Infoblox Threat Defense with DDI

Details
Content
Dependencies
Version History

Utilize the Infoblox Threat Defense with DDI integration to manage SOC Insight incident response, indicator enrichment, and block cyber threats.

Note: Support for this Pack was moved to Partner starting August 25, 2025. In case of any issues arise, please contact the Partner directly at support@infoblox.com or https://support.infoblox.com/.

The Infoblox Threat Defense with DDI integration leverages DNS as a security control point to detect and block cyber threats. This integration enables threat intelligence sharing, automated SOC Insight incident response, automated indicator enrichment, and DNS-based security controls within your Cortex XSOAR environment.

DNS Security

Protects the network at the DNS level, which is often the very first point of contact for cyberattacks, ensuring that threats are intercepted and mitigated before they can progress deeper into the infrastructure.
Blocks and unblocks malicious domains and IP addresses by preventing access to harmful destinations while allowing administrators to manage and maintain control over legitimate network usage.

Threat Intelligence

Provides SOC teams with actionable SOC Insights with detailed information about indicators, events, assets, and analyst comments, to detect, investigate, and respond to threats more effectively.
Provides visibility into indicators of compromise (IoCs) and enriches them with context for faster investigation.

DDI

Tightly integrates security with DNS, DHCP, and IPAM, turning these core network services into enforcement points where malicious activity can be detected and blocked in real time.

Pack Use-cases

Retrieve comprehensive threat intelligence about domains, hosts, and IP addresses.
Detect and block malicious domains and IP addresses using the Threat Defense platform.
Identify lookalike domains that may indicate potential phishing attempts.
Manage custom security lists for blocking or allowing specific domains and IP addresses.
Automate threat response by integrating with existing security workflows.
Enrich indicators with DNS-based threat intelligence data for better security decisions.
Unblock previously blocked indicators when they are no longer considered malicious.

Support

For technical support or troubleshooting, please contact Infoblox Support at https://www.infoblox.com/support/
For documentation and resources, visit https://docs.infoblox.com/

Contact

For more information about Infoblox Threat Defense with DDI, visit https://info.infoblox.com/contact-form/

Note: Support for this Pack was moved to Partner starting August 25, 2025. In case of any issues arise, please contact the Partner directly at support@infoblox.com or https://support.infoblox.com/.

DNS Security

Protects the network at the DNS level, which is often the very first point of contact for cyberattacks, ensuring that threats are intercepted and mitigated before they can progress deeper into the infrastructure.
Blocks and unblocks malicious domains and IP addresses by preventing access to harmful destinations while allowing administrators to manage and maintain control over legitimate network usage.

Threat Intelligence

Provides SOC teams with actionable SOC Insights with detailed information about indicators, events, assets, and analyst comments, to detect, investigate, and respond to threats more effectively.
Provides visibility into indicators of compromise (IoCs) and enriches them with context for faster investigation.

DDI

Tightly integrates security with DNS, DHCP, and IPAM, turning these core network services into enforcement points where malicious activity can be detected and blocked in real time.

Pack Use-cases

Retrieve comprehensive threat intelligence about domains, hosts, and IP addresses.
Detect and block malicious domains and IP addresses using the Threat Defense platform.
Identify lookalike domains that may indicate potential phishing attempts.
Manage custom security lists for blocking or allowing specific domains and IP addresses.
Automate threat response by integrating with existing security workflows.
Enrich indicators with DNS-based threat intelligence data for better security decisions.
Unblock previously blocked indicators when they are no longer considered malicious.

Support

For technical support or troubleshooting, please contact Infoblox Support at https://www.infoblox.com/support/
For documentation and resources, visit https://docs.infoblox.com/

Contact

For more information about Infoblox Threat Defense with DDI, visit https://info.infoblox.com/contact-form/

Classifiers

Name	Description
Infoblox Cloud - Classifier	The Classifier for the Infoblox Threat Defense with DDI integration.
Infoblox Cloud - Incoming Mapper	Maps incoming Infoblox Cloud incident fields.

Incident Fields

Name	Description
Infoblox Cloud Threat Property	The Threat Property of the Infoblox DNS Security Event.
Infoblox Cloud RCODE	The RCode of the Infoblox DNS Security Event.
Infoblox Cloud Insight Changed Time	The changed time of the Infoblox Cloud SOC Insight.
Infoblox Cloud Application Category	The Application category of the Infoblox DNS Security Event.
Infoblox Cloud Feed Source	The feed source of the Infoblox Cloud SOC Insight.
Infoblox Cloud Event Not Blocked Count	The not blocked event count of the Infoblox Cloud SOC Insight.
Infoblox Cloud RDATA	The RData of the Infoblox DNS Security Event.
Infoblox Cloud Category	The category of the Infoblox DNS Security Event.
Infoblox Cloud Feed Type	The feed type of the Infoblox DNS Security Event.
Infoblox Cloud Endpoint Groups	The endpoint groups of the Infoblox DNS Security Event.
Infoblox Cloud Insight Spreading Time	The spreading time of the Infoblox Cloud SOC Insight.
Infoblox Cloud Insight ID	The SOC Insight ID of the Infoblox Cloud SOC Insights.
Infoblox Cloud Severity	The severity of the Infoblox DNS Security Event.
Infoblox Cloud DHCP Fingerprint	The DHCP Fingerprint of the Infoblox DNS Security Event.
Infoblox Cloud Insight Persistent Time	The persistent time of the Infoblox Cloud SOC Insight.
Infoblox Cloud User	The username of the Infoblox DNS Security Event.
Infoblox Cloud Network	The network of the Infoblox DNS Security Event.
Infoblox Cloud Feed Name	The feed name of the Infoblox DNS Security Event.
Infoblox Cloud DNS View	The DNS View of the Infoblox DNS Security Event.
Infoblox Cloud Threat Family	The threat family of the Infoblox Cloud SOC Insight and DNS Security Event.
Infoblox Cloud Threat Class	The threat class of the Infoblox Cloud SOC Insight and DNS Security Event.
Infoblox Cloud QIP	The QIP of the Infoblox DNS Security Event.
Infoblox Cloud Insight Priority	The priority of the Infoblox Cloud SOC Insight.
Infoblox Cloud QTYPE	The QType of the Infoblox DNS Security Event.
Infoblox Cloud Event Time	The Event Time of the Infoblox DNS Security Event.
Infoblox Cloud Threat Indicator	The Threat Indicator of the Infoblox DNS Security Event.
Infoblox Cloud User Groups	The user groups of the Infoblox DNS Security Event.
Infoblox Cloud Confidence	The confidence of the Infoblox DNS Security Event.
Infoblox Cloud Event Count	The event count of the Infoblox Cloud SOC Insight.
Infoblox Cloud QNAME	The QName of the Infoblox DNS Security Event.
Infoblox Cloud Insight Most Recent Time	The most recent time of the Infoblox Cloud SOC Insight.
Infoblox Cloud Insight Start Time	The start time of the Infoblox Cloud SOC Insight.
Infoblox Cloud RIP	The RIP of the Infoblox DNS Security Event.
Infoblox Cloud Threat Type	The threat type of the Infoblox Cloud SOC Insight.
Infoblox Cloud Insight Status	The status of the Infoblox Cloud SOC Insight.
Infoblox Cloud Application Name	The application name of the Infoblox DNS Security Event.
Infoblox Cloud Private IP	The private IP of the Infoblox DNS Security Event.

Incident Types

Name	Description
Infoblox Cloud SOC Insight
Infoblox Cloud DNS Security Event

Integrations

Name	Description
Infoblox Threat Defense with DDI (Partner Contribution)	Infoblox Threat Defense with DDI integration leverages DNS as the first line of defense to detect and block cyber threats, while also using threat intelligence to manage SOC Insight incident response and enrich indicators.

Layouts

Name	Description
Infoblox Cloud DNS Security Event	Layout for Infoblox Cloud DNS Security Event
Infoblox Cloud SOC Insight	Layout for Infoblox Cloud SOC Insight

Playbooks

Name	Description
Domain Enrichment - Infoblox Cloud	This playbook enriches domains or hosts with the dossier, TIDE and asset data using Infoblox Threat Defense with DDI integration.
MAC Enrichment - Infoblox Cloud	This playbook enriches MAC addresses with DHCP lease information using Infoblox Threat Defense with DDI integration.
Block Indicator - Infoblox Cloud	This playbook blocks the given IP or domain by adding it to the given block type custom list of the Infoblox Cloud platform. If prompted it also removes the provided indicators from given allow list.
Incident Response - Infoblox Cloud	This playbook is used to initiate the incident response. This playbook runs when an incident is selected for investigation. It will change the state from pending to active and it will list the available indicators, events, assets, and comments from Infoblox corresponding to the incident. If incident severity is found to be higher than or equivalent to medium, it will create a ServiceNow incident otherwise the given incident will be assigned to an analyst.
Indicator Enrichment - Infoblox Cloud	This playbook enriches IP addresses, MAC addresses, domains and URLs with the dossier, DHCP lease, TIDE and asset data using Infoblox Threat Defense with DDI integration.
Unblock Indicator - Infoblox Cloud	This playbook unblocks the given IP or domain by adding it to the given allow type custom list of the Infoblox Cloud platform.
IP Enrichment - Infoblox Cloud	This playbook enriches IP addresses with the dossier, TIDE and asset data using Infoblox Threat Defense with DDI integration.
URL Enrichment - Infoblox Cloud	This playbook enriches URL with the dossier and TIDE data using Infoblox Threat Defense with DDI integration.

Classifiers

Name	Description
Infoblox Cloud - Classifier	The Classifier for the Infoblox Threat Defense with DDI integration.
Infoblox Cloud - Incoming Mapper	Maps incoming Infoblox Cloud incident fields.

Incident Fields

Name	Description
Infoblox Cloud Threat Family	The threat family of the Infoblox Cloud SOC Insight and DNS Security Event.
Infoblox Cloud RIP	The RIP of the Infoblox DNS Security Event.
Infoblox Cloud Insight Status	The status of the Infoblox Cloud SOC Insight.
Infoblox Cloud Event Time	The Event Time of the Infoblox DNS Security Event.
Infoblox Cloud Insight Most Recent Time	The most recent time of the Infoblox Cloud SOC Insight.
Infoblox Cloud Event Count	The event count of the Infoblox Cloud SOC Insight.
Infoblox Cloud Insight ID	The SOC Insight ID of the Infoblox Cloud SOC Insights.
Infoblox Cloud Threat Indicator	The Threat Indicator of the Infoblox DNS Security Event.
Infoblox Cloud Feed Type	The feed type of the Infoblox DNS Security Event.
Infoblox Cloud Network	The network of the Infoblox DNS Security Event.
Infoblox Cloud DHCP Fingerprint	The DHCP Fingerprint of the Infoblox DNS Security Event.
Infoblox Cloud Feed Name	The feed name of the Infoblox DNS Security Event.
Infoblox Cloud Insight Changed Time	The changed time of the Infoblox Cloud SOC Insight.
Infoblox Cloud QTYPE	The QType of the Infoblox DNS Security Event.
Infoblox Cloud Insight Priority	The priority of the Infoblox Cloud SOC Insight.
Infoblox Cloud DNS View	The DNS View of the Infoblox DNS Security Event.
Infoblox Cloud Feed Source	The feed source of the Infoblox Cloud SOC Insight.
Infoblox Cloud Severity	The severity of the Infoblox DNS Security Event.
Infoblox Cloud QNAME	The QName of the Infoblox DNS Security Event.
Infoblox Cloud Insight Persistent Time	The persistent time of the Infoblox Cloud SOC Insight.
Infoblox Cloud Confidence	The confidence of the Infoblox DNS Security Event.
Infoblox Cloud Event Not Blocked Count	The not blocked event count of the Infoblox Cloud SOC Insight.
Infoblox Cloud RCODE	The RCode of the Infoblox DNS Security Event.
Infoblox Cloud Endpoint Groups	The endpoint groups of the Infoblox DNS Security Event.
Infoblox Cloud RDATA	The RData of the Infoblox DNS Security Event.
Infoblox Cloud QIP	The QIP of the Infoblox DNS Security Event.
Infoblox Cloud Private IP	The private IP of the Infoblox DNS Security Event.
Infoblox Cloud User Groups	The user groups of the Infoblox DNS Security Event.
Infoblox Cloud Application Name	The application name of the Infoblox DNS Security Event.
Infoblox Cloud Insight Spreading Time	The spreading time of the Infoblox Cloud SOC Insight.
Infoblox Cloud Category	The category of the Infoblox DNS Security Event.
Infoblox Cloud Threat Property	The Threat Property of the Infoblox DNS Security Event.
Infoblox Cloud Threat Class	The threat class of the Infoblox Cloud SOC Insight and DNS Security Event.
Infoblox Cloud User	The username of the Infoblox DNS Security Event.
Infoblox Cloud Insight Start Time	The start time of the Infoblox Cloud SOC Insight.
Infoblox Cloud Application Category	The Application category of the Infoblox DNS Security Event.
Infoblox Cloud Threat Type	The threat type of the Infoblox Cloud SOC Insight.

Incident Types

Name	Description
Infoblox Cloud DNS Security Event
Infoblox Cloud SOC Insight

Integrations

Name	Description
Infoblox Threat Defense with DDI (Partner Contribution)	Infoblox Threat Defense with DDI integration leverages DNS as the first line of defense to detect and block cyber threats, while also using threat intelligence to manage SOC Insight incident response and enrich indicators.
Infoblox BloxOne Threat Defense Event Collector	BloxOne Threat Defense is a hybrid cybersecurity solution that leverages DNS as the first line of defense to detect and block cyber threats.

Modeling Rules

Name	Description
Infoblox Blox One Threat Defense Modeling Rule

Playbooks

Name	Description
URL Enrichment - Infoblox Cloud	This playbook enriches URL with the dossier and TIDE data using Infoblox Threat Defense with DDI integration.
Indicator Enrichment - Infoblox Cloud	This playbook enriches IP addresses, MAC addresses, domains and URLs with the dossier, DHCP lease, TIDE and asset data using Infoblox Threat Defense with DDI integration.
Alert Response - Infoblox Cloud	This playbook is used to initiate the alert response. This playbook runs when an alert is selected for investigation. It will change the state from pending to active and it will list the available indicators, events, assets, and comments from Infoblox corresponding to the alert. If alert severity is found to be higher than or equivalent to medium, it will create a ServiceNow alert otherwise the given alert will be assigned to an analyst.
IP Enrichment - Infoblox Cloud	This playbook enriches IP addresses with the dossier, TIDE and asset data using Infoblox Threat Defense with DDI integration.
MAC Enrichment - Infoblox Cloud	This playbook enriches MAC addresses with DHCP lease information using Infoblox Threat Defense with DDI integration.
Domain Enrichment - Infoblox Cloud	This playbook enriches domains or hosts with the dossier, TIDE and asset data using Infoblox Threat Defense with DDI integration.
Unblock Indicator - Infoblox Cloud	This playbook unblocks the given IP or domain by adding it to the given allow type custom list of the Infoblox Cloud platform.
Block Indicator - Infoblox Cloud	This playbook blocks the given IP or domain by adding it to the given block type custom list of the Infoblox Cloud platform. If prompted it also removes the provided indicators from given allow list.

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
ServiceNow	By: Cortex XSOAR

All level dependencies (5)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

2.0.0 - 5733038 (November 4, 2025)

Integrations

Infoblox Threat Defense with DDI

Added support for Fetch incidents to fetch the Security Insights or DNS Security Events as XSOAR incidents.
Added support for infobloxcloud-soc-insight-list command that list SOC insights from Infoblox Cloud.
Added support for infobloxcloud-soc-insight-event-list command that list events for a specific SOC Insight.
Added support for infobloxcloud-soc-insight-indicator-list command that list indicators for a specific SOC Insight.
Added support for infobloxcloud-soc-insight-comment-list command that list comments for a specific SOC Insight.
Added support for infobloxcloud-soc-insight-asset-list command that list assets for a specific SOC Insight.
Added support for infobloxcloud-block-ip command to add specified IP addresses for the provided block list.
Added support for infobloxcloud-unblock-ip command to add specified IP addresses for the provided allow list.
Added support for infobloxcloud-block-domain command to add specified domains for the provided block list.
Added support for infobloxcloud-unblock-domain command to add specified domains for the provided allow list.
Added support for infobloxcloud-customlist-indicator-remove command to remove specified indicators from the provided custom list.
Added support for ip command that gets the comprehensive IP reputation and threat intelligence from Infoblox Threat Defense, including threat indicators, IPAM address information, and standard IP reputation data.
Added support for domain command that gets the comprehensive domain/host reputation and threat intelligence from Infoblox Threat Defense, including threat indicators, IPAM address information and standard domain reputation data.
Added support for url command that gets the comprehensive URL reputation and threat intelligence from Infoblox Threat Defense, including threat indicators, and standard URL reputation data.
Added support for infobloxcloud-mac-enrich command that enriches a MAC address with DHCP lease information.
Updated the Docker image to: demisto/python3:3.12.11.4819260.

Playbooks

New: Domain Enrichment - Infoblox Cloud

This playbook enriches domains or hosts with the dossier, TIDE and asset data using Infoblox Threat Defense with DDI integration.

New: Block Indicator - Infoblox Cloud

This playbook blocks the given IP or domain by adding it to the given block type custom list of the Infoblox Cloud platform. If prompted it also removes the provided indicators from given allow list.

New: Unblock Indicator - Infoblox Cloud

This playbook unblocks the given IP or domain by adding it to the given allow type custom list of the Infoblox Cloud platform.

New: Indicator Enrichment - Infoblox Cloud

This playbook enriches IP addresses, MAC addresses, domains and URLs with the dossier, DHCP lease, TIDE and asset data using Infoblox Threat Defense with DDI integration.

New: Incident Response - Infoblox Cloud

This playbook is used to initiate the incident response. This playbook runs when an incident is selected for investigation. It will change the state from pending to active and it will list the available indicators, events, assets, and comments from Infoblox corresponding to the incident. If incident severity is found to be higher than or equivalent to medium, it will create a ServiceNow incident otherwise the given incident will be assigned to an analyst.

New: MAC Enrichment - Infoblox Cloud

This playbook enriches MAC addresses with DHCP lease information using Infoblox Threat Defense with DDI integration.

New: URL Enrichment - Infoblox Cloud

This playbook enriches URL with the dossier and TIDE data using Infoblox Threat Defense with DDI integration.

New: IP Enrichment - Infoblox Cloud

This playbook enriches IP addresses with the dossier, TIDE and asset data using Infoblox Threat Defense with DDI integration.

Related pull requests:
- 41177
- 41773

Download

1.1.17 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

1.1.16 - R5469292 (October 20, 2025)

Infoblox BloxOne

Completed adoption process.

Integrations

Infoblox BloxOne Threat Defense

Updated the Docker image to: demisto/python3:3.12.11.4508456.

Related pull requests:
- 41046
- 41053

Download

1.1.15 - 4365478 (July 30, 2025)

Infoblox BloxOne

Started adoption process.

Related pull requests:
- 40744
- 40699

Download

1.1.14 - 4096037 (July 8, 2025)

Integrations

Infoblox BloxOne Threat Defense

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40498

Download

1.1.13 - R3474673 (May 20, 2025)

Integrations

Infoblox BloxOne Threat Defense

Metadata and documentation improvements.

Related pull requests:
- 39143

Download

1.1.12 - R2988527 (March 26, 2025)

Integrations

Infoblox BloxOne Threat Defense

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37407
- 37402
- 37403
- 37405
- 37406
- 37404

Download

2.0.0 - 5733038 (November 4, 2025)

Integrations

Infoblox Threat Defense with DDI

Added support for Fetch incidents to fetch the Security Insights or DNS Security Events as XSOAR incidents.
Added support for infobloxcloud-soc-insight-list command that list SOC insights from Infoblox Cloud.
Added support for infobloxcloud-soc-insight-event-list command that list events for a specific SOC Insight.
Added support for infobloxcloud-soc-insight-indicator-list command that list indicators for a specific SOC Insight.
Added support for infobloxcloud-soc-insight-comment-list command that list comments for a specific SOC Insight.
Added support for infobloxcloud-soc-insight-asset-list command that list assets for a specific SOC Insight.
Added support for infobloxcloud-block-ip command to add specified IP addresses for the provided block list.
Added support for infobloxcloud-unblock-ip command to add specified IP addresses for the provided allow list.
Added support for infobloxcloud-block-domain command to add specified domains for the provided block list.
Added support for infobloxcloud-unblock-domain command to add specified domains for the provided allow list.
Added support for infobloxcloud-customlist-indicator-remove command to remove specified indicators from the provided custom list.
Added support for ip command that gets the comprehensive IP reputation and threat intelligence from Infoblox Threat Defense, including threat indicators, IPAM address information, and standard IP reputation data.
Added support for domain command that gets the comprehensive domain/host reputation and threat intelligence from Infoblox Threat Defense, including threat indicators, IPAM address information and standard domain reputation data.
Added support for url command that gets the comprehensive URL reputation and threat intelligence from Infoblox Threat Defense, including threat indicators, and standard URL reputation data.
Added support for infobloxcloud-mac-enrich command that enriches a MAC address with DHCP lease information.
Updated the Docker image to: demisto/python3:3.12.11.4819260.

Playbooks

New: Domain Enrichment - Infoblox Cloud

This playbook enriches domains or hosts with the dossier, TIDE and asset data using Infoblox Threat Defense with DDI integration.

New: Block Indicator - Infoblox Cloud

This playbook blocks the given IP or domain by adding it to the given block type custom list of the Infoblox Cloud platform. If prompted it also removes the provided indicators from given allow list.

New: Unblock Indicator - Infoblox Cloud

This playbook unblocks the given IP or domain by adding it to the given allow type custom list of the Infoblox Cloud platform.

New: Indicator Enrichment - Infoblox Cloud

This playbook enriches IP addresses, MAC addresses, domains and URLs with the dossier, DHCP lease, TIDE and asset data using Infoblox Threat Defense with DDI integration.

New: Incident Response - Infoblox Cloud

New: MAC Enrichment - Infoblox Cloud

This playbook enriches MAC addresses with DHCP lease information using Infoblox Threat Defense with DDI integration.

New: URL Enrichment - Infoblox Cloud

This playbook enriches URL with the dossier and TIDE data using Infoblox Threat Defense with DDI integration.

New: IP Enrichment - Infoblox Cloud

This playbook enriches IP addresses with the dossier, TIDE and asset data using Infoblox Threat Defense with DDI integration.

Related pull requests:
- 41177
- 41773

Download

1.1.17 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

1.1.16 - R5469292 (October 20, 2025)

Infoblox BloxOne

Completed adoption process.

Integrations

Infoblox BloxOne Threat Defense

Updated the Docker image to: demisto/python3:3.12.11.4508456.

Related pull requests:
- 41046
- 41053

Download

1.1.15 - 4365478 (July 30, 2025)

Infoblox BloxOne

Started adoption process.

Related pull requests:
- 40744
- 40699

Download

1.1.14 - 4096037 (July 8, 2025)

Integrations

Infoblox BloxOne Threat Defense

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Infoblox BloxOne Threat Defense Event Collector

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40498

Download

1.1.13 - R3474673 (May 20, 2025)

Integrations

Infoblox BloxOne Threat Defense Event Collector

Metadata and documentation improvements.

Infoblox BloxOne Threat Defense

Metadata and documentation improvements.

Related pull requests:
- 39143

Download

1.1.12 - R2988527 (March 26, 2025)

Integrations

Infoblox BloxOne Threat Defense Event Collector

Updated the Docker image to: demisto/python3:3.11.10.115186.

Infoblox BloxOne Threat Defense

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37407
- 37402
- 37403
- 37405
- 37406
- 37404

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	March 1, 2023
Last Release	November 4, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.