Indicators From File - Generic v2

Playbooks

Cloud Response - Generic

Playbooks

Block Account - Generic v2