Filters CVEs by CVSS minimum and intersection with a tech-stack tag list.

Creates one XSOAR incident per item using a name_template and field_map (comma-separated 'field=path' pairs).

Filters items by ID against an XSOAR List (state) and optionally by domain match or allowlist. Updates the List with new IDs. Outputs NewAccounts.

For each NRD, calls DarkmonLevenshtein against the brands list and emits Typosquats with distance <= max_distance.

Computes the minimum Levenshtein edit distance between a domain's root label
and a list of brand names. Used by Darkmon - Brand-Targeted NRD Watch to
flag typosquatting candidates.

For each protected email, calls dmontip-get-boardemails three times (accounts, combo-lists, public-breaches), filters new entries, creates incidents.

Routes raw Darkmon indicator records to the matching indicator type based on the type field returned by the Darkmon API.

Routes raw Darkmon records to the matching Darkmon incident type based on the darkmon_kind field added by fetch_incidents() and by the DarkmonCreateIncidents script.

Maps raw Darkmon record JSON to XSOAR incident fields. Routed per Darkmon incident type by the Darkmon - Classifier.

Maps raw Darkmon indicator JSON to XSOAR indicator fields per indicator type.

The protected brand the domain typosquats.

Severity label (critical, high, medium, low).

First time this credential was observed compromised.

URL where the credential was used.

Stealer family that captured this credential.

Levenshtein distance between the domain and the brand.

The source where the leak was observed.

The board-protected email this leak references.

The Darkmon record ID for the leaked account.

Ransomware group claiming the attack.

Category of leak (account, combo-list, public-breach).

URL of the ransomware listing screenshot.

The Darkmon record ID for the underlying leak.

The newly-registered domain that resembles the brand.

Victim organisation name as reported by the threat actor.

The leaked password, replaced by '***' when redact_secrets is enabled.

Action that was performed (disabled, reset, revoked, none).

When the domain was first registered (per Darkmon NRD feed).

Most recent observation of this credential being compromised.

When the ransomware mention was first observed.

The corporate email of the compromised employee.

Resolved directory username (sAMAccountName / UPN / login).

Customer tech-stack tags that intersect this CVE.

The leaked username.

Darkmon's classification of the indicator (e.g. malicious, phishing, suspicious, clean).

Sources where this indicator appeared in compromise data (stealer logs, breaches, dark forums).

Most recent date Darkmon observed this indicator in compromise data.

Stealer family names linked to this indicator (e.g. RedLine, Vidar, Raccoon).

Earliest date Darkmon observed this indicator in compromise data.

Darkmon TIP indicator feed for Cortex XSOAR. Pulls IPs, URLs, domains, file hashes,
emails, and accounts from the Darkmon Threat Intel firehose into the XSOAR TIM
module. Pair with the Darkmon integration for incident fetching and automation
commands.

Stay ahead of cyber threats with Darkmon TIP - real-time threat intelligence from the Clear, Deep, and Dark Web tailored to your assets.
Pack also helps with integration with Cortex XSOAR and provides pre-made playbooks/templates to ease integration use.

Layout for Darkmon Compromised Credential incidents.

Layout for Darkmon Ransomware Mention incidents.

Layout for Darkmon VIP Email Leak incidents.

Layout for Darkmon Critical CVE incidents.

Layout for Darkmon Typosquatting Threat incidents.

Layout for Darkmon-enriched Domain indicators. Adds a Darkmon tab with classification and compromise context.

Layout for Darkmon-enriched Email indicators. Adds a Darkmon tab with classification and compromise context.

Layout for Darkmon-enriched URL indicators. Adds a Darkmon tab with classification and compromise context.

Layout for Darkmon-enriched Account indicators. Adds a Darkmon tab with compromise sources, first/last compromise, and stealer families.

Layout for Darkmon-enriched File indicators. Adds a Darkmon tab with classification and compromise context.

Layout for Darkmon Compromised Employee incidents.

Layout for Darkmon-enriched IP indicators. Adds a Darkmon tab with classification and compromise context.

One brand per line (e.g. acme, acmeproducts). The NRD Brand Watch flags any newly-registered domain whose Levenshtein distance to a brand is at most the configured threshold (default 2).

State store: CVE IDs already actioned.

Customer technology tags, one per line (e.g. nginx, openssl, apache). The Critical CVE Pipeline filters CVEs to those whose tags intersect this list.

State store: employee account IDs already actioned.

State store: ransomware mention IDs already actioned.

Single-value list with the configured notification target. One of: slack, teams, email, servicenow, jira. Read by the Generic Notify sub-playbook.

Single-value list - the Cisco Umbrella destination-list ID to append to. Required only when 'Darkmon - Block Provider' is set to 'umbrella'.

State store: account IDs already opened as incidents. The Compromised Credentials Sweep appends to this list and uses it to suppress duplicates.

State store: composite '<email>::<leak_type>::<leak_id>' entries already actioned.

Single-value list with the configured directory provider. One of: ad, okta, azuread. Read by the Generic User Action sub-playbook.

Comma-separated usernames or DNs that must NEVER be auto-disabled (e.g. ceo@acme.com, svc-monitor). Override for the Compromised Employee Auto-Disable playbook.

Comma-separated customer email/web domains (e.g. acme.com,acme.co.uk). The Compromised Credentials Sweep filters Darkmon results to usernames matching any of these domains.

Single-value list with the configured block target. One of: panos, fortinet, umbrella, cloudflare. Read by Darkmon - Generic Block Indicator.

State store: NRD IDs already evaluated.

Analyst-driven full Darkmon profile for a single email address. Runs board-protection check, all three boardemails categories, and global search. Outputs a unified summary into the incident War Room.

Polls Darkmon for compromised credentials, filters to the customer's email/web domains, dedupes via state list, and creates a 'Darkmon Compromised Credential' incident per new account. Triggered on a 4-hour Job.

Sub-playbook that calls the Darkmon !ip command and returns DBotScore + Common.IP for the input IP indicator. Designed to be invoked from a parent playbook; does not auto-run on indicator creation.

Provider-agnostic user-action dispatcher (disable, reset password, revoke sessions). Reads "Darkmon - Identity Provider" List for the configured directory (ad | okta | azuread) and routes to the matching command.

Sub-playbook that calls the Darkmon !url command and returns DBotScore + Common.URL for the input URL indicator. Designed to be invoked from a parent playbook; does not auto-run on indicator creation.

Sub-playbook that calls the Darkmon !domain command and returns DBotScore + Common.Domain for the input Domain indicator. Designed to be invoked from a parent playbook; does not auto-run on indicator creation.

Every 6 hours, polls ransomware mentions for the customer organisation. New entries open a critical 'Darkmon Ransomware Mention' incident and notify the CISO via Generic Notify.

Analyst-facing wrapper around Darkmon - Generic Block Indicator. Lets analysts paste an IOC into a War Room form and trigger a provider-routed block action.

Daily sweep of newly-registered domains. Each candidate's root label is compared against the brand list via DarkmonLevenshtein; matches with distance <= 2 (configurable) open a 'Darkmon Typosquatting Threat' incident.

Extracts URLs/IPs/file-hashes from a reported phishing email, enriches each via the Darkmon - Enrich * sub-playbooks, and if any indicator is scored Bad (DBotScore=3) calls Generic Block Indicator on it. Notifies the reporter and the SOC at the end.

Hourly poll of compromised employees. For each new entry, looks up the user
in the configured directory and acts per the DisableMode playbook input:

• notify-only : creates incident and notifies; no AD action. [DEFAULT]
• approval-required : creates incident, blocks on a manual approval task,
  then disables on approve.
• auto-disable : disables the account immediately, then notifies.
  Accounts in the 'Darkmon - Auto-Disable Allowlist' list are NEVER auto-disabled.

Sub-playbook that calls the Darkmon !file command and returns DBotScore + Common.File for the input File indicator. Designed to be invoked from a parent playbook; does not auto-run on indicator creation.

Hourly poll of board-protected emails. For each protected email, checks accounts/combo-lists/public-breaches and opens a 'Darkmon VIP Email Leak' incident per new entry.

Provider-agnostic indicator-block dispatcher. Reads the 'Darkmon - Block Provider' List for the configured block target (panos | fortinet | umbrella | cloudflare) and routes to the matching command. Falls back to logging the block intent in the War Room when no provider is configured.

Triggered when our company surfaces in a Darkmon ransomware mention. Verifies the match, opens a war-room channel via Generic Notify, pages the CISO, and prints next-step guidance for the customer's IR runbook.

Incident-type playbook for 'Darkmon Compromised Credential' (and similar). Identifies the user via the configured directory, suspends, forces a password reset, revokes active sessions, and notifies SOC + the user.

Designed to be invoked from CrowdStrike / SentinelOne / Defender alert playbooks. Takes the alert's IOCs, enriches each via Darkmon, and if any are scored Bad, escalates incident severity and notifies the SOC. Endpoint containment is left to the EDR-specific playbook.

Daily filter of new CVEs (CVSS >= 9) against the customer's tech-stack tags. Matches open a 'Darkmon Critical CVE' incident per match and ticket via Generic Notify.

Provider-agnostic notification dispatcher. Reads "Darkmon - Notification Provider" List for the configured target (slack | teams | email | servicenow | jira) and routes to the matching command.

Sub-playbook that calls the Darkmon !email command and returns DBotScore + Common.Account.Email for the input Email indicator. Designed to be invoked from a parent playbook; does not auto-run on indicator creation.

Stay ahead of cyber threats with Darkmon TIP - real-time threat intelligence from the Clear, Deep, and Dark Web tailored to your assets.
Pack also helps with integration with Cortex and provides pre-made playbooks/templates to ease integration use.

Darkmon TIP indicator feed for Cortex. Pulls IPs, URLs, domains, file hashes,
emails, and accounts from the Darkmon Threat Intel firehose into the XSOAR TIM
module. Pair with the Darkmon integration for incident fetching and automation
commands.

Single-value list - the Cisco Umbrella destination-list ID to append to. Required only when 'Darkmon - Block Provider' is set to 'umbrella'.

State store: ransomware mention IDs already actioned.

Single-value list with the configured block target. One of: panos, fortinet, umbrella, cloudflare. Read by Darkmon - Generic Block Indicator.

State store: account IDs already opened as incidents. The Compromised Credentials Sweep appends to this list and uses it to suppress duplicates.

State store: NRD IDs already evaluated.

State store: employee account IDs already actioned.

Customer technology tags, one per line (e.g. nginx, openssl, apache). The Critical CVE Pipeline filters CVEs to those whose tags intersect this list.

Comma-separated customer email/web domains (e.g. acme.com,acme.co.uk). The Compromised Credentials Sweep filters Darkmon results to usernames matching any of these domains.

Single-value list with the configured directory provider. One of: ad, okta, azuread. Read by the Generic User Action sub-playbook.

One brand per line (e.g. acme, acmeproducts). The NRD Brand Watch flags any newly-registered domain whose Levenshtein distance to a brand is at most the configured threshold (default 2).

State store: composite '<email>::<leak_type>::<leak_id>' entries already actioned.

State store: CVE IDs already actioned.

Single-value list with the configured notification target. One of: slack, teams, email, servicenow, jira. Read by the Generic Notify sub-playbook.

Comma-separated usernames or DNs that must NEVER be auto-disabled (e.g. ceo@acme.com, svc-monitor). Override for the Compromised Employee Auto-Disable playbook.