Find reference documentation for Integrations, Automations, Playbooks and more.
Integrations#
| 1Touch.io's Inventa Connector | Use the Inventa integration to generate DSAR reports within Inventa instance and retrieve DSAR data for the XSOAR |
| Abnormal Security | Abnormal Security detects the whole spectrum of email attacks, from vendor email compromise and spear-phishing to unwanted email spam and graymail. To stop these advanced attacks, Abnormal leverages the industry’s most advanced behavioral data science to baseline known good behavior and detects anomalies. |
| Absolute | Absolute is an adaptive endpoint security solution that delivers device security, data security, and asset management of endpoints. |
| abuse.ch SSL Blacklist Feed | The SSL IP Blacklist contains all hosts [IP addresses] that SSLBL has seen in the past 30 days and identified as being associated with a malicious SSL certificate. |
| AbuseIPDB | Central repository to report and identify IP addresses that have been associated with malicious activity online. Check the Detailed Information section for more information on how to configure the integration. |
| Acalvio ShadowPlex | Acalvio ShadowPlex is a comprehensive Autonomous Deception Platform that offers Advanced Threat Detection, Investigation and Response capabilities. |
| Accenture CTI [Deprecated] | Deprecated. Use Accenture CTI v2 instead. |
| Accessdata | Use the Accessdata integration to protect against and provide additional visibility into phishing and other malicious email attacks. |
| ACTI Feed [Deprecated] | Deprecated. Use Accenture CTI Feed instead. |
| ACTI Indicator Feed | Fetches indicators from a ACTI feed. You can filter returned indicators by indicator type, indicator severity, threat type, confidence, and malware family [each of these are an integration parameter]. |
| ACTI Indicator Query | ACTI provides intelligence regarding security threats and vulnerabilities. |
| ACTI Vulnerability Query | ACTI provides intelligence regarding security threats and vulnerabilities. |
| Active Directory Authentication | Authenticate using Active Directory. |
| Active Directory Hygiene | This Integration runs commands on an Active Directory server |
| Active Directory Query v2 | The Active Directory Query integration enables you to access and manage Active Directory objects [users, contacts, and computers]. |
| ActiveMQ | Integration with ActiveMQ queue |
| Aella Star Light | Aella Star Light Integration |
| Agari Phishing Defense | Agari Phishing Defense stops phishing, BEC, and other identity deception attacks that trick employees into harming your business. |
| Akamai WAF | Use the Akamai WAF integration to manage common sets of lists used by various Akamai security products and features. |
| Akamai WAF SIEM | Use the Akamai WAF SIEM integration to retrieve security events from Akamai Web Application Firewall [WAF] service. |
| Alexa Rank Indicator | Alexa provides website ranking information that can be useful in determining if the domain in question has a strong web presence. |
| Alexa Rank Indicator v2 | Alexa provides website ranking information that can be useful when determining if a domain has a strong web presence. |
| Alibaba Action Trail Event Collector | Alibaba logs event collector integration for XSIAM. |
| AlienVault OTX TAXII Feed | This integration fetches indicators from AlienVault OTX using a TAXII client. |
| AlienVault OTX v2 | Query Indicators of Compromise in AlienVault OTX. |
| AlienVault Reputation Feed | Use the AlienVault Reputation feed integration to fetch indicators from the feed. |
| AlienVault USM Anywhere | Searches for and monitors alarms and events from AlienVault USM Anywhere. |
| AlphaSOC Network Behavior Analytics | Retrieve alerts from the AlphaSOC Analytics Engine |
| AlphaSOC Wisdom | DNS and IP threat intelligence via the AlphaSOC platform |
| AlphaVantage | This is an API to get stock prices etc |
| Amazon DynamoDB | Amazon DynamoDB Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. DynamoDB lets you offload the administrative burdens of operating and scaling a distributed database, so that you don't have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling. With DynamoDB, you can create database tables that can store and retrieve any amount of data, and serve any level of request traffic. You can scale up or scale down your tables' throughput capacity without downtime or performance degradation, and use the AWS Management Console to monitor resource utilization and performance metrics. DynamoDB automatically spreads the data and traffic for your tables over a sufficient number of servers to handle your throughput and storage requirements, while maintaining consistent and fast performance. All of your data is stored on solid state disks [SSDs] and automatically replicated across multiple Availability Zones in an AWS region, providing built-in high availability and data durability. |
| AMP | Uses CISCO AMP Endpoint |
| Analyst1 | This integration utilizes Analyst1's system to enrich Demisto indicators with data provided by the Analyst1 REST API, such as actor and malware information, activity and reported dates, evidence and hit counts, and more. |
| Anomali Match | Use Anomali Match to search indicators and enrich domains. |
| Anomali ThreatStream [Deprecated] | Deprecated. Use Anomali ThreatStream v3 instead. Use Anomali ThreatStream to query and submit threats |
| Anomali ThreatStream v2 | Use Anomali ThreatStream to query and submit threats. |
| Anomali ThreatStream v3 | Use Anomali ThreatStream to query and submit threats. |
| Ansible ACME | Control Automatic Certificate Management Environment on Linux hosts |
| Ansible Alibaba Cloud | Manage Alibaba Cloud Elastic Compute Instances |
| Ansible Azure | Manage Azure resources |
| Ansible Cisco IOS | Cisco IOS Platform management over SSH |
| Ansible Cisco NXOS | Cisco NX-OS Platform management over SSH |
| Ansible DNS | Manage DNS records using NSUpdate |
| Ansible HCloud | Manage your Hetzner Cloud environment |
| Ansible Kubernetes | Manage Kubernetes |
| Ansible Microsoft Windows | Agentless Windows host management over WinRM |
| Ansible OpenSSL | Control OpenSSL on a remote Linux hosts |
| Ansible Tower | Scale IT automation, manage complex deployments, and speed productivity. |
| Ansible VMware | Manage VMware vSphere Server, Guests, and ESXi Hosts |
| ANY.RUN | ANY.RUN is a cloud-based sanbox with interactive access. |
| APIVoid | APIVoid wraps up a number of services such as ipvoid & urlvoid |
| Arcanna.AI | Arcanna integration for using the power of AI in SOC |
| ArcSight ESM v2 | ArcSight ESM SIEM by Micro Focus [Formerly HPE Software]. |
| ArcSight Logger | ArcSight events logger |
| ArcusTeam | The ArcusTeam API allows the user to inspect connected devices' attack surface. By feeding device identifiers and the software it runs: DeviceTotal will return a map of the device’s attack surface. DeviceTotal was built from the ground up in order to provide complete visibility into connected devices and mitigate 3rd party risk. DeviceTotal can continuously identify & predict such that the connected device security posture is being assessed, prioritized and mitigated effectively. |
| Arduino | Connects to and controls an Arduino pin system using the network. |
| ARIA Packet Intelligence | The ARIA Cybesecurity Solutions Software-Defined Security [SDS] platform integrates with Cortex XSOAR to add robustness when responding to incidents. The combination of ARIA hardware, in the form of a Secure Intelligent Adapter [SIA], and software, specifically Packet Intelligence and SDS orchestrator [SDSo], provides the elements required to react instantly when an incident is detected. When integrated with the ARIA solution, you can create playbooks that instruct one or more SIAs to add, modify, or delete rules automatically. These rule changes, which take effect immediately, can block conversations, redirect packets to a recorder or VLAN, or perform a variety of other actions. |
| Arkime | Arkime [formerly Moloch] is a large scale, open source, indexed packet capture and search tool. |
| Armis | Use the Armis integration to search alerts and devices, tag and untag devices, and set alert statuses. |
| Armorblox | Armorblox is an API-based platform that stops targeted email attacks, protects sensitive data, and automates incident response. |
| Atlassian Confluence Cloud | Atlassian Confluence Cloud allows users to interact with confluence entities like content, space, users, and groups. Users can also manage the space permissions. |
| Atlassian Confluence Server | Atlassian Confluence Server API |
| Atlassian IAM | Integrate with Atlassian's services to execute CRUD operations for employee lifecycle processes. |
| Atlassian Jira v2 | Use the Jira integration to manage issues and create Cortex XSOAR incidents from Jira projects. From Cortex XSOAR version 6.0 and above, the integration also mirrors issues to existing issue incidents in Cortex XSOAR. |
| AttackIQ Platform | An attack simulation platform that provides validations for security controls, responses, and remediation exercises. |
| Attivo Botsink | Network-based Threat Deception for Post-Compromise Threat Detection. |
| AutoFocus Daily Feed [Deprecated] | Deprecated. No available replacement. |
| AutoFocus Feed | Use the AutoFocus Feeds integration to fetch indicators from AutoFocus. |
| AutoFocus Tags Feed | Use the AutoFocus Tags Feed integration to fetch indicators from AutoFocus Tags. |
| Automox | Administrate your IT organization from XSOAR with comprehensive commands for the Automox platform. |
| Awake Security | Network Traffic Analysis |
| AWS - AccessAnalyzer [beta] | Amazon Web Services IAM Access Analyzer |
| AWS - ACM | Amazon Web Services Certificate Manager Service [ACM] |
| AWS - CloudTrail | Amazon Web Services CloudTrail. |
| AWS - CloudWatchLogs | Amazon Web Services CloudWatch Logs [logs]. |
| AWS - EC2 | Amazon Web Services Elastic Compute Cloud [EC2] |
| AWS - GuardDuty | Amazon Web Services Guard Duty Service [gd] |
| AWS - GuardDuty Event Collector | Amazon Web Services Guard Duty Service [gd] event collector integration for Cortex XSIAM. |
| AWS - IAM [user lifecycle management] | Integrate with AWS's services to execute CRUD and Group operations for employee lifecycle processes. |
| AWS - Identity and Access Management | Amazon Web Services Identity and Access Management [IAM] |
| AWS - Lambda | Amazon Web Services Serverless Compute service [lambda] |
| AWS - Route53 | Amazon Web Services Managed Cloud DNS Service. |
| AWS - S3 | Amazon Web Services Simple Storage Service [S3] |
| AWS - Security Hub | Amazon Web Services Security Hub Service. |
| AWS - SNS | Amazon Web Services Simple Notification Service [SNS] |
| AWS - SQS | Amazon Web Services Simple Queuing Service [SQS] |
| AWS Feed | Use the AWS feed integration to fetch indicators from the feed. |
| AWS Network Firewall | AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud [Amazon VPC]. With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect. Network Firewall uses rules that are compatible with Suricata, a free, open source intrusion detection system [IDS] engine. |
| AWS Sagemaker | AWS Sagemaker - Demisto Phishing Email Classifier |
| AWS Simple Notification Service [AWS SNS] | Use AWS SNS to send notifications to XSOAR. |
| Axonius | This integration is for fetching information about assets in Axonius. |
| Azure Active Directory Applications | Use the Azure Active Directory Applications integration to manage authorized applications. |
| Azure Active Directory Groups | Microsoft Graph Groups enables you to create and manage different types of groups and group functionality according to your requirements. |
| Azure Active Directory Identity And Access | Use the Azure Active Directory Identity And Access integration to manage roles and members. |
| Azure Active Directory Identity Protection [Deprecated] | Deprecated. Use Microsoft Graph Identity and Access instead. |
| Azure Active Directory Users | Unified gateway to security insights - all from a unified Microsoft Graph User API. |
| Azure AD Connect Health Feed | Use the Microsoft Azure AD Connect Health Feed integration to get indicators from the feed. |
| Azure Compute v2 | Create and Manage Azure Virtual Machines |
| Azure Data Explorer | Use the Azure Data Explorer integration to collect and analyze data inside Azure Data Explorer clusters, and to manage search queries. |
| Azure Feed | Azure.CloudIPs Feed Integration. |
| Azure Firewall | Azure Firewall is a cloud-native and intelligent network firewall security service that provides breed threat protection for cloud workloads running in Azure. It's a fully stateful, firewall as a service, with built-in high availability and unrestricted cloud scalability. |
| Azure Key Vault | Use the Azure Key Vault integration to safeguard and manage cryptographic keys and secrets used by cloud applications and services. |
| Azure Kubernetes Services | Deploy and manage containerized applications with a fully managed Kubernetes service. |
| Azure Log Analytics | Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments. |
| Azure Network Security Groups | Azure network security groups are used to filter network traffic to and from Azure resources in an Azure virtual network. |
| Azure Risky Users | Azure Risky Users provides access to all at-risk users and risk detections in the Azure AD environment. |
| Azure Security Center v2 | Unified security management and advanced threat protection across hybrid cloud workloads. |
| Azure Sentinel | Use the Azure Sentinel integration to get and manage incidents and get related entity information for incidents. |
| Azure SQL Management [Beta] | Microsoft Azure SQL Management Integration manages the Auditing and Threat Policies for Azure SQL. |
| Azure Storage Container | Create and Manage Azure Storage Container services. |
| Azure Storage FileShare | Create and Manage Azure FileShare Files and Directories. |
| Azure Storage Management | Deploy and manage storage accounts and blob services. |
| Azure Storage Queue | Create and Manage Azure Storage Queues and Messages. |
| Azure Storage Table | Create and Manage Azure Storage Tables and Entities. |
| Azure Web Application Firewall | The Azure WAF [Web Application Firewall] integration provides centralized protection of your web applications from common exploits and vulnerabilities. It enables you to control policies that are configured in the Azure Firewall management platform, and allows you to add, delete, or update policies, and also to get details of a specific policy or a list of policies. |
| AzureDevOps | Manage Git repositories in Azure DevOps Services. Integration capabilities include retrieving, creating, and updating pull requests. Run pipelines and retrieve Git information. |
| Bambenek Consulting Feed | Use the Bambenek Consulting feed integration to fetch indicators from the feed. |
| Barracuda Reputation Block List [BRBL] | This integration enables reputation checks against IPs from Barracuda Reputation Block List [BRBL] |
| Bastille Networks | RF monitoring for wireless intrusion detection and policy enforcement. Visit //www.bastille.net for details. |
| BeyondTrust Password Safe | Unified password and session management for seamless accountability and control over privileged accounts. |
| BigFix | IBM BigFix Patch provides an automated, simplified patching process that is administered from a single console. |
| Binalyze AIR | Collect your forensics data under 10 minutes. |
| BitcoinAbuse Feed | BitcoinAbuse.com is a public database of bitcoin addresses used by hackers and criminals. |
| BitDam | BitDam secure email gateway protects from advanced content-borne threats with the most accurate prevention of known and unknown threats, at their source. |
| BitSight for Security Performance Management | Use the "BitSight for Security Performance Management" Integration to get company guid, details, and findings. This integration also allows to fetch the findings by using the fetch incidents capability. |
| Blocklist_de Feed | Use the Blocklist.de feed integration to fetch indicators from the feed. |
| Bluecat Address Manager | Use the BlueCat Address Manager integration to enrich IP addresses and manage response policies. |
| Blueliv ThreatCompass | Blueliv ThreatCompass systematically looks for information about companies,products, people, brands, logos, assets, technology and other information, depending on your needs. Blueliv ThreatCompass allows you to monitor and track all this information to keep your data, your organization and its employees safe |
| Blueliv ThreatContext | The Threat Context module provides SOC, Incident Response, and Threat Intelligence teams with continuously updated and intuitive information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures and CVEs. |
| BMC Discovery | BMC Discovery is a SaaS-based, cloud-native discovery and dependency modeling system that provides instant visibility into hardware, software, and service dependencies across multi-cloud, hybrid, and on-premises environments. |
| BMC Helix ITSM | BMC Helix ITSM integration enables customers to manage service request, incident, change request, task, problem investigation and known error tickets. |
| BMC Helix Remedyforce | BMC Helix Remedyforce integration enables customers to create/update service requests and incidents, update statuses, and resolve service requests and incidents with customer notes. This integration exposes standard ticketing capabilities that can be utilized as part of automation & orchestration. |
| BMC Remedy AR | BMC Remedy AR System is a professional development environment that leverages the recommendations of the IT Infrastructure Library [ITIL] and provides a foundation for Business Service Management [BSM] solutions. For incident management [i.e. create, fetch, update], please refer to Remedy On-Demand integration. |
| Bonusly | The Bonusly integration is used to interact with the Bonusly platform through the API. Bonusly is an employee recognition platform which enterprises use to for employee recognition. |
| Box [Deprecated] | Deprecated. Use the Box v2 integration instead. |
| Box Event Collector | Collect events from Box's logs. |
| Box v2 | Manage Box users. |
| BreachRx | Automate your privacy Incident Response workflow through the BreachRx platform. |
| BruteForceBlocker Feed | BruteForceBlocker is a Perl script that works with pf – firewall developed by the OpenBSD team, and is also available on FreeBSD from version 5.2. From BruteForceBlocker version 1.2 it is also possible to report blocked IP addresses to the project site and share your information with other users. |
| C2sec irisk | Understand Your Cyber Exposure as Easy as a Google Search |
| Cado Response | Automate data collection. Process data at cloud speed. Analyze with purpose. |
| Camlytics | You can use this integration to automate different Camlytics surveillance analysis actions. |
| Carbon Black Endpoint Standard v2 | Endpoint Standard is an industry-leading next-generation antivirus [NGAV] and behavioral endpoint detection and response [EDR] solution. Endpoint Standard is delivered through the Carbon Black Cloud, an endpoint protection platform that consolidates security in the cloud using a single agent, console and data set. |
| Carbon Black Live Response Cloud | VMware Carbon Black Endpoint Standard Live Response is a feature that enables security operators to collect information and take action on remote endpoints in real time. These actions include the ability to upload, download, and remove files, retrieve and remove registry entries, dump contents of physical memory, and execute and terminate processes. |
| Censys v2 | Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the internet. Driven by internet-wide scanning, Censys lets researchers find specific hosts and create aggregate reports on how devices, and certificates are configured and deployed. |
| Centreon | IT & Network Monitoring |
| Centrify Vault | Leverage the Centrify Vault integration to create and manage Secrets. |
| Check Point Dome9 [CloudGuard] | Dome9 integration allows to easily manage the security and compliance of the public cloud. |
| Check Point Firewall [Deprecated] | Deprecated. Use the Check Point Firewall v2 integration instead. Manage Check Point firewall via API |
| Check Point Threat Emulation [SandBlast] | Uploads files using polling. The service supports Microsoft Office files, as well as PDF, SWF, archives, and executables. Active content will be cleaned from any documents that you upload [Microsoft Office and PDF files only]. Queries on existing IOCs, file status, analysis, and reports. Downloads files from the database. Supports both appliance and cloud. Supported Threat Emulation versions are any R80x. |
| CheckPhish | Check any URL to detect supsicious behavior. |
| CheckPoint Firewall v2 | Use this integration to read information and send commands to the Check Point Firewall server. |
| Cherwell | Cloud-based IT service management solution |
| Chronicle | Use the Chronicle integration to retrieve Asset alerts or IOC Domain matches as Incidents. Use it to fetch a list of infected assets based on the indicator accessed. This integration also provides reputation and threat enrichment of indicators observed in the enterprise. |
| CimTrak - System Integrity Assurance | The CimTrak integration helps you detect unexpected system/device/config modifications and automatically respond/react to threats |
| CIRCL | CIRCL Passive DNS is a database storing historical DNS records from various resources. CIRCL Passive SSL is a database storing historical X.509 certificates seen per IP address. The Passive SSL historical data is indexed per IP address. |
| CircleCI | Gets the details of the CircleCI workflows; including the details of the last runs and the jobs, and retrieves the artifacts of the jobs. |
| CIRCLEHashlookup | CIRCL hash lookup is a public API to lookup hash values against known database of files. NSRL RDS database is included and many others are also included. The API is accessible via HTTP ReST API and the API is also described as an OpenAPI. The service is free and served as a best-effort basis. |
| Cisco ASA | Use the Cisco Adaptive Security Appliance Software integration to manage interfaces, rules, and network objects. |
| Cisco Email Security Appliance [IronPort] | Cisco Email Security protects against ransomware, business email compromise, spoofing, and phishing |
| Cisco Firepower | Use the Cisco Firepower integration for unified management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection. |
| Cisco ISE | Next-generation secure network access. |
| Cisco Meraki | Cloud controlled WiFi, routing, and security. |
| Cisco Secure Cloud Analytics [Stealthwatch Cloud] | Protect your cloud assets and private network |
| Cisco Secure Malware Analytics Feed | Secure Malware Analytics [formerly Threat Grid] combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware. |
| Cisco Secure Network Analytics [Stealthwatch] | Scalable visibility and security analytics. |
| Cisco Threat Grid | Query and upload samples to Cisco threat grid. |
| Cisco Umbrella Cloud Security | Adds domains to Umbrella block list |
| Cisco Umbrella Enforcement | Add and remove domains in Cisco OpenDNS. |
| Cisco Umbrella Investigate | Cisco Umbrella Investigate |
| CiscoEmailSecurity [Beta] | Cisco Email Security is an email security gateway . It detects and blocks a wide variety of email-borne threats, such as malware, spam and phishing. |
| CiscoWSA | Cisco WSA |
| Clarizen IAM | IAM integration for Clarizen. Handles user account auto-provisioning to Clarizen. |
| Claroty | Use the Claroty CTD integration to manage assets and alerts. |
| Cloaken | Unshorten URLs onsite using the power of a Tor proxy server to prevent leaking IP addresses to adversaries. |
| CloudConvert | Use the CloudConvert integration to convert your files to the desired format. |
| Cloudflare Feed | Use the Cloudflare feed integration to fetch indicators from the feed. |
| Cloudflare WAF | Cloudflare WAF integration allows customers to manage firewall rules, filters, and IP-lists. It also allows to retrieve zones list for each account. |
| CloudShare [Beta] | Cloudshare integration. |
| CloudShark | Use the CloudShark integration to upload, share, and collaborate on network packet capture files using your on-premises CS Enterprise system. |
| Code42 | Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments. |
| Cofense Feed | Use the Cofense Feed Integration to fetch indicators from the feed. |
| Cofense Intelligence [Deprecated] | Deprecated. Use Cofense Intelligence v2 instead. Use the Cofense Intelligence integration to check the reputation of URLs, IP addresses, file hashes, and email addresses. |
| Cofense Intelligence v2 | Use the Cofense Intelligence integration to check the reputation of domains, URLs, IP addresses, file hashes, and email addresses. |
| Cofense Triage [Deprecated] | Deprecated. Use the Cofense Triage v2 integration instead. |
| Cofense Triage v2 | Use the Cofense Triage integration to ingest reported phishing indicators. |
| Cofense Triage v3 | The integration uses the Cofense Triage v2 API that allows users to ingest phishing reports as incident alerts and execute commands such as threat indicators, reporters, categorize reports, and more. |
| Cognni | Autonomous detection and investigation of information security incidents and other potential threats. |
| CohesityHelios | Integrate with Cohesity Helios services to fetch alerts and take remedial action. |
| Confluera | This is the confluera Iq-Hub integration with cortex. |
| Coralogix | Fetch incidents, search for supporting data and tag interesting datapoints in/from your Coralogix account |
| Core Lock | Locking mechanism that prevents concurrent execution of different tasks |
| Core REST API | Use Core REST APIs |
| Cortex Data Lake | Palo Alto Networks Cortex Data Lake provides cloud-based, centralized log storage and aggregation for your organization on premise, virtual [private cloud and public cloud] firewalls, for Prisma Access, and for cloud-delivered services such as Cortex XDR. |
| Cortex XDR - IOC | Use the Cortex XDR - IOCs feed integration to sync indicators from Cortex XSOAR to Cortex XDR and back to Cortex XSOAR. Cortex XDR is the world's first detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks. |
| Cortex XDR - XQL Query Engine | Cortex XDR - XQL Query Engine enables you to run XQL queries on your data sources. |
| Cortex Xpanse | The Xpanse integration for Cortex XSOAR leverages the Expander API to create incidents from Xpanse issues. It also leverages Xpanse's unparalleled view of the Internet to enrich IPs, domains and certificates using information from assets discovered by Xpanse Expander and risky flows detected by Xpanse Behavior. |
| CounterCraft Deception Director | CounterCraft Deception Solution detects advanced adversaries. Automate counterintelligence campaigns to discover targeted attacks with real-time active response. |
| CounterTack | CounterTack empowers endpoint security teams to assure endpoint protection for Identifying Cyber Threats. Integrating a predictive endpoint protection platform |
| Covalence For Security Providers | Triggers by any alert from endpoint, cloud, and network security monitoring, with mitigation steps where applicable. Query Covalence for more detail. |
| Covalence Managed Security | Triggers by triaged alerts from endpoint, cloud, and network security monitoring. Contains event details and easy-to-follow mitigation steps. |
| Create Test Incidents | CreateIncidents fetches custom incidents that are created manually. |
| CrowdStrike Falcon | The CrowdStrike Falcon OAuth 2 API [formerly the Falcon Firehose API], enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment. |
| CrowdStrike Falcon Intel [Deprecated] | Deprecated. Use CrowdStrike Falcon Intel v2 integration instead. |
| CrowdStrike Falcon Intel Feed Actors | The CrowdStrike intelligence team tracks the activities of threat actor groups and advanced persistent threats [APTs] to understand as much as possible about their known aliases, targets, methods, and more. This integration retrieves indicators from the CrowdStrike Falcon Intel Feed. |
| CrowdStrike Falcon Intel v2 | CrowdStrike Threat intelligence service integration helps organizations defend themselves against adversary activity by investigating incidents, and accelerating alert triage and response. |
| CrowdStrike Falcon Sandbox [Deprecated] | Deprecated. Use CrowdStrike Falcon Sandbox V2 instead. |
| CrowdStrike Falcon Sandbox v2 [Hybrid-Analysis] | Fully automated malware analysis using Hybrid Analysis API. |
| CrowdStrike Falcon Streaming v2 | Use the CrowdStrike Falcon Stream v2 integration to stream detections and audit security events. |
| CrowdStrike Falcon X | Use the CrowdStrike Falcon X integration to submit files, file hashes, URLs, and FTPs for sandbox analysis, and to retrieve reports. |
| CrowdStrike Indicator Feed | Retrieves indicators from the CrowdStrike Falcon Intel Feed. |
| CrowdStrike Malquery | Use the MalQuery Integration to query the contents of clean and malicious binary files, which forms part of Falcon's search engine. |
| CrowdStrike OpenAPI [Beta] | Use the CrowdStrike OpenAPI integration to interact with CrowdStrike APIs that do not have dedicated integrations in Cortex XSOAR, for example, CrowdStrike FalconX, etc. |
| Cryptocurrency | Cryptocurrency will help classify Cryptocurrency indicators with the configured score when ingested. |
| Cryptosim | CRYPTOSIM gets correlations and correlation's alerts. Integration fetchs alerts to incident according to instance. |
| CSV Feed | Fetch indicators from a CSV feed. |
| CTIX v3 | This is Cyware Threat Intelligence eXhange[CTIX] integration which enriches IP/Domain/URL/File Data. |
| Cuckoo Sandbox | Malware dynamic analysis sandboxing |
| CustomIndicatorDemo | This is a demo integration that demonstrates the usage of the CustomIndicator helper class. |
| CVE Search v2 | Searches for CVE information using circl.lu. |
| Cyber Triage | Allows you to conduct a mini-forensic investigation on an endpoint. It pushes a collection tool to the remote endpoint, collects volatile and file system data, and analyzes the data. |
| CyberArk AIM [Deprecated] | Deprecated. Use the CyberArk AIM v2 integration instead. |
| CyberArk AIM v2 | The CyberArk Application Identity Manager [AIM] provides a secure safe in which to store your account credentials. Use this integration to retrieve the account credentials in CyberArk AIM. |
| CyberArk Identity Event Collector | This integration collects events from the Idaptive Next-Gen Access [INGA] using REST APIs. |
| CyberArk PAS | Use the CyberArk Privileged Access Security [PAS] solution to manage users, safes, vaults, and accounts from Cortex XSOAR. |
| CyberChef | CyberChef is a web-application developed by GCHQ that's been called the “Cyber Swiss Army Knife”. |
| Cybereason | Endpoint detection and response to manage and query malops, connections and processes. |
| Cyberint | Cyberint provides intelligence-driven digital risk protection. This integration will help your enterprise effectively consume actionable cyber alerts to increase your security posture. |
| Cyberpion | The Cyberpion integration allows you to seamlessly receive all your Cyberpion security solution Action Items and supportive information to your Cortex XSOAR. |
| Cybersixgill Actionable Alerts | Cybersixgill automatically collects intelligence in real-time on all items that appear in the underground sources which we monitor. By using various rules and machine learning models, Cybersixgill automatically correlates these intelligence items with pre defined organization assets, and automatically alerts users in real time of any relevant intelligence items. |
| Cybersixgill DVE Enrichment | By enriching CVEs with the DVE Score, Cortex XSOAR customers gain deeper visibility with relevant threat intel from the deep and dark web with dynamic attributes such as where they are trending, POC exploit details, and more. Loaded with extra-context, this allows users to accurately understand the real impact of CVEs to effectively prioritize critical vulnerabilities. |
| Cybersixgill DVE Feed Threat Intelligence [Deprecated] | Leverage the power of Sixgill to supercharge Cortex XSOAR with real-time Threat Intelligence indicators. Get CVE Feed straight into the XSOAR platform. |
| Cybersixgill DVE Feed Threat Intelligence v2 | The Cybersixgill Dynamic Vulnerability Exploit [DVE] Score is based on the most comprehensive collection of vulnerability-related threat intelligence and is the only solution that provides users total context and predicts the immediate risks of a vulnerability based on threat actors’ intent. Cortex XSOAR users can track threats stemming from CVEs that most others define as irrelevant and have a higher probability of being exploited via their Cortex XSOAR dashboard. |
| CyberTotal | CyberTotal is a cloud-based threat intelligence service developed by CyCraft. |
| Cyble Events | Cyble Events for Vision Users. Must have Vision API access to use the threat intelligence. |
| Cyble Threat Intel | Cyble Threat Intelligence for Vision Users. Must have access to Cyble TAXII Feed to access the threat intelligence. |
| Cyjax Feed | The feed allows customers to pull indicators of compromise from cyber incidents [IP addresses, URLs, domains, CVE and file hashes] |
| Cylance Protect v2 | Manage Endpoints using Cylance protect |
| Cymptom | Cymptom is a Breach and Attack Simulation solution that revolutionizes the existing approach by transforming attack simulation into a data analysis question. Cymptom agentless scanning brings real-time always-on visibility into the entire security posture. |
| Cymulate | Multi-Vector Cyber Attack, Breach and Attack Simulation |
| Cymulate v2 | Multi-Vector Cyber Attack, Breach and Attack Simulation. |
| Cyren Inbox Security | Cyren Inbox Security is an innovative solution that safeguards Office 365 mailboxes in your organization against evasive phishing, business email compromise [BEC], and fraud. This integration imports incidents from Cyren Inbox Security into XSOAR, and includes a playbook for incident resolution. |
| Cyren Threat InDepth Threat Intelligence Feed | Threat InDepth's actionable and contextualized intelligence helps enterprises improve their threat detection and response by providing unprecedented visibility into new email-borne security threats faster than other security vendors. |
| Cyware Threat Intelligence eXchange | This is Cyware Threat Intelligence eXhange[CTIX] integration which enriches IP/Domain/URL/File Data. |
| Darktrace | Rapid detection of malicious behavior can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate and manage security events before they have time to escalate. |
| DB2 | Integration to provide connectivity to IBM DB2 using the python ibm_db2 library. |
| Deep Instinct | The Deep Learning cybersecurity platform, for zero time prevention. |
| DeepInstinct v3 | Deep Instinct is a prevention-first approach to stopping ransomware and other malware using the world's first purpose-built, deep learning cybersecurity framework. |
| DeepL | This integration uses DeepL [//www.deepl.com/] to translate text or files |
| DeHashed | This integration allows you to check if your personal information such as your email, username, or password is being compromised. |
| Dell Secureworks | Provides access to the Secureworks CTP ticketing system |
| Demisto Lock | Locking mechanism that prevents concurrent execution of different tasks |
| Demisto REST API | Use Demisto REST APIs |
| Devo [Deprecated] | Deprecated. Use the Devo v2 integration instead. |
| Devo v2 | Use the Devo v2 integration to query Devo for alerts, lookup tables, and to write to lookup tables. |
| DHS Feed | The Cybersecurity and Infrastructure Security Agency’s [CISA’s] free Automated Indicator Sharing [AIS] capability enables the exchange of cyber threat indicators, at machine speed, to the Federal Government community. |
| Digital Defense FrontlineVM | Use the Digital Defense FrontlineVM to identify and evaluate the security and business risks of network devices and applications deployed as premise, cloud, or hybrid network-based implementations. |
| Digital Guardian | Use Digital Guardian Integration to fetch incidents and to programmatically add or remove entries from watchlists and component lists. |
| Digital Shadows | Digital Shadows monitors and manages an organization's digital risk across the widest range of data sources within the open, deep, and dark web. |
| DNSOverHttps | Query dns names over https from Cloudflare or Google |
| dnstwist | Use the DNSTwist integration to detect typosquatting, phishing, and corporate espionage. |
| Docker Engine API | The Engine API is an HTTP API served by Docker Engine. It is the API the Docker client uses to communicate with the Engine, so everything the Docker client can do can be done with the API. |
| DomainTools | Domain name, DNS and Internet OSINT-based cyber threat intelligence and cybercrime forensics products and data |
| DomainTools Iris | A threat intelligence and investigation platform for domain names, IP addresses, email addresses, name servers and so on. |
| Dragos Worldview | Custom integration designed to pull in reports from the Dragos Worldview API as incidents |
| Drift | Drift integration to fetch, modify, create and delete contacts within the Drift Plattform's Contact API. |
| Dropbox Event Collector | Collect events from Dropbox's logs. |
| Druva Ransomware Response | Druva Ransomware Response Integration provides ransomware protection for endpoints, SaaS applications and data center workloads for Druva Ransomware Recovery customers. |
| DShield Feed | This integration fetches a list that summarizes the top 20 attacking class C [/24] subnets over the last three days from Dshield. |
| Duo | DUO authentication service. |
| DUO Admin | DUO for admins. Must have access to the admin api in order to use this. |
| Duo Event Collector | Collects Auth and Audit events for Duo using the API. |
| EasyVista | EasyVista Service Manager manages the entire process of designing, managing and delivering IT services. |
| EclecticIQ Platform | Threat Intelligence Platform that connects and interprets intelligence data from open sources, commercial suppliers and industry partnerships. |
| Edgescan | Cloud-based continuous vulnerability management and penetration testing solution. |
| Elasticsearch Feed | Fetches indicators stored in an Elasticsearch database. |
| Elasticsearch v2 | Search for and analyze data in real time. Supports version 6 and later. |
| EmailRep.io | Provides email address reputation and reports. |
| Endace | The EndaceProbe Analytics Platform provides 100% accurate, continuous packet capture on network links up to 100Gbps, with unparalleled depth of storage and retrieval performance. Coupled with the Endace InvestigationManager, this provides a central search and data-mining capability across a fabric of EndaceProbes deployed in a network. This integration uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager and enables integration of full historical packet capture into security automation workflows. |
| Envoy IAM | Integrate with Envoy Identity Access Management services to execute CRUD operations to employee lifecycle processes. |
| EWS Extension Online Powershell v2 | Use the EWS Extension Online Powershell v2 integration to get information about mailboxes and users in your organization. This integration can also retrieve and modify Tenant Allow/Block Lists. |
| EWS Mail Sender | Exchange Web Services mail sender. Note: this integration supports Office 365 basic authentication only. If you are using Office 365, we recommend using the EWS O365 Integration instead, which supports modern authentication [oauth2]. |
| EWS O365 | The new EWS O365 integration uses OAuth 2.0 protocol and can be used with Exchange Online and Office 365 [mail]. |
| EWS v2 | Exchange Web Services and Office 365 [mail] |
| Exabeam | The Exabeam Security Management Platform provides end-to-end detection, User Event Behavioral Analytics, and SOAR. |
| ExceedLMS IAM | Integrate with Exceed LMS Identity Access Management services to execute CRUD operations to employee lifecycle processes. |
| Exchange 2016 Compliance Search | Exchange Server 2016 Compliance Search enables you to search for and delete an email message from all mailboxes in your organization. |
| Expanse [Deprecated] | Deprecated. Use the Expanse v2 integration instead. The Expanse App for Demisto leverages the Expander API to retrieve network exposures and risky flows to create incidents in Demisto. This application also allows for IP, Domain, Certificate, Behavior, and Exposure enrichment, retrieving assets and exposures information drawn from Expanse’s unparalleled view of the Internet. |
| Expanse Expander Feed | Use this feed to retrieve the discovered IPs/Domains/Certificates from Expanse Expander asset database. |
| Export Indicators Service [Deprecated] | Deprecated. Use the Generic Export Indicators Service integration instead. Use the Export Indicators Service integration to provide an endpoint with a list of indicators as a service for the system indicators. |
| Exterro FTK | Use the Exterro FTK integration to protect against and provide additional visibility into phishing and other malicious email attacks. |
| ExtraHop Reveal[x] v2 | Network detection and response. Complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response. |
| F5 Application Security Manager [WAF] | Manages F5 firewall |
| F5 firewall | Manages F5 firewall rules |
| F5 LTM | Manages F5 LTM |
| F5 Silverline | F5 Silverline Threat Intelligence is a cloud-based service incorporating external IP reputation and reducing threat-based communications. By identifying IP addresses and security categories associated with malicious activity, this managed service integrates dynamic lists of threatening IP addresses with the Silverline cloud-based platform, adding context-based security to policy decisions. |
| FalconHost [Deprecated] | Deprecated. Use the CrowdStrike Falcon integration instead. |
| Farsight DNSDB | Query Farsight DNSDB service |
| Farsight DNSDB v2 | Farsight Security DNSDB DNSDB is a Passive DNS [pDNS] historical database that provides a unique, fact-based, multifaceted view of the configuration of the global Internet infrastructure DNSDB leverages the richness of Farsight’s Security Information Exchange [SIE] data-sharing platform and is engineered and operated by leading DNS experts. |
| Fastly Feed | Use Fastly Feed to get assigned CIDRs and add them to your firewall's allowlist in order to enable using Fastly's services. |
| Feodo Tracker IP Blocklist Feed | Gets a list of bad IPs from Feodo Tracker. |
| Fidelis EDR | Use the Fidelis Endpoint integration for advanced endpoint detection and response [EDR] across Windows, Mac and Linux OSes for faster threat remediation. |
| Fidelis Elevate Network | Automate Detection and Response to Network Threats and data leakage in your organization with Fidelis Elevate Network Integration. |
| FileOrbis | Manage FileOrbis operations. |
| FireEye [AX Series] | Perform malware dynamic analysis |
| FireEye Central Management | FireEye Central Management [CM Series] is the FireEye threat intelligence hub. It services the FireEye ecosystem, ensuring that FireEye products share the latest intelligence and correlate across attack vectors to detect and prevent cyber attacks |
| FireEye Detection on Demand | FireEye Detection On Demand is a threat detection service delivered as an API for integration into the SOC workflow, SIEM analytics, data repositories, or web applications, etc. It delivers flexible file and content analysis to identify malicious behavior wherever the enterprise needs it. |
| FireEye Email Security | FireEye Email Security [EX] series protects against breaches caused by advanced email attacks. |
| FireEye Endpoint Security [HX] v2 | FireEye Endpoint Security is an integrated solution that detects and protects endpoints against known and unknown threats. This integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. You can extract critical data and effectively operate the security operations automated playbook. |
| FireEye ETP | FireEye Email Threat Prevention [ETP Cloud] is a cloud-based platform that protects against advanced email attacks. |
| FireEye Feed | FireEye Intelligence Feed Integration. |
| FireEye Helix | FireEye Helix is a security operations platform. FireEye Helix integrates security tools and augments them with next-generation SIEM, orchestration and threat intelligence tools such as alert management, search, analysis, investigations and reporting. |
| FireEye HX [Deprecated] | Deprecated. Use FireEyeHX v2 instead. |
| FireEye NX | FireEye Network Security is an effective cyber threat protection solution that helps organizations minimize the risk of costly breaches by accurately detecting and immediately stopping advanced, targeted, and other evasive attacks hiding in internet traffic. |
| Flashpoint | Use the Flashpoint integration to reduce business risk. Flashpoint allows users to ingest alerts and compromised credentials as incident alerts and executes commands such as search intelligence report, ip, url, get events, and more. |
| Flashpoint Feed | Flashpoint Feed Integration allows importing indicators of compromise that occur in the context of an event on the Flashpoint platform which contains finished intelligence reports data, data from illicit forums, marketplaces, chat services, blogs, paste sites, technical data, card shops, and vulnerabilities. The indicators of compromise are ingested as indicators on the Cortex XSOAR and displayed in the War Room using a command. |
| Forcepoint | Advanced threat protection with added local management controls. |
| Forescout CounterACT | Unified device visibility and control platform for IT and OT Security. |
| Forescout EyeInspect | Delivers flexible and scalable OT/ICS asset visibility. |
| FortiAuthenticator | This integration allows you to manage the user configuration on FortiAuthenticator. |
| FortiGate | Manage FortiGate Firewall |
| FortiManager | FortiManager is a single console central management system that manages Fortinet devices. |
| FortiSandbox | FortiSandbox integration is used to submit files to FortiSandbox for malware analysis and retrieving the report of the analysis. It can also provide file rating based on hashes for already scanned files. |
| FortiSIEM | Search and update events of FortiSIEM and manage resource lists. |
| FortiSIEM v2 | Use FortiSIEM v2 to fetch and update incidents, search events and manage watchlists of FortiSIEM. |
| FraudWatch | Manage incidents via the Fraudwatch API. FraudWatch International provides a fully managed Enterprise Digital Brand Protection Suite, including online brand management & monitoring, as well as providing other brand protection solutions that protect organizations and their customers around the world against online brand-related abuse. |
| Freshdesk | The Freshdesk integration allows you to create, update, and delete tickets; reply to and create notes for tickets as well as view Groups, Agents and Contacts. |
| G Suite Admin | G Suite or Google Workspace Admin is an integration to perform an action on IT infrastructure, create users, update settings, and more administrative tasks. |
| G Suite Auditor | G Suite Auditor is an integration that receives Audit logs from G Suite's different applications - admin, drive, calender, and more. |
| G Suite Security Alert Center | G Suite Security Alert Center allows users to fetch different alert types such as Suspicious login, Device compromised, Leaked password, and more. Users can delete or recover a single alert or a batch of alerts and retrieve the alert's metadata. This integration allows users to provide feedback for alerts and fetch existing feedback for a particular alert. |
| Gamma | Query and update violations in Gamma |
| GCP Whitelist Feed [Deprecated] | Deprecated. Use the Google IP Ranges Feed integration instead. |
| GCP-IAM | Manage identity and access control for Google Cloud Platform resources. |
| Generic Export Indicators Service | Use the Generic Export Indicators Service integration to provide an endpoint with a list of indicators as a service for the system indicators. |
| Generic SQL | Use the Generic SQL integration to run SQL queries on the following databases: MySQL, PostgreSQL, Microsoft SQL Server, and Oracle. |
| Generic Webhook | The Generic Webhook integration is used to create incidents on event triggers. The trigger can be any query posted to the integration. |
| Genians | Use the Genian NAC integration to block IP addresses using the assign tag. |
| Gigamon ThreatINSIGHT | Gigamon ThreatINSIGHT is a cloud-native network detection and response solution built for the rapid detection of threat activity, investigation of suspicious behavior, proactive hunting for potential risks, and directing a fast and effective response to active threats. |
| GitHub | Integration to GitHub API |
| Github Event Collector | Github logs event collector integration for XSIAM. |
| GitHub IAM | Integrate with GitHub services to perform Identity Lifecycle Management operations. |
| GitLab | An integration with GitLab. |
| GitLab Event Collector | |
| GLIMPS Detect | Use the GLIMPS Detect Integration to send files to GLIMPS Malware and get results from it |
| GLPI | GLPI open source ITSM solution |
| Gmail | Gmail API and user management [This integration replaces the Gmail functionality in the GoogleApps API and G Suite integration]. |
| Gmail Single User | Gmail API using OAuth 2.0. |
| Google BigQuery | Integration for Google BigQuery, a data warehouse for querying and analyzing large databases. In all commands, for any argument not specified, the BigQuery default value for that argument will be applied. |
| Google Calendar | Google Calendar is a time-management and scheduling calendar service developed by Google. This integration helps you to perform various tasks on the access control list [ACL]. |
| Google Cloud Compute | Google Compute Engine delivers virtual machines running in Google's innovative data centers and worldwide fiber network. Compute Engine's tooling and workflow support enable scaling from single instances to global, load-balanced cloud computing. |
| Google Cloud Functions | Google Cloud Functions is an event-driven serverless compute platform that enables you to run your code locally or in the cloud without having to provision servers. |
| Google Cloud Pub/Sub | Google Cloud Pub/Sub is a fully-managed real-time messaging service that enables you to send and receive messages between independent applications. |
| Google Cloud SCC | Security Command Center is a security and risk management platform for Google Cloud. Security Command Center enables you to understand your security and data attack surface by providing asset inventory and discovery, identifying vulnerabilities and threats, and helping you mitigate and remediate risks across an organization. This integration helps you to perform tasks related to findings and assets. |
| Google Cloud Storage | Google Cloud Storage is a RESTful online file storage web service for storing and accessing data on Google Cloud Platform infrastructure. |
| Google Cloud Translate | A Google API cloud based translation service. |
| Google Docs | Use the Google Docs integration to create and modify Google Docs documents. |
| Google Dorking | Automate the process of google dorking searches in order to detect leaked data. |
| Google Drive | Google Drive allows users to store files on their servers, synchronize files across devices, and share files. This integration helps you to create a new drive, query past activity, and view change logs performed by the users. |
| Google IP Ranges Feed | Use the Google IP Ranges integration to get GCP and Google global IP ranges. |
| Google Key Management Service | Use the Google Key Management Service API for CryptoKey management and encrypt/decrypt functionality. |
| Google Kubernetes Engine | The Google Kubernetes Engine integration is used for building and managing container based applications in Google Cloud Platform [GCP], powered by the open source Kubernetes technology. |
| Google Maps | Use the Google Maps API. |
| Google Resource Manager | Google Cloud Platform Resource Manager |
| Google Safe Browsing [Deprecated] | Deprecated. Use Google Safe Browsing v2 instead. |
| Google Safe Browsing v2 | Search Safe Browsing, The Safe Browsing APIs [v4] let your client applications check URLs against Google's constantly updated lists of unsafe web resources. |
| Google Sheets | Google Sheets is a spreadsheet program that is part of the free web-based Google applications to create and format spreadsheets. Use this integration to create and modify spreadsheets. |
| Google Vault | Archiving and eDiscovery for G Suite. |
| Google Vision AI | Image processing with Google Vision API |
| GoogleApps API and G Suite | Send messages and notifications to your Mattermost Team. |
| Gophish | Gophish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing. For Free |
| Grafana | Grafana alerting service. |
| GraphQL | The Generic GraphQL client can interact with any GraphQL server API. |
| Graylog | Integration with Graylog to search for logs and events |
| GreatHorn | The only cloud-native security platform that stops targeted social engineering and phishing attacks on cloud email platforms like Office 365 and G Suite. |
| GreyNoise | GreyNoise is a cybersecurity platform that collects and analyzes Internet-wide scan and attack traffic. With this integration, users can contextualize existing alerts, filter false-positives, identify compromised devices, and track emerging threats. |
| GreyNoise Community | GreyNoise is a cybersecurity platform that collects and analyzes Internet-wide scan and attack traffic. With this integration, users can contextualize existing alerts, filter false-positives, identify compromised devices, and track emerging threats. This Integration is design specifically for GreyNoise Community users and only provides the subset of intel available via the GreyNoise Community API. |
| Group-IB THF Polygon | THF Polygon is a Malware Detonation & Research platform designed for deep dynamic analysis and enhanced indicators extraction. THF Polygon analyzes submitted files and urls and extracts deep IOCs that appear when malicious code is triggered and executed. Polygon could be used either for application-level tasks [like smtp-based mail filtering] and analytical purposes [files/urls analysis for verdict, report and indicators]. |
| Group-IB Threat Intelligence & Attribution | Pack helps to integrate Group-IB Threat Intelligence & Attribution and get incidents directly into Cortex XSOAR. The list of included collections: Compromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware. |
| Group-IB Threat Intelligence & Attribution Feed | Use Group-IB Threat Intelligence & Attribution Feed integration to fetch IOCs from various Group-IB collections. |
| GRR | Use GRR Rapid Response framework |
| GuardiCore | Data center breach detection |
| GuardiCore v2 | GuardiCore v2 Integration enables you to get information about incidents and endpoints [assets] via the GuardiCore API. |
| Gurucul-GRA | Gurucul Risk Analytics [GRA] is a Unified Security and Risk Analytics platform. |
| HackerOne | HackerOne integration allows users to fetch reports by using the fetch incidents capability. It also provides commands to retrieve all the reports and programs. |
| Hackuity | From a war-room, query your Hackuity cockpit in order to seamlessly retrieve information related to your vulnerability stock. |
| HarfangLab EDR | HarfangLab EDR Connector, Compatible version 2.13.7+ |
| HashiCorp Vault | Manage Secrets and Protect Sensitive Data through HashiCorp Vault |
| Hatching Triage | Submit a high volume of samples to run in a sandbox and view reports |
| Have I Been Pwned? v2 | Uses the Have I Been Pwned? service to check whether email addresses, domains, or usernames were compromised in previous breaches. |
| HelloWorld | This is the Hello World integration for getting started. |
| HelloWorld Feed | This is the Feed Hello World integration for getting started with your feed integration. |
| HelloWorldPremium | This is the Hello World Premium integration for getting started |
| HostIo | Use the HostIo integration to enrich domains using the Host.io API. |
| HPE Aruba ClearPass | Aruba ClearPass Policy Manager provides role and device-based network access control for employees, contractors, and guests across any multi-vendor wired, wireless, and VPN infrastructure. |
| Humio | Integration with Humio |
| HYAS Insight | Use the HYAS Insight integration to interactively lookup PassiveDNS, DynamicDNS, WHOIS, Malware and C2 Attribution Information – either as playbook tasks or through API calls in the War Room. |
| HYAS Protect | Use the HYAS Protect integration to get the verdict information for FQDN, IP Address and NameServer – either as playbook tasks or through API calls in the War Room. |
| Hybrid Analysis [Deprecated] | Deprecated. Use CrowdStrike Falcon Sandbox v2 instead. |
| IBM QRadar [Deprecated] | Deprecated. Use IBM QRadar v2 or IBM QRadar v3 instead. |
| IBM QRadar v2 [Deprecated] | Deprecated. Use the IBM QRadar v3 integration instead. Fetch offenses from QRadar using Cortex XSOAR. Supports API versions until 10.0. You can fetch the offenses with their related events and assets by creating a comma-separated list of event fields. |
| IBM QRadar v3 | IBM QRadar SIEM helps security teams accurately detect and prioritize threats across the enterprise, supports API versions 10.1 and above. Provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents. |
| IBM Resilient Systems | Case management that enables visibility across your tools for continual IR improvement. |
| IBM X-Force Exchange v2 | IBM X-Force Exchange lets you receive threat intelligence about applications, IP addresses, URls and hashes |
| iboss | Manage block lists, manage allow lists, and perform domain, IP, and/or URL reputation and categorization lookups. |
| Icebrg | Reduces risk by accelerating threat detection, triage, and response to rapidly-evolving breaches across global networks. |
| iDefense [Deprecated] | Deprecated. Use the iDefense v2 integration instead. |
| iLert | Alert and notify users using iLert |
| illuminate [Deprecated] | Deprecated. Use Analyst1 integration instead. |
| IllusiveNetworks | The Illusive Attack Management API allows customers to retrieve detected incidents with a forensics timeline, attack surface insights, collect forensics on-demand, and manage a variety of operations with regard to deceptive entities, deception policies, and more. |
| Image OCR | Extracts text from images. |
| Imperva WAF | Use the Imperva WAF integration to manage IP groups and web security policies in Imperva WAF. |
| Indeni | Indeni is a turn-key automated monitoring providing visibility for security infrastructure. Indeni's production-ready Knowledge is curated from vetted, community-sourced experience, to deliver automation of tedious tasks with integration with your existing processes. |
| Indicators detection | The Cortex Core - IOCs integration uses the Cortex API for detection and response, by natively integrating network, endpoint, and cloud data to stop sophisticated attacks. |
| Infinipoint | Use the Infinipoint integration to retrieve security and policy incompliance events, vulnerabilities or incidents. Investigate and respond to events in real-time. |
| InfoArmor VigilanteATI | VigilanteATI redefines Advanced Threat Intelligence. InfoArmor's VigilanteATI platform and cyber threat services act as an extension of your IT security team. |
| Infoblox | Infoblox enables you to receive metadata about IPs in your network and manages the DNS Firewall by configuring RPZs. It defines RPZ rules to block DNS resolution for malicious or unauthorized hostnames, or redirect clients to a walled garden by substituting responses. |
| Infocyte | Infocyte can pivot off incidents to automate triage, validate events with forensic data and enabling dynamic response actions against any or all host using both agentless or agented endpoint access. |
| Intel471 Actors Feed [Deprecated] | Deprecated. To be replaced by use case centric functionality. No available replacement. |
| Intel471 Malware Feed [Deprecated] | Deprecated. Use Intel471 Malware Indicator Feed instead. |
| Intel471 Malware Indicator Feed | "Intel471's Malware Intelligence is focused on the provisioning of a high fidelity and timely indicators feed with rich context, TTP information, and malware intelligence reports. This feed allows customers to block and gain an understanding of the latest crimeware campaigns and is for those that value timeliness, confidence [little to no false positives], and seek rich context and insight around the attacks they are seeing." |
| Intel471 Watcher Alerts | 'Intel 471's watcher alerts provide a mechanism by which customers can be notified in a timely manner of Titan content that is most relevant to them.' |
| Intezer v2 | Malware detection and analysis based on code reuse |
| IntSights | Use IntSights to manage and mitigate threats. |
| Investigation & Response | The Cortex Core IR integration uses the Cortex API for detection and response, by natively integrating network, endpoint, and cloud data to stop sophisticated attacks. |
| IP-API | This integration will enrich IP addresses from IP-API with data about the geolocation, as well as a determination of the IP address being associated with a mobile device, hosting or proxy. Revers DNS is also returned. This service is available for free [with a throttle] - or paid. |
| ipinfo [Deprecated] | Deprecated. Use IPinfo v2 instead. Use the ipinfo.io API to get data about an IP address |
| IPinfo v2 | Use the IPinfo.io API to get data about an IP address. |
| IPQualityScore | Proactively Prevent Fraud |
| ipstack | One of the leading IP to geolocation APIs and global IP database services. |
| IronDefense | The IronDefense Integration for Cortex XSOAR allows users to interact with IronDefense alerts within Cortex XSOAR. The Integration provides the ability to rate alerts, update alert statuses, add comments to alerts, to report observed bad activity, get alerts, get events, and get IronDome information. |
| Ironscales | IRONSCALES, a self-learning email security platform integration |
| Ivanti Heat | Use the Ivanti Heat integration to manage issues and create Cortex XSOAR incidents from Ivanti Heat. |
| Ja3er | Query the ja3er API for MD5 hashes of JA3 fingerprints. |
| JAMF v2 | Enterprise Mobility Management [EMM] for Apple devices [Mac, iPhone, Apple TV, iPad]. Can be used to control various configurations via different policies, install and uninstall applications, lock devices, smart groups searches, and more. |
| JARM | Active TLS fingerprinting using JARM |
| Jask [Deprecated] | Deprecated. Use Sumo Logic Cloud SIEM instead. Freeing the analyst with autonomous decisions. |
| Jira Event Collector | Jira logs event collector integration for Cortex XSIAM. |
| Joe Security | Sandbox Cloud |
| JSON Feed | Fetches indicators from a JSON feed. |
| JSON Sample Incident Generator | A utility for testing incident fetching with mock JSON data. |
| JsonWhoIs | Provides data enrichment for domains and IP addresses. |
| JWT | JSON Web Token [JWT] is a compact, URL-safe means of representing claims to be transferred between two parties. This Integration can be used to Generate New JWT Tokens, Encode and Decode Existing Ones. |
| Kafka v2 [Deprecated] | Deprecated. Use the Kafka v3 integration instead. The Open source distributed streaming platform. |
| Kafka v3 | Kafka is an open source distributed streaming platform. |
| Kaspersky Security Center [Beta] | Manages endpoints and groups through the Kaspersky Security Center. |
| Keeper Secrets Manager | Use the Keeper Secrets Manager integration to manage secrets and protect sensitive data through Keeper Vault. |
| Kenna v2 | Use the Kenna v2 integration to search and update vulnerabilities, schedule a run connector, and manage tags and attributes. |
| KnowBe4 KMSAT Event Collector | KnowBe4_KMSAT allows you to push and pull your external data to and from the KnowBe4 console. |
| Lacework | Lacework provides end-to-end cloud security automation for AWS, Azure, and GCP with a comprehensive view of risks across cloud workloads and containers. |
| Lansweeper | The Lansweeper integration allows users to retrieve the asset details. |
| Lastline v2 | Use the Lastline v2 integration to provide threat analysts and incident response teams with the advanced malware isolation and inspection environment needed to safely execute advanced malware samples, and understand their behavior. |
| LDAP Authentication | Authenticate using OpenLDAP or Active Directory. |
| LGTM | An Integration with LGTM API |
| LINENotify | LINE API Integration is used for sending a message to LINE Group. |
| Linkshadow | Fetch Network Anomalies data from LinkShadow and execute the remediation Actions. |
| Linux | Agentlesss Linux host management over SSH |
| Lockpath KeyLight v2 | Use the LockPath KeyLight integration to manage GRC tickets in the Keylight platform. |
| LogPoint SIEM Integration | Use this Content Pack to search logs, fetch incident logs from LogPoint, analyze them for underlying threats, and respond to these threats in real-time. |
| LogRhythm [Deprecated] | Deprecated. Use the LogRhythmRest v2 integration instead. |
| LogRhythmRest | LogRhythm security intelligence. |
| LogRhythmRest v2 | LogRhythm security intelligence. |
| LogsignSiem | Logsign SIEM provides to collect and store unlimited data, investigate and detect threats, and respond automatically. |
| Logz.io | Fetch & remediate security incidents identified by Logz.io Cloud SIEM |
| Looker | Use the Looker integration to query an explore, save queries as looks, run looks, and fetch look results as incidents. |
| Luminar IOCs & leaked credentials | This connector allows integration of intelligence-based IOC data and customer-related leaked records identified by Luminar. |
| MAC Vendors | Query MAC Vendors for vendor names when providing a MAC address. MAC Vendors maintains a list of vendors provided directly from the IEEE Standards Association and is updated multiple times each day. The IEEE is the registration authority and provides data on over 16,500 registered vendors. |
| Mail Listener v2 | Listens to a mailbox and enables incident triggering via e-mail. |
| Mail Sender [New] | Send emails implemented in Python with embedded image support |
| MailListener - POP3 | Listen to a mailbox, enable incident triggering via e-mail |
| Majestic Million Feed | Free search and download of the top million websites. |
| Maltiverse | Use the Maltiverse integration to analyze suspicious hashes, URLs, domains and IP addresses. |
| MalwareBazaar | MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the Infosec community, AV vendors, and threat intelligence providers. |
| MalwareBazaar Feed | Use the MalwareBazaar Feed integration to get the list of malware samples added to MalwareBazaar within the last 60 minutes. |
| Malwarebytes | Scan and Remediate threats on endpoints in the Malwarebytes cloud. |
| Malwation AIMA | Malwation AIMA malware analysis sandboxing. |
| ManageEngine PAM360 | Integration to fetch passwords from the PAM360 repository, and to manage accounts, resources, and privileged credentials. |
| Mandiant Advantage Feed | Retrieves indicators from the Mandiant Advantage Feed. |
| Mandiant Automated Defense [Formerly Respond Software] | Use the Mandiant Automated Defense integration to fetch and update incidents from Mandiant Automated Defense. Mandiant Automated Defense fetches open incidents and updates them every minute. Changes made within XSOAR are reflected in Mandiant Automated Defense platform with bi-directional mirroring capabilities enabled. |
| Mattermost | Send messages and notifications to your Mattermost Team. |
| MaxMind GeoIP2 | Enriches IP addresses |
| McAfee Active Response | Connect to MAR using its DXL client |
| McAfee Advanced Threat Defense | Integrated advanced threat detection: Enhancing protection from network edge to endpoint |
| McAfee DAM | McAfee Database Activity Monitoring |
| McAfee DXL | McAfee DXL client |
| McAfee ePO [Deprecated] | Deprecated. Use McAfee ePO v2 instead. |
| McAfee ePO v2 | McAfee ePolicy Orchestrator |
| McAfee ESM v10 and v11 [Deprecated] | Deprecated. Use the McAfee ESM v2 integration instead. |
| McAfee ESM v2 | This integration runs queries and receives alarms from McAfee Enterprise Security Manager [ESM]. Supports version 10 and above. |
| McAfee NSM | McAfee Network Security Manager |
| McAfee Threat Intelligence Exchange | Connect to McAfee TIE using the McAfee DXL client. |
| Micro Focus Service Manager | Service Manager By Micro Focus [Formerly HPE Software]. |
| MicroFocus SMAX | Fetch SMAX cases and automate differen SMAX case management actions |
| Microsoft 365 Defender | Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. |
| Microsoft 365 Defender Event Collector | Microsoft 365 Defender Event Collector integration. |
| Microsoft Advanced Threat Analytics | Use Microsoft Advanced Threat Analytics integration to manage suspicious activities, monitoring alerts and entities. |
| Microsoft Cloud App Security | Microsoft Cloud App Security is a multimode Cloud Access Security Broker [CASB]. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services. Use the integration to view and resolve alerts, view activities, view files, and view user accounts. |
| Microsoft Defender for Cloud Apps Event Collector | Collects the events log for alerts and activities provided Microsoft Defender for Cloud Apps API. |
| Microsoft Defender for Endpoint | Microsoft Defender for Endpoint [previously Microsoft Defender Advanced Threat Protection [ATP]] is a unified platform for preventative protection, post-breach detection, automated investigation, and response. |
| Microsoft Endpoint Configuration Manager | The Microsoft Endpoint Configuration Manager provides the overall Configuration Management [CM] infrastructure and environment to the product development team [formerly known as SCCM]. |
| Microsoft Endpoint Manager [Intune] | Microsoft Intune is a Microsoft cloud-based management solution that provides for mobile device and operating system management. |
| Microsoft Graph API | Use the Microsoft Graph API integration to interact with Microsoft APIs that do not have dedicated integrations in Cortex XSOAR, for example, Mail Single-User, etc. |
| Microsoft Graph Mail Single User | Microsoft Graph grants Cortex XSOAR authorized access to a user's Microsoft Outlook mail data in a personal account or organization account. |
| Microsoft Graph Security | Unified gateway to security insights - all from a unified Microsoft Graph Security API. |
| Microsoft Intune Feed | Use the Microsoft Intune Feed integration to get indicators from the feed. |
| Microsoft Management Activity API [O365 Azure Events] | The Microsoft Management Activity API integration enables you to subscribe or unsubscribe to different audits, receive their content, and fetch new content as incidents. |
| Microsoft Policy And Compliance [Audit Log] | Use the integration to get logs from the O365 service. |
| Microsoft Teams | Send messages and notifications to your team members. |
| Microsoft Teams Management | Manage teams and members in Microsoft Teams. |
| Microsoft Teams via Webhook | Integration for sending notifications to a Microsoft Teams channel via Incoming Webhook. |
| Mimecast Event Collector | |
| Mimecast v2 | Mimecast unified email management offers cloud email services for email security, continuity and archiving emails. Please read detailed instructions in order to understand how to set the integration's parameters. |
| Minerva Labs Anti-Evasion Platform | Minerva eliminates the endpoint security gap while empowering companies to embrace technology fearlessly. |
| MinIO | An Integration with MinIO Object Storage |
| MISP Feed | Indicators feed from MISP |
| MISP v2 [Deprecated] | Deprecated. Use the MISP v3 integration instead. |
| MISP v3 | Malware information sharing platform and threat sharing. |
| MITRE ATT&CK | Use the MITRE ATT&CK® feed to fetch MITRE’s Adversarial Tactics, Techniques, and Common Knowledge [ATT&CK®] content. MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. |
| MITRE IDs Feed [Deprecated] | Deprecated. Use MITRE ATT&CK Feed v2 instead. |
| MitreCaldera | Mitre Caldera can be used to test endpoint security solutions and assess a network's security posture against the common post-compromise adversarial techniques contained in the ATT&CK model. CALDERA leverages the ATT&CK model to identify and replicate adversary behaviors as if a real intrusion is occurring. |
| mnemonic MDR - Argus Managed Defence | Rapidly detect, analyse and respond to security threats with mnemonic’s leading Managed Detection and Response [MDR] service. |
| MobileIronCLOUD | MobileIron Cloud Integration |
| MobileIronCORE | MobileIron CORE Integration |
| Moloch [Deprecated] | Deprecated. Use Arkime instead. |
| MongoDB | Use the MongoDB integration to search and query entries in your MongoDB. |
| MongoDB Key Value Store | Manipulates key/value pairs according to an incident utilizing the MongoDB collection. |
| MongoDB Log | Writes log data to a MongoDB collection. |
| MS-ISAC | This API queries alerts and alert data from the MS-ISAC API to enrich and query alerts from the platform |
| National Vulnerability Database | CVE feed from the National Vulnerability Database |
| Ncurion | This is the Ncurion integration for getting started. |
| Netcraft | An integration for Netcraft, allowing you to open and handle takedown requests. |
| Netscout Arbor Edge Defense | Use the Netscout Arbor Edge Defense integration to detect and stop both inbound threats and outbound malicious communication from compromised internal devices. |
| Netscout Arbor Sightline [Peakflow] | DDoS protection and network visibility. |
| Netskope [API v1] | Get alerts and events, manage quarantine files as well as URL and hash lists using Netskope API v1. |
| Netskope [API v2] | Block URLs, domains and file hashes. |
| Netskope [Deprecated] | Cloud access security broker that enables to find, understand, and secure cloud apps. Deprecated. Use Netskope [API v1] instead. |
| Netskope Event Collector | Netskope Event Collector integration. |
| Nexthink | Nexthink helps IT teams deliver on the promise of the modern digital workplace. Nexthink is the only solution to provide enterprises with a way to visualize, act and engage across the entire IT ecosystem to lower IT cost and improve digital employee experience. |
| nmap | Run nmap scans with the given parameters |
| Nozomi Networks | The Nozomi Networks Guardian platform is a hardware or virtual appliance that is used to monitor OT/IoT/IT networks. It combines asset discovery, network visualization, vulnerability assessment, risk monitoring and threat detection in a single solution. This integration is used to gather alerts and assets information from Nozomi. |
| NTT Cyber Threat Sensor | Retrieve alerts and recommendations from NTT CTS |
| NucleonCyberFeed | This is the NucleonCyber Feed integration |
| Nutanix Hypervisor | Nutanix Hypervisor abstracts and isolates the VMs and their programs from the underlying server hardware, enabling a more efficient use of physical resources, simpler maintenance and operations, and reduced costs. |
| O365 - EWS - Extension | This integration enables you to manage and interact with Microsoft O365 - Exchange Online from within XSOAR. |
| O365 - Security And Compliance - Content Search | This integration allows you to manage and interact with Microsoft security and compliance content search. |
| O365 Defender SafeLinks | Provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations. |
| O365 Defender SafeLinks - Single User | Enables URL scanning, rewriting inbound email messages in the mail flow, time-of-click URL verification, and links in email messages and other locations. |
| O365 File Management [Onedrive/Sharepoint/Teams] | Use the O365 File Management [Onedrive/Sharepoint/Teams] integration to enable your app to get authorized access to files in OneDrive, SharePoint, and MS Teams across your entire organization. This integration requires admin consent. |
| O365 Outlook Calendar | O365 Outlook Calendar enables you to create and manage different calendars and events according to your requirements. |
| O365 Outlook Mail [Using Graph API] | Microsoft Graph lets your app get authorized access to a user's Outlook mail data in a personal or organization account. |
| OctoxLabs | Octox Labs Cyber Security Asset Management platform |
| Office 365 Feed | The Office 365 IP Address and URL web service is a read-only API provided by Microsoft to expose the URLs and IPs used by Office 365. The Office 365 Feed integration fetches indicators from the service, with which you can create a list [allow list, block list, EDL, etc.] for your SIEM or firewall service to ingest and apply to its policy rules. |
| okta [Deprecated] | Deprecated. Use the Okta v2 integration instead. |
| Okta Event Collector | Collects the events log for authentication and Audit provided by Okta admin API. |
| Okta IAM | Integrate with Okta's Identity Access Management service to execute CRUD operations to employee lifecycle processes. |
| Okta v2 | Integration with Okta's cloud-based identity management service. |
| OpenCTI | Manages indicators from OpenCTI. Compatible with OpenCTI 4.X API version. |
| OpenCTI Feed 3.X | Ingest indicators from the OpenCTI feed. Compatible with OpenCTI 3.X API version. |
| OpenCTI Feed 4.X | Ingest indicators from the OpenCTI feed. Compatible with OpenCTI 4.X API version. |
| OpenPhish v2 | OpenPhish uses proprietary Artificial Intelligence algorithms to automatically identify zero-day phishing sites and provide comprehensive, actionable, real-time threat intelligence. |
| OPNSense | Manage OPNsense Firewall. For more information see OPNsense documentation. OPNsense is an open source, easy-to-use and easy-to-build HardenedBSD based firewall and routing platform. |
| OpsGenie [Deprecated] | Deprecated. Use the OpsGenie v3 integration instead |
| Opsgenie v2 | Integration with Atlassian OpsGenie V2 |
| OpsGenie v3 | Integration with Atlassian OpsGenie. OpsGenie is a cloud-based service that enables operations teams to manage alerts generated by monitoring tools to ensure the right people are notified, and the problems are addressed in a timely manner. |
| Oracle IAM | Integrate with Oracle's services to execute CRUD and Group operations for employee lifecycle processes. |
| Orca | Agentless, Workload-Deep, Context-Aware Security and Compliance for AWS, Azure, and GCP. |
| OSV | OSV [Open Source Vulnerability] is a vulnerability database for open source projects. For each vulnerability, it perform bisects to figure out the exact commit that introduces the bug, as well the exact commit that fixes it. This is cross referenced against upstream repositories to figure out the affected tags and commit ranges |
| OTRS | Service management suite that comprises ticketing, workflow automation, and notification. |
| Packetsled | Packetsled Network Security API commands |
| PagerDuty v2 | Alert and notify users using PagerDuty |
| Palo Alto AutoFocus [Deprecated] | Deprecated. Use the Palo Alto Networks AutoFocus v2 integration instead. Palo Alto Networks AutoFocus enables you to distinguish the most important threats from everyday commodity attacks. |
| Palo Alto Networks - Prisma Cloud Compute | Use the Prisma Cloud Compute integration to fetch incidents from your Prisma Cloud Compute environment. |
| Palo Alto Networks AutoFocus v2 | Use the Palo Alto Networks AutoFocus integration to distinguish the most important threats from everyday commodity attacks. |
| Palo Alto Networks Automatic SLR | Allow XSOAR to automatically generate Security Lifecycle Review's [SLR's] |
| Palo Alto Networks BPA | Palo Alto Networks Best Practice Assessment [BPA] analyzes NGFW and Panorama configurations and compares them to the best practices. |
| Palo Alto Networks Cortex [Deprecated] | Deprecated. We recommend using the Cortex Data Lake integration instead. This framework manages all PA's cloud managed products |
| Palo Alto Networks Cortex XDR - Investigation and Response | Cortex XDR is the world's first detection and response app that natively integrates network, endpoint, and cloud data to stop sophisticated attacks. |
| Palo Alto Networks Enterprise DLP | Palo Alto Networks Enterprise DLP discovers and protects company data across every data channel and repository. Integrated Enterprise DLP enables data protection and compliance everywhere without complexity. |
| Palo Alto Networks IoT | This is the Palo Alto Networks IoT integration [previously Zingbox]. |
| Palo Alto Networks IoT 3rd Party | Base Integration for Palo Alto IoT third party integrations. This integration communicates with Palo Alto IoT Cloud to get alerts, vulnerabilities and devices. |
| Palo Alto Networks MineMeld [Deprecated] | Deprecated. MineMeld streamlines the aggregation, enforcement and sharing of threat intelligence. |
| Palo Alto Networks PAN-OS | Manage Palo Alto Networks Firewall and Panorama. For more information see Panorama documentation. |
| Palo Alto Networks PAN-OS EDL Management [Deprecated] | Deprecated. Use the Generic Export Indicators Service integration instead. This integration is still supported however, for customers with over 1000 Firewalls. |
| Palo Alto Networks Security Advisories [Beta] | Queries the public repository of PAN-OS CVEs. |
| Palo Alto Networks Threat Vault [Deprecated] | Deprecated. No available replacement. |
| Palo Alto Networks Traps [Deprecated] | Deprecated. Use CortexXDR instead. |
| Palo Alto Networks WildFire Reports | Generates a Palo Alto Networks WildFire PDF report. For internal use with the TIM Sample Analysis feature. |
| Palo Alto Networks WildFire v2 | Perform malware dynamic analysis |
| PAN-OS Policy Optimizer | Automate your AppID Adoption by using this integration together with your Palo Alto Networks Next-Generation Firewall or Panorama. |
| PassiveTotal v2 | Analyze and understand threat infrastructure from a variety of sources-passive DNS, active DNS, WHOIS, SSL certificates and more-without devoting resources to time-intensive manual threat research and analysis. |
| Penfield | The penfield-get-assignee command takes in necessary context data, and returns the analyst that Penfield believes the incident should be assigned to based on Penfield's models of skill and process. The test command verfies that the endpoint is reachable. |
| Pentera | Automate remediation actions based on Pentera, the Automated Security Validation Platform, proactively exposing high-risk vulnerabilities |
| PerceptionPoint | Loads incidents from Perception Point and releases falsely quarantined emails. |
| Perch | Perch is a co-managed threat detection and response platform. |
| PerimeterX BotDefender | Gathers PerimeterX related data |
| Phish.AI [Deprecated] | Deprecated. Vendor has declared end of life for this integration. No available replacement. |
| PhishER | KnowBE4 PhishER integration allows to pull events from PhishER system and do mutations |
| PhishLabs IOC | Get indicators of compromise from PhishLabs. |
| PhishLabs IOC DRP | Retrieves Digital Risk cases Protection from PhishLabs. |
| PhishLabs IOC EIR | Get Email Incident Reports from PhishLabs |
| PhishTank v2 | PhishTank is a free community site where anyone can submit, verify, track, and share phishing data. |
| PhishUp | PhishUp prevents phishing attacks, protects your staff and your brand with AI |
| Picus Security | Run commands on Picus and automate security validation with playbooks. |
| PiHole | Pi-hole is a network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network. |
| PingCastle | This integration will run a server that will listen for PingCastle XML reports. |
| PingOne | Integrates with the PingOne Management API to unlock, create, delete and update users. |
| Plain Text Feed | Fetches indicators from a plain text feed. |
| PolySwarm | Real-time threat intelligence from a crowd-sourced network of security experts and antivirus companies. |
| Popular News | Popular News integration fetches from three sources of news - Threatpost, The Hacker News and Krebs on Security. It outputs the title, links of the news articles and other metadata as a markdown table. The integration commands can either fetch the news from one source or all sources at a time. |
| Postmark Spamcheck | Postmark's spam API, Spamcheck, is a RESTfull interface to the Spam filter tool SpamAssassin. |
| PowerShell Remoting [Beta] | PowerShell Remoting is a comprehensive built-in remoting subsystem that is a part of Microsoft's native Windows management framework [WMF] and Windows remote management [WinRM]. This feature allows you to handle most remoting tasks in any configuration you might encounter by creating a remote PowerShell session to Windows hosts and executing commands in the created session. The integration includes out-of-the-box commands which supports agentless forensics for remote hosts. |
| Preempt | Preempt Behavioral Firewall - Detection and enforcement based on user identity |
| Prisma Access | Integrate with Prisma Access to monitor the status of the Service, alert and take actions. |
| Prisma Access Egress IP feed | Dynamically retrieve and add to allow list IPs Prisma Access uses to egress traffic to the internet and SaaS apps. |
| Prisma Cloud [RedLock] | Cloud threat defense |
| PrismaCloud IAM | The Prisma Cloud IAM API consists of a set of API endpoints that allow customers to perform CRUD operation on their user profiles. |
| Proofpoint Feed | Detailed feed of domains and ips classified in different categories. You need a valid authorization code from Proofpoint ET to access this feed |
| Proofpoint Protection Server [Deprecated] | Deprecated. The integration uses an unsupported scraping API. Use Proofpoint Protection Server v2 instead. |
| Proofpoint Protection Server v2 | Proofpoint email security appliance. |
| Proofpoint TAP v2 | Use the Proofpoint Targeted Attack Protection [TAP] integration to protect against and provide additional visibility into phishing and other malicious email attacks. |
| Proofpoint Threat Response [Beta] | Use the Proofpoint Threat Response integration to orchestrate and automate incident response. |
| ProtectWise | Cloud based Security Network DVR |
| Public DNS Feed | A feed of known benign IPs of public DNS servers. |
| Qintel PMI | Qintel’s Patch Management Intelligence [PMI] product simplifies the vulnerability management process by providing vital context around reported Common Vulnerabilities and Exposures. With this integration, users can query PMI to surface CVEs that are known by Qintel to be leveraged by eCrime and Nation State adversaries. |
| Qintel QSentry | QSentry queries help measure the likelihood that a user is masking their identity using publicly or privately available proxy or VPN services. The returns also flag any known fraud associations. QSentry aggregates data from Qintel’s proprietary Deep and DarkWeb research, as well as from commercially available anonymization services. |
| Qintel QWatch | Qintel's QWatch system contains credentials obtained from dump sites, hacker collaboratives, and command and control infrastructures of eCrime- and APT-related malware. With this integration, users can fetch exposure alerts as incidents and discover exposed credentials associated with their organization. |
| QR Code Reader - goqr.me | Read QR Code from image file. |
| QSS | QSS integration helps you to fetch Cases from Q-SCMP and add new cases automatically through XSOAR. |
| Qualys FIM | Log and track file changes across global IT systems. |
| Qualys v2 | Qualys Vulnerability Management lets you create, run, fetch and manage reports, launch and manage vulnerability and compliance scans, and manage the host assets you want to scan for vulnerabilities and compliance. |
| Query.AI | Query.AI is a decentralized data access and analysis technology that simplifies security investigations across disparate platforms without data duplication. |
| Quest KACE Systems Management Appliance [Beta] | Use the Comprehensive Quest KACE solution to Provision, manage, secure, and service all network-connected devices. |
| RaDark | This integration enables you to fetch incidents and manage your RaDark monitor from Cortex XSOAR. |
| Rapid7 InsightIDR | Rapid7 InsightIDR is a Cloud-Based SIEM that detect and respond to security incidents. |
| Rapid7 Nexpose | Rapid7's on-premise vulnerability management solution, Nexpose, helps you reduce your threat exposure by enabling you to assess and respond to changes in your environment real time and prioritizing risk across vulnerabilities, configurations, and controls. |
| Rasterize | Converts URLs, PDF files, and emails to an image file or PDF file. |
| Recorded Future [Deprecated] | Deprecated. Use Recorded Future v2 from RecordedFuture pack instead. Unique threat intel technology that automatically serves up relevant insights in real time. |
| Recorded Future Attack Surface Intelligence | Attack Surface Intelligence Risk Rules help security teams take risk and vulnerability prioritization to the next level by helping organizations identify the biggest weaknesses within their attack surface in mere seconds. |
| Recorded Future Identity | Recorded Future Identity Integration that provides access to Recorded Future Identity module data. |
| Recorded Future RiskList Feed | Ingests indicators from Recorded Future feeds into Demisto. |
| Recorded Future v2 | Unique threat intel technology that automatically serves up relevant insights in real time. |
| Red Canary | Red Canary collects endpoint data using Carbon Black Response and CrowdStrike Falcon. The collected data is standardized into a common schema which allows teams to detect, analyze and respond to security incidents. |
| Remedy On-Demand | Use Remedy On-Demand to manage tickets |
| Remote Access [Deprecated] | File transfer and execute commands via ssh, on remote machines. |
| RemoteAccess v2 | This integration transfers files between Cortex XSOAR and a remote machine and executes commands on the remote machine. |
| ReversingLabs A1000 [Deprecated] | Deprecated. Use the ReversingLabs A1000 v2 integration instead. |
| ReversingLabs A1000 v2 | ReversingLabs A1000 advanced Malware Analysis Platform. |
| ReversingLabs Ransomware and Related Tools Feed | A timely and curated threat intel list containing recent indicators extracted from ransomware and the tools used to deploy ransomware which are suitable for threat hunting or deployment to security controls. |
| ReversingLabs TitaniumCloud [Deprecated] | Deprecated. Use the ReversingLabs TitaniumCloud v2 integration instead. |
| ReversingLabs TitaniumCloud v2 | ReversingLabs TitaniumCloud provides threat analysis data from various ReversingLabs cloud services. |
| ReversingLabs TitaniumScale | ReversingLabs advanced file decomposition appliance. |
| RiskIQ Digital Footprint | The RiskIQ Digital Footprint integration enables your security team to manage assets outside your firewall. Using the integration, you can view asset details, add or update assets and analyze your digital footprint from the adversary's perspective. |
| RiskSense | RiskSense is a cloud-based platform that provides vulnerability management and prioritization to measure and control cybersecurity risk. |
| RSA Archer [Deprecated] | Deprecated. Use the RSA Archer v2 integration instead. |
| RSA Archer v2 | The RSA Archer GRC platform provides a common foundation for managing policies, controls, risks, assessments, and deficiencies across lines of business. |
| RSA NetWitness Endpoint | RSA NetWitness Endpoint provides deep visibility beyond basic endpoint security solutions by monitoring and collecting activity across all of your endpoints on and off your network. The RSA Demisto integration provides access to information about endpoints, modules and indicators. |
| RSA NetWitness Packets and Logs | RSA NetWitness Logs and Packets decoders are responsible for the real-time collection of network data. The decode captures data in real time and can normalize and reconstruct data for full session analysis. In addition, the decoder can collect flow and endpoint data. |
| RSA NetWitness Security Analytics | RSA Security Analytics, compatible with prior to v11. A distributed and modular system that enables highly flexible deployment architectures that scale with the needs of the organization. Security Analytics allows administrators to collect two types of data from the network infrastructure, packet data and log data. |
| RSA NetWitness v11.1 [Deprecated] | Deprecated. Use RSA NetWitness v11.5 instead |
| RSANetWitness v11.5 | The RSA NetWitness integration provides system log, network, and endpoint visibility for real-time collection, detection, and automated response with the Cortex XSOAR Enterprise platform. Using full session analysis, customers can extract critical data and effectively run security operations automated playbooks. |
| RSS Feed | RSS Feed reader can ingest new items as report indicators. |
| RST Cloud - Threat Feed API | This is the RST Threat Feed integration for interacting with API |
| RTIR | Request Tracker for Incident Response is a ticketing system which provides pre-configured queues and workflows designed for incident response teams. |
| Rubrik Radar | The Rubrik Radar integration will fetch the Rubrik Radar Anomaly Event and is rich with commands to perform the on-demand scans, backups, recoveries and many more features to manage and protect the organizational data. |
| Rundeck | Rundeck is a runbook automation for incident management, business continuity, and self-service operations. |- The integration enables you to install software on a list of machines or perform a task periodically. Can be used when there is a new attack and you want to perform an update of the software to block the attack. |
| SaaS Security | SaaS Security API is a cloud-based service that you can connect directly to your sanctioned SaaS applications using the cloud app’s API to provide data classification, sharing and permission visibility, and threat detection. This Content Pack provides insights into risks posed by data exposure and policy violations and enables you to use Cortex XSOAR to effectively manage the incidents discovered by SaaS Security API. |
| SaaS Security Event Collector | Palo Alto Networks SaaS Security Event Collector integration for XSIAM. |
| SafeBreach [Deprecated] | Deprecated. SafeBreach simulates attacks across the kill chain, to validate security policy, configuration, and effectiveness. Quantify the real impact of a cyber attack on your systems at any given moment. Identify remediation options. Stay ahead of attackers. |
| SafeBreach v2 | SafeBreach automatically executes thousands of breach methods from its extensive and growing Hacker’s Playbook™ to validate security control effectiveness. Simulations are automatically correlated with network, endpoint, and SIEM solutions providing data-driven SafeBreach Insights for holistic remediation to harden enterprise defenses. |
| Safewalk Management | Safewalk server integration |
| Safewalk Reports | Safewalk server integration |
| SailPoint IdentityIQ | SailPoint IdentityIQ context pack enables XSOAR customers to utilize the deep, enriched contextual data in the SailPoint predictive identity platform to better drive identity-aware security practices. |
| SailPoint IdentityNow | The SailPoint Identity Security platform can be configured either on-prem/single tenant SaaS, or multi-tenant. This package is intended to be used with the SaaS, multi-tenant solution, IdentityNow. |
| Salesforce | CRM Services |
| Salesforce Event Collector | Salesforce logs event collector integration for XSIAM. |
| Salesforce Fusion IAM | Integrate with Salesforce Fusion Identity Access Management service to execute CRUD [create, read, update, and delete] operations for employee lifecycle processes. |
| Salesforce IAM | Integrate with Salesforce's services to perform Identity Lifecycle Management operations. |
| Salesforce v2 | CRM Services |
| SAML 2.0 | Authenticate your Cortex XSOAR users using SAML 2.0 authentication with your organization`s identity provider. |
| SAML 2.0 - ADFS as IdP | You can authenticate your Demisto users using SAML 2.0 authentication and ADFS as the identity provider. |
| SAML 2.0 - Okta as IdP | You can authenticate your Demisto users using SAML 2.0 authentication and Okta as the identity provider. |
| SAML 2.0 - PingOne as IdP | You can authenticate your XSOAR users using SAML 2.0 authentication and PingOne as the identity provider. |
| SAP - IAM | Integrate with SAP's services to execute CRUD operations for employee lifecycle processes. |
| SCADAfence CNM | fetching data from CNM |
| Screenshot Machine | Uses screenshot machine to get a screenshot |
| SecBI | A threat, intelligence, and investigation platform, enabled by automation of detection and investigation, including remediation and prevention policy enforcements on all integrated appliances. |
| SecneurX Analysis | Fully automated malware dynamic analysis sandboxing |
| SecneurX Threat Feeds | SecneurX provides real-time threat intelligence that protects companies against the latest cyber threats, including APTs, phishing, malware, ransomware, data exfiltration, and brand infringement. Security teams rely on our dependable and rich data to expand their threat landscape visibility, resulting in improved detection rates and response times. |
| Security Intelligence Services Feed | A PassiveTotal with Security Intelligence Services Feed provides you with newly observed Domain, Malware, Phishing, Content and Scam Blacklist with Hourly ingestion available. |
| SecurityAdvisor | Contextual coaching and awareness for end users |
| SecurityScorecard | Provides scorecards for domains. |
| SecurityTrails | This integration provides API access to the SecurityTrails platform. |
| Securonix | Use the Securonix integration to manage incidents and watchlists. |
| SEKOIAIntelligenceCenter | Fetch Indicator and Observables from SEKOIA.IO Intelligence Center. To use this integration, please create an API Key with the right permissions. |
| SendGrid | SendGrid provides a cloud-based service that assists businesses with email delivery. It allows companies to track email opens, unsubscribes, bounces, and spam reports. Our SendGrid pack utilize these SendGrid use cases to help you send and manage your emails. |
| SentinelOne v2 | Use the SentinelOne integration to send requests to your management server and get responses with data pulled from agents or from the management database. |
| Sepio | Get Agent, Switches and Events from your Sepio Prime |
| Server Message Block [SMB] [Deprecated] | Deprecated. Use the Server Message Block [SMB] v2 integration instead. |
| Server Message Block [SMB] v2 | Files and Directories management with an SMB server. Supports SMB2 and SMB3 protocols. |
| Service Desk Plus | Use this integration to manage on-premises and cloud Service Desk Plus requests. The integration allows you to create, update, and delete requests, assign groups and technicians to requests, and link/unlink requests and modify their resolution. |
| Service Desk Plus [On-Premise] [Deprecated] | Deprecated. Use the Service Desk Plus instead. |
| ServiceNow [Deprecated] | Deprecated. Use the ServiceNow v2 integration instead. |
| ServiceNow CMDB | ServiceNow CMDB is a service‑centric foundation that proactively analyzes service‑impacting changes, identifies issues, and eliminates outages. |
| ServiceNow IAM | Integrate with ServiceNow's services to execute CRUD operations for employee lifecycle processes. |
| ServiceNow v2 | Use The ServiceNow IT Service Management [ITSM] solution to modernize the way you manage and deliver services to your users. |
| ShiftLeft CORE | Integrate ShiftLeft CORE code analysis platform with Cortex XSOAR. |
| Shodan v2 | A search engine used for searching Internet-connected devices |
| Signal Sciences WAF | Protect your web application using Signal Sciences. |
| Silverfort | Use the Silverfort integration to get and update Silverfort risk severity. |
| Simple SFTP | Simple SFTP Integration to copy files from SFTP Server using paramiko. |
| Sixgill DarkFeed Enrichment | Sixgill Darkfeed Enrichment – powered by the broadest automated collection from the deep and dark web – is the most comprehensive IOC enrichment solution on the market. By enriching Palo Alto Networks Cortex XSOAR IOCs with Darkfeed, customers gain unparalleled context and essential explanations in order to accelerate their incident prevention and response and stay ahead of the threat curve. Automatically enrich Cortex XSOAR IOCs [machine to machine] via Darkfeed. Block threats and enrich endpoint protection in real-time from the Cortex XSOAR dashboard, gain contextual and actionable insights with essential explanations of Cortex XSOAR IOCs. |
| Sixgill DarkFeed Threat Intelligence | Leverage the power of Sixgill to supercharge Cortex XSOAR with real-time Threat Intelligence indicators. Get IOCs such as domains, URLs, hashes, and IP addresses straight into the XSOAR platform. |
| Skyformation [Deprecated] | Deprecated. Vendor has declared end of life for this integration. No available replacement. |
| Skyhigh Security | Skyhigh Security is a cloud-based, multi-tenant service that enables Cloud Discovery and Risk Monitoring, Cloud Usage Analytics, Cloud Access and Control. |
| Slack Event Collector | Slack logs event collector integration for XSIAM. |
| Slack IAM | Integrate with Slack's services to execute CRUD operations for employee lifecycle processes. |
| Slack v2 | Send messages and notifications to your Slack team. |
| Slack v3 | Send messages and notifications to your Slack team. |
| SlashNext Phishing Incident Response | SlashNext Phishing Incident Response integration allows Cortex XSOAR users to fully automate analysis of suspicious URLs. For example, IR teams responsible for abuse inbox management can extract links or domains out of suspicious emails and automatically analyze them with the SlashNext SEER threat detection cloud to get definitive, binary verdicts [malicious or benign] along with IOCs, screen shots, and more. Automating URL analysis can save IR teams hundreds of hours versus manually triaging these emails or checking URLs and domains against less accurate phishing databases and domain reputation services. |
| SMIME Messaging | Use the S/MIME [Secure Multipurpose Internet Mail Extensions] integration to send and receive secure MIME data. |
| Smokescreen IllusionBLACK | Smokescreen IllusionBLACK is a deception-based threat defense platform designed to accurately and efficiently detect targeted threats including reconnaissance, lateral movement, malware-less attacks, social engineering, Man-in-the-Middle attacks, and ransomware in real-time. |
| SNDBOX [Deprecated] | Deprecated. No available replacement. |
| Snort IP Blocklist Feed | This is the Snort IP Block List feed obtained from //snort.org/ |
| Snowflake | Analytic data warehouse provided as Software-as-a-Service. |
| SOCRadar Incidents | Fetches SOCRadar incidents with desired parameters so that relevant actions over the incidents can be taken by using Cortex XSOAR. |
| SOCRadar Threat Feed | Retrieve indicators provided by collections via SOCRadar Threat Intelligence Feeds. |
| SOCRadar ThreatFusion | Enrich indicators by obtaining enhanced information and reputation via ThreatFusion of SOCRadar. |
| SolarWinds | The SolarWinds integration interacts with the SWIS API to allow you to fetch alerts and events. It also provides commands to retrieve lists of alerts and events. |
| Sophos Central | The unified console for managing Sophos products. |
| Sophos Firewall | On-premise firewall by Sophos enables you to manage your firewall, respond to threats, and monitor what’s happening on your network. |
| Spamcop | SpamCop is an email spam reporting service, integration allow checking the reputation of an IP address |
| Spamhaus Feed | Use the Spamhaus feed integration to fetch indicators from the feed. |
| SplunkPy | Runs queries on Splunk servers. |
| SplunkPy Prerelease [Beta] | Runs queries on Splunk servers. |
| SpyCloud | With the SpyCloud integration data from breaches can be pulled and further processed in Playbooks. Filtering parameters can be used to filter the data set |
| Sumo Logic Cloud SIEM | Freeing the analyst with autonomous decisions |
| SumoLogic | Cloud-based service for logs & metrics management |
| Symantec Advanced Threat Protection | Advanced protection capabilities from Symantec |
| Symantec Blue Coat Content and Malware Analysis [Beta] | Symantec Blue Coat Content and Malware Analysis integration. |
| Symantec Data Loss Prevention [Deprecated] | Deprecated. Use the Symantec Data Loss Prevention V2 integration instead. Symantec Data Loss Prevention enables you to discover, monitor and protect your sensitive corporate information. |
| Symantec Data Loss Prevention v2 | Symantec Data Loss Prevention version 15.7 enables you to discover, monitor and protect your sensitive corporate information. |
| Symantec Endpoint Protection v2 | Query the Symantec Endpoint Protection Manager using the official REST API. |
| Symantec Managed Security Services | Leverage the power of Symantec Managed Security Services for continual threat monitoring and customized guidance 24x7 |
| Symantec Management Center | Symantec Management Center provides a unified management environment for the Symantec Security Platform portfolio of products. |
| Symantec Messaging Gateway | Symantec Messaging Gateway protects against spam, malware, targeted attacks and provides advanced content filtering, data loss prevention, and email encryption. |
| Synapse | Synapse intelligence analysis platform. |
| SysAid | SysAid is a robust IT management system designed to meet all of the needs of an IT department. |
| Syslog [Deprecated] | Syslog events logger. Automatically convert incoming logs to incidents. |
| Syslog Sender | Use the Syslog Sender integration to send messages and mirror incident War Room entries to Syslog. |
| Syslog v2 | A Syslog server enables automatically opening incidents from Syslog clients. This integration supports filtering logs to convert to incidents, or alternatively converting all logs. |
| TaegisXDR | For integration with the Secureworks Taegis XDR platform |
| Talos Feed | Use the Talos Feed integration to get indicators from the feed. |
| Tanium | Tanium endpoint security and systems management |
| Tanium Threat Response | Use the Tanium Threat Response integration to manage endpoints processes, evidence, alerts, files, snapshots, and connections. This Integration works with Tanium Threat Response version below 3.0.159. In order to use Tanium Threat Response version 3.0.159 and above, use Tanium Threat Response V2 Integration. |
| Tanium Threat Response v2 | Use the Tanium Threat Response integration to manage endpoint processes, evidence, alerts, files, snapshots, and connections. This integration works with Tanium Threat Response version 3.0.159 and above. |
| Tanium v2 | Tanium endpoint security and systems management, filters out [current results unavailable] when returning question results |
| TAXII 2 Feed | Ingests indicator feeds from TAXII 2.0 and 2.1 servers. |
| TAXII Feed | Ingests indicator feeds from TAXII 1.x servers. |
| TAXII Server | This integration provides TAXII Services for system indicators [Outbound feed]. |
| TAXII2 Server | This integration provides TAXII2 Services for system indicators [Outbound feed]. |
| Team Cymru | Team Cymru provides various service options dedicated to mapping IP numbers to BGP prefixes and ASNs. Each of the services is based on the same BGP feeds from 50+ BGP peers and is updated at 4-hour intervals. |
| Tenable.io | A comprehensive asset-centric solution to accurately track resources while accommodating dynamic assets such as cloud, mobile devices, containers, and web applications. |
| Tenable.sc | With Tenable.sc [formerly SecurityCenter] you get a real-time, continuous assessment of your security posture so you can find and fix vulnerabilities faster. |
| Thales SafeNet Trusted Access | This integration enables you to process alerts from SafeNet Trusted Access [STA] indicating security risks to end user accounts, and apply security remediation actions on SafeNet Trusted Access through security orchestration playbooks. |
| Thales SafeNet Trusted Access Event Collector | Retrieve access, authentication, and audit logs and store them on a Security Information and Event Management [SIEM] system, local repository, or syslog file server. You can retrieve the logs only for the tenant that is associated with the API key, or for a direct or delegated child of that tenant. |
| TheHive Project | Integration with The Hive Project Security Incident Response Platform. |
| Thinkst Canary | By presenting itself as an apparently benign and legitimate service[s], the Canary draws the attention of unwanted activity. When someone trips one of the Canary's triggers, an alert is sent to notify the responsible parties so that action can be taken before valubale systems in your network are compromised. |
| ThousandEyes | This Integration is used to to fetch-incidents via “Active alerts”, get alert details via “Alert details”, and get the “Agent list”. |
| Threat Crowd v2 | Query Threat Crowd for reports. |
| ThreatConnect [Deprecated] | Deprecated. Use the ThreatConnect v2 integration instead. |
| ThreatConnect Feed | This integration fetches indicators from ThreatConnect. |
| ThreatConnect v2 | ThreatConnect's intelligence-driven security operations solution with intelligence, automation, analytics, and workflows. |
| ThreatConnect v3 | ThreatConnect's integration is a intelligence-driven security operations solution with intelligence, automation, analytics, and workflows. |
| ThreatExchange [Deprecated] | Deprecated. Use the ThreatExchange v2 integration instead. |
| ThreatExchange v2 | Receive threat intelligence about applications, IP addresses, URLs, and hashes. A service by Facebook. |
| ThreatMiner | Data Mining for Threat Intelligence |
| ThreatQ v2 | A threat intelligence platform that collects and interprets intelligence data from open sources and manages indicator scoring, types, and attributes. |
| ThreatX | The ThreatX integration allows automated enforcement and intel gathering actions. |
| Thycotic | Secret Server is the only fully featured Privileged Account Management [PAM] solution available both on premise and in the cloud. It empowers security and IT ops teams to secure and manage all types of privileged accounts and offers the fastest time to value of any PAM solution. |
| ThycoticDSV | Manage credentials for applications, databases, CI/CD tools, and services without causing friction in the development process. |
| Tidy | Tidy integration handle endpoints enviorment installation. |
| TitaniamProtect | TitaniamProtect protects incidents data inside the Cortex XSOAR platform. |
| TOPdesk | TOPdesk’s Enterprise Service Management software [ESM] lets your service teams join forces and process requests from a single platform. |
| Trello | Interact with the Trello task manager |
| Trend Micro Apex One | Trend Micro Apex One central automation to manage agents and User-Defined Suspicious Objects |
| Trend Micro Cloud App Security | Use Trend Micro Cloud App Security integration to protect against ransomware, phishing, malware, and unauthorized transmission of sensitive data for cloud applications, such as Microsoft 365, Box, Dropbox, Google G Suite and Salesforce. |
| Trend Micro Deep Security | Cloud Security Protection |
| Trend Micro Vision One | Trend Micro Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response [XDR] capabilities that collect and automatically correlate data across multiple security layers—email, endpoints, servers, cloud workloads, and networks—Trend Micro Vision One prevents the majority of attacks with automated protection. |
| Tripwire | Tripwire is a file integrity management [FIM], FIM monitors files and folders on systems and is triggered when they have changed. |
| TruSTAR [Deprecated] | Deprecated. Use the TruSTAR v2 integration instead. |
| TruSTAR v2 | TruSTAR is an Intelligence Management Platform that helps you operationalize data across tools and teams, helping you prioritize investigations and accelerate incident response. |
| Trustwave Secure Email Gateway | Trustwave SEG is a secure messaging solution that protects businesses and users from email-borne threats, including phishing, blended threats, and spam. Trustwave Secure Email Gateway also delivers improved policy enforcement and data leakage prevention. |
| TrustwaveFusion | The Trustwave Fusion platform connects your organization’s digital footprint to a robust security cloud comprised of the Trustwave data lake, advanced analytics, actionable threat intelligence and a wide range of Trustwave services including Trustwave SpiderLabs , elite team of security specialists. Your team will benefit from deep visibility and the advanced security expertise necessary for protecting assets and eradicating threats as they arise. |
| Tufin | Retrieve and analyze network access controls across Tufin-managed firewalls, SDN, and public cloud to identify vulnerable access paths of an attack |
| Twinwave | TwinWave’s threat analysis platform analyzes both URLs and files to detect credential phishing and malware threats. Our platform automatically navigates complex attack chains that attackers put in front of threats in order to evade analysis. In addition to detecting threats, the TwinWave platform generates actionable intelligence for threat hunting and other activities. |
| The Twitter Integration allows users to parse Twitter for Users, Tweets, and additional info about users. Perform enhanced searches with additional search arguments. Search results are returned as a markdown table. | |
| TwitterIOCHunter Feed | Fetch the full daily feed from www.tweettioc.com/v1/tweets/daily/full |
| UBIRCH | The UBIRCH solution can be seen as an external data certification provider, as a data notary service, giving data receivers the capability to verify data they have received with regard to its authenticity and integrity and correctness of sequence. |
| Unisys Stealth | This integration is intended to aid companies in integrating with the Stealth EcoAPI service. Using the included commands, security teams can trigger dynamically isolation of users or endpoints from the rest of the Stealth network. |
| Unit 42 ATOMs Feed | Unit 42 feed of published IOCs, which contains known malicious indicators. |
| Unit 42 Feed [Deprecated] | Deprecated. Use Unit42 ATOMs Feed instead. |
| Unit 42 Intel Objects Feed | Use the Unit 42 Intel Objects Feed integration to fetch indicators from Unit 42 Intel Objects. |
| Uptycs | Fetches data from the Uptycs database. |
| URLhaus | URLhaus has the goal of sharing malicious URLs that are being used for malware distribution. |
| URLhaus Feed | Fetch url indicators for URLhaus |
| urlscan.io | Use urlscan.io integration to perform scans on suspected URLs and see their reputation. |
| USTA | USTA is an Cyber Intelligence Platform that responds directly and effectively to today's complex cyber threats. |
| Varonis Data Security Platform | Streamline alerts and related forensic information from Varonis DSP |
| Vectra | Automated attacker behavior analytics |
| Vectra Detect [Beta] | This integration allows to create incidents based on Vectra Accounts/Hosts/Detections objects |
| Vectra v2 | Automated attacker behavior analytics |
| Venafi | Retrieves information about certificates stored in Venafi. |
| Vertica | Analytic database management software |
| VirusTotal [API v3] | Analyzes suspicious hashes, URLs, domains, and IP addresses. |
| VirusTotal [Deprecated] | Deprecated. Use VirusTotalV3 integration instead. |
| VirusTotal - Premium [API v3] | Analyse retro hunts, read live hunt notifications and download files from VirusTotal. |
| VirusTotal - Private API [Deprecated] | Deprecated. Use "VirusTotal [API v3]" or "VirusTotal - Premium [API v3]" integrations instead. |
| VirusTotal Livehunt Feed | Use this feed integration to fetch VirusTotal Livehunt notifications as indicators. |
| VirusTotal Retrohunt Feed | Use this feed integration to fetch VirusTotal Retrohunt matches. |
| VMRay | Malware analysis sandboxing. |
| VMware | VMware vCenter server is a centralized management application that lets you manage virtual machines and ESXi hosts centrally. |
| VMware Carbon Black App Control v2 | VMware Carbon Black App Control [formerly known as Carbon Black Enterprise Protection] is a next-generation endpoint threat prevention solution to deliver a portfolio of protection policies, real-time visibility across environments, and comprehensive compliance rule sets in a single platform. This integration only supports Carbon Black on-premise APIs. |
| VMware Carbon Black EDR [Deprecated] | Deprecated. Use VMware Carbon Black EDR v2 instead. |
| VMware Carbon Black EDR [Live Response API] | Collect information and take action on remote endpoints in real time with VMware Carbon Black EDR [Live Response API] [formerly known as Carbon Black Enterprise Live Response]. |
| VMware Carbon Black EDR v2 | VMware Carbon Black EDR [formerly known as Carbon Black Response] |
| VMware Carbon Black Endpoint Standard [Deprecated] | Deprecated. Use Carbon Black Endpoint Standard instead. |
| VMware Carbon Black Enterprise EDR | VMware Carbon Black Enterprise EDR [formerly known as Carbon Black ThreatHunter] is an advanced threat hunting and incident response solution delivering continuous visibility for top security operations centers [SOCs] and incident response [IR] teams. [formerly known as ThreatHunter] |
| VMware Workspace ONE UEM [AirWatch MDM] | VMware Workspace ONE UEM integration allows users to search enrolled corporate or employee-owned devices, provides detailed information about each device such as its serial number, installed OS's, pending OS updates, network details, and much more leveraging Workspace ONE UEM's [formerly AirWatch MDM] API. |
| VulnDB | Lists all of the security vulnerabilities for various products [OS,Applications] etc] |
| WhatIsMyBrowser | Parse user agents and determine if they are malicious as well as enrich information about the agent |
| Whois | Provides data enrichment for domains. |
| Windows Remote Management [Beta] | Uses the Python pywinrm library and commands to execute either a process or using Powershell scripts. |
| Wiz | Agentless cloud security. |
| Wolken ITSM | Use The Wolken IT Service Management [ITSM] solution to modernize the way you manage and deliver services to your users. |
| WootCloud | Append HyperContext™ insights to your SIEM data and feed them into your orchestration workflows. |
| Wordpress | The WordPress REST API provides an interface for applications to interact with your WordPress site by sending and receiving data as JSON [JavaScript Object Notation] objects. It is the foundation of the WordPress Block Editor, and can likewise enable your theme, plugin or custom application to present new, powerful interfaces for managing and publishing your site content. |
| Workday | Workday offers enterprise-level software solutions for financial management, human resources, and planning. |
| Workday IAM | Use the Workday IAM Integration as part of the IAM premium pack. |
| Workday IAM Event Generator [Beta] | Generates mock reports and events for Workday IAM. Use these for testing and development. |
| XM Cyber | XMCyber continuously finds attack vectors to critical assets. This integration fetches events [incidents] on changes in the overall risk score, risk to assets, or impacting attack techniques. Additionally incidents are enriched with incoming attack vectors to the incident's endpoints, and critical assets at risk form the incident. |
| xMatters | This is an integration for using xMatters. |
| XSOAR Mirroring | Facilitates mirroring of XSOAR incidents between different XSOAR tenants. |
| XSOAR Storage | Facilitates the storage and retrieval of key/value pairs within XSOAR. |
| XSOAR-Web-Server | This is a simple web-server that as of now, supports handling configurable user responses [like Yes/No/Maybe] and data collection tasks that can be used to fetch key value pairs. What makes it different from Data collection tasks is that, the URL to perform a certain action is predictable and written to the incident context when an action is setup.This URL can be inserted to for eg: an HTML email. User clicks are are recorded in the integration context and can be polled by Scheduled Commands/ Generic Polling |
| Xsoar_Utils | This is a wrapper on top of XSOAR API. Can be used to implement commands that call the XSOAR API in the background. This is mostly to avoid constructing raw json strings while calling the demisto rest api integration. The first implemented command can be used to create an entry on any investigation; playground by default. An example use-case could be debugging a pre-process script. [Call demisto.execute_command["xsoar-create-entry",{arguments}] The idea is to use the same code
to test from a local machine. Read the code to understand more. |
| Zabbix | Allow integration with Zabbix api |
| ZeroFox | Cloud-based SaaS to detect risks found on social media and digital channels. |
| ZeroTrustAnalyticsPlatform | Zero Trust Analytics Platform [ZTAP] is the underlying investigation platform and user interface for Critical Start's MDR service. |
| Zimperium | Fetch and investigate mobile security alerts, generated based on anomalous or unauthorized activities detected on a user's mobile device. |
| Zoom | Use the Zoom integration manage your Zoom users and meetings |
| Zoom Feed | Use the Zoom Feed integration to get indicators from the feed. |
| Zoom_IAM | An Identity and Access Management integration template. |
| Zscaler Internet Access | Zscaler is a cloud security solution built for performance and flexible scalability. This integration enables you to manage URL and IP address allow lists and block lists, manage and update categories, get Sandbox reports, and manually log in, log out, and activate changes in a Zscaler session. |
Playbooks#
| Abuse Inbox Management Detect & Respond | When combined with ‘SlashNext Abuse Management Protection’, this playbook fully automates the identification and remediation of phishing emails found in Microsoft 365 user inboxes. Using the indicators of compromise, URL, domain, and IP, found in the original email, it searches and remediates other emails containing the same IOCs. |
| Abuse Inbox Management Protection | Analyzes the URLs, domains, and IPs in suspicious emails, reported by end users, and returns a binary verdict [malicious or benign] and forensic information including screenshot of attack page, threat name and type, threat status, and first/last seen date |
| Access Investigation - Generic | This playbook investigates an access incident by gathering user and IP information. The playbook then interacts with the user that triggered the incident to confirm whether or not they initiated the access action. |
| Access Investigation - Generic - NIST | This playbook investigates an access incident by gathering user and IP information, and handling the incident based on the stages in "Handling an incident - Computer Security Incident Handling Guide" by NIST. //nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf Used Sub-playbooks: |
| Access Investigation - QRadar | This playbook uses the QRadar integration to investigate an access incident by gathering user and IP information. The playbook then interacts with the user that triggered the incident to confirm whether or not they initiated the access action. |
| Accessdata: Dump memory for malicious process | Use as a sub-playbook to dump memory if given process is running on legacy AD agent |
| Account Enrichment | Deprecated. Use the "Account Enrichment - Generic v2.1" playbook instead.\ \ Enrich the accounts under the Account context key with details from relevant integrations such as AD. |
| Account Enrichment - Generic | Deprecated. Use "Account Enrichment - Generic v2.1" playbook instead.\ \ Enrich Accounts using one or more integrations |
| Account Enrichment - Generic v2 | Deprecated. Use "Account Enrichment - Generic v2.1" playbook instead.\ \ Enrich accounts using one or more integrations. Supported integrations - - Active Directory |
| Account Enrichment - Generic v2.1 | Enrich accounts using one or more integrations. Supported integrations: - Active Directory - SailPoint IdentityNow - SailPoint IdentityIQ - PingOne - Okta - AWS IAM Also, the playbook supports the generic command 'iam-get-user' [implemented in IAM integrations. For more information, visit //xsoar.pan.dev/docs/integrations/iam-integrations. |
| Acquire And Analyze Host Forensics | This playbook enables gathering forensic data from a host and analyzing the acquired data by using the relevant forensics automations. |
| ACTI Block High Severity Indicators | Deprecated. No available replacement. |
| ACTI Block Indicators from an Incident | Deprecated. No available replacement. |
| ACTI Create Report-Indicator Associations | Deprecated. No available replacement. |
| ACTI Incident Enrichment | This playbook enriches Intelligence Alerts, Intelligence Reports, Malware Families, Threat Actors, Threat Groups & Threat Campaigns |
| ACTI Indicator Enrichment | Deprecated. No available replacement. |
| ACTI Report Enrichment | Deprecated. No available replacement. |
| ACTI Vulnerability Enrichment | Deprecated. No available replacement. |
| Active Directory - Get User Manager Details | Takes an email address or a username of a user account in Active Directory, and returns the email address of the user's manager. |
| Active Directory Investigation | Active Directory Investigation playbook provides tools and guidance to investigate changes and manipulation in Active Directory containers, ACLs, Schema, and objects. This playbook uses a 3rd party tool provided by Microsoft to scan the Active Directory access list, trees, and objects. Additional investigative information is provided for manual investigation. |
| Add Indicator to Miner - Palo Alto MineMeld | Deprecated. Add indicators to the relevant Miner using MineMeld. |
| Add Unknown Indicators To Inventory - RiskIQ Digital Footprint | Adds the unknown indicators or updates/removes the indicators identified as a known asset in the RiskIQ Digital Footprint inventory according to the user inputs for each asset. To select the indicators you want to add, go to playbook inputs, choose "from indicators" and set your query. For example reputation:None etc. The purpose of the playbook is to check if the indicators with the unknown reputation are known assets. The default playbook query is "reputation:None". In case indicators
with different reputations are to be added to the inventory, the query must be edited accordingly. This playbook cannot be run in quiet mode. This playbook needs to be used with caution as it might use up the integration’s API license when running for large amounts of indicators. Supported integration: - RiskIQ Digital Footprint |
| Agari Message Remediation - Agari Phishing Defense | Investigates Agari policy events by obtaining the original message and attachments from the existing email integrations and remediates in Agari. |
| Akamai WAF - Activate Network Lists | Activates network lists in Staging or Production on Akamai WAF. The playbook finishes running when the network list is active on the requested enviorment. |
| Allow IP - Okta Zone | Sync a list of IP addresses to the Okta Network Zone with the given ID. Existing IPs in the Okta Zone which are not in the input list will be removed and the indicator will be untagged in Cortex XSOAR. IDs can be retrieved using !okta-list-zones. This playbook supports CIDR notation only [1.1.1.1/32] and not range notation [1.1.1.1-1.1.1.1] |
| Analyze URL - ReversingLabs TitaniumCloud | Get threat intelligence data for the submitted URL. Required TitaniumCloud API rights: TCA-0403 |
| Anomali Enterprise Forensic Search | Initiates a Forensic Search on IOCs in Anomali Match. |
| Arcanna-Generic-Investigation | Automatically triage alert using Arcanna.Ai Machine Learning capabilities closing or assign incidents to analysts based on ML decision |
| Arcanna-Generic-Investigation-V2-With-Feedback | Alert Triage using Arcanna.Ai Machine Learning capabilities and reinforcement learning by offerring analyst feedback to incidents closed |
| Archer initiate incident | initiate Archer incident |
| Arcsight - Get events related to the Case | Get the Case's Arcsight ResourceID from the FetchID field, or the "ID" label. If neither is there, ask user for the ID. Use the resource ID to get full data for the case, the correlated/aggregate events underneath it, and all base events underneath them. |
| Armis Alert Enrichment | Enrich Armis alerts with the devices in the context details. |
| Armorblox Needs Review | This playbook sends email alerts to admins for Armorblox incidents that need review. |
| Assess Wiz Issues | Example basic Playbook to assess Wiz Issues |
| Assign Active Incidents to Next Shift V2 | This playbook reassigns Active Incidents to the current users on call. It requires shift management to be set up. The playbook can be run as a job a few minutes after the scheduled shift change time. You can update the playbook input with a different search query, if required. Will branch if there are no incidents that match the query and no users on call. Cases will not be assigned to users that defined OOO [by OutOfOffice automation]. |
| ATD - Detonate File | Detonates a File using the McAfee Advanced Threat Defense sandbox. Advanced Threat Defense supports the following File Types: 32-bit Portable Executables [PE]files; 64-bit PE+files exe, sys, dll, com, scr, cpl, ocx, cgi Microsoft Office Suite documents doc,dotm, docx, dotx, xls, ppam, xlsx, pps, xlsb, ppsx, xlsm, ppsm, ppt, ppt, pptx, pptm, rtf, shs, xltm, sldm, xltx, sldx, xlam, thmx, docm, xar Just Systems Ichitaro documents jtd, jtdc Adobe pdf, swf Compressed files gz, 7z, tgz, msi, zip, lzh, cab, lzma, rar Android application package apk, Java, JAR, CLASS, Java Script, Java bin files Image files jpeg, png, gif Other file types cmd, ace, bat, arj, vbs, chm, xml, lnk, url, mof, htm, ocx, html, potm, eml, potx, msg, ps1, vb, reg, vba, wsc, vbe, wsf, vbs, wsh |
| Auto Add Assets - RiskIQ Digital Footprint | This playbook automatically adds the provided asset[s] to the RiskIQ Digital Footprint inventory according to the values provided. Use this playbook as a sub playbook and loop over each asset in the asset list in order to add multiple assets. Supported integration: - RiskIQ Digital Footprint |
| Auto Update Or Remove Assets - RiskIQ Digital Footprint | This playbook automatically updates or removes the provided asset[s] from the RiskIQ Digital Footprint inventory according to the values provided. Use this playbook as a sub playbook and loop over each asset in the asset list in order to update or remove multiple assets. Supported integration: - RiskIQ Digital Footprint |
| Autofocus Query Samples, Sessions and Tags | This playbook is used for querying the PANW threat intelligence Autofocus system. The playbook accepts indicators such as IP's, hashes, domains to run basic queries or mode advanced queries that can leverage several query parameters. In order to run the more advanced queries its recommended to use the Autofocus UI
//autofocus.paloaltonetworks.com/#/dashboard/organization to created a query and than use the export search button. The result can be used as a playbook input. The playbook supports searching both the Samples API and the sessions API. |
| AutoFocusPolling | Use this playbook as a sub-playbook to query PANW Autofocus Threat intelligence system. This sub-playbook is the same as the generic polling sub-playbook besides that it provides outputs in the playbook. The reason for that is that in Autofocus its impossible to query the results of the same query more than once so the outputs have to be in the polling context. This playbook implements polling by continuously running the command in Step #2 until the operation completes. 1. Initiate the operation. |
| AWS IAM - User enrichment | Enrich AWS IAM user information from AWS Identity and Access Management. - List user access keys - Get user information |
| AWS IAM User Access Investigation | Investigate and respond to Cortex XSIAM alerts where an AWS IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS environments. - Penetration testing tool attempt - Penetration testing tool activity - Suspicious API call from a Tor exit node This is a beta playbook, which lets you implement and test pre-release software. Although AWS is supported, we are working towards multi-cloud support. As the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We encourage feedback on the quality and usability of the content to help us identify and fix issues, so we can continually improve the content. |
| AWS IAM User Access Investigation - Remediation | Respond to Cortex XDR Cloud alerts where an AWS IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS environments. - Penetration testing tool attempt - Penetration testing tool activity - Suspicious API call from a Tor exit node This is a beta playbook, which lets you implement and test pre-release software. Although AWS is supported, we are working towards multi-cloud support. As the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We encourage your feedback on the quality and usability of the content to help us identify and fix issues, so we can continually improve the content. |
| Azure Log Analytics - Query From Saved Search | Executes a query from a saved search in Azure Log Analytics. |
| Block Account - Generic | This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: |
| Block Account - Generic v2 | This playbook blocks malicious usernames using all integrations that you have enabled. Supported integrations for this playbook: |
| Block Domain - Cisco Stealthwatch | This playbook blocks domains using Cisco Stealthwatch. The playbook checks whether the Cisco Stealthwatch integration is enabled, whether the Domain input has been provided and if so, blocks the domain. |
| Block Domain - FireEye Email Security | This playbook blocks domains using FireEye Email Security. The playbook checks whether the FireEye Email Security integration is enabled, whether the Domain input has been provided and if so, blocks the domain. |
| Block Domain - Generic | This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook: |
| Block Domain - Generic v2 | This playbook blocks malicious Domains using all integrations that are enabled. Supported integrations for this playbook: |
| Block Domain - Proofpoint Threat Response | This playbook blocks domains using Proofpoint Threat Response. The playbook checks whether the Proofpoint Threat Response integration is enabled, whether the Domain input has been provided and if so, blocks the domain. |
| Block Domain - Symantec Messaging Gateway | This playbook blocks domains using Symantec Messaging Gateway. The playbook checks whether the Symantec Messaging Gateway integration is enabled, whether the Domain input has been provided and if so, blocks the domain. |
| Block Domain - Trend Micro Apex One | This playbook blocks domains using Trend Micro Apex One. The playbook checks whether the Trend Micro Apex One integration is enabled, whether the Domain input has been provided and if so, blocks the domain. |
| Block Domain - Zscaler | This playbook blocks domains using Zscaler. The playbook checks whether the Zscaler integration is enabled, whether the Domain input has been provided and if so, blocks the domain. |
| Block Email - Generic | This playbook will block emails at your mail relay integration. |
| Block Email - Generic v2 | This playbook will block emails at your mail relay integration. Supported integrations for this playbook: |
| Block Endpoint - Carbon Black Response | Carbon Black Response - isolate an endpoint, given a hostname. |
| Block File - Carbon Black Response | This playbook receives an MD5 hash and adds it to the block list in Carbon Black Enterprise Response. Files with that MD5 hash are blocked from execution on the managed endpoints. If the integration is disabled at the time of running, or if the hash is already on the block list, no action is taken on the MD5. |
| Block File - Cybereason | This playbook accepts an MD5 hash and blocks the file using the Cybereason integration. |
| Block File - Cylance Protect v2 | This playbook accepts a SHA256 hash and adds the hash to the Global Quarantine list using the Cylance Protect v2 integration. |
| Block File - Generic | Deprecated. Use "Block File - Generic v2" playbook instead. A generic playbook for blocking files from running on endpoints. This playbook currently supports Carbon Black Enterprise Response. |
| Block File - Generic v2 | This playbook is used to block files from running on endpoints. This playbook supports the following integrations: - Palo Alto Networks Traps - Palo Alto Networks Cortex XDR - Cybereason - Carbon Black Enterprise Response - Cylance Protect v2 |
| Block Indicators - Generic | Deprecated. We recommend using the 'Block Indicators - Generic v2' playbook instead. This playbook blocks malicious indicators using all integrations that are enabled. Supported integrations for this playbook: |
| Block Indicators - Generic v2 | This playbook blocks malicious Indicators using all integrations that are enabled, using the following sub-playbooks: - Block URL - Generic |
| Block Indicators - Generic v3 | This playbook blocks malicious Indicators using all integrations that are enabled, using the following sub-playbooks: - Block URL - Generic |
| Block IOCs from CSV - External Dynamic List | Deprecated. Use Generic Export Indicators Service instead. |
| Block IP - Generic | Deprecated. Use "Block IP - Generic v2" playbook instead. This playbook blocks malicious IPs using all integrations that you have enabled. Supported integrations for this playbook: |
| Block IP - Generic v2 | This playbook blocks malicious IPs using all integrations that are enabled. Supported integrations for this playbook: |
| Block IP - Generic v3 | This playbook blocks malicious IP addresses using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user [and set by default to outgoing] Note the following: - some of those integrations require specific parameters to run, which are based on the playbook inputs. Also, certain integrations use FW rules or appended network objects. - Note that the appended network objects should be specified in blocking rules inside the system later on. Supported integrations for this playbook [Network security products such as FW/WAF/IPs/etc.]: Check Point Firewall |
| Block URL - Generic | This playbook blocks malicious URLs using all integrations that are enabled. Supported integrations for this playbook: |
| Block URL - Generic v2 | This playbook blocks malicious URLs using all integrations that are enabled. Supported integrations for this playbook: |
| Bonusly - AutoGratitude | AutoGratitude is a playbook to give back a positive gratitude to security engineers and developers when they successfully complete an SLA |
| BreachRx - Create Incident and get Active Tasks | This Playbook creates a privacy Incident on the BreachRx platform, and pulls in all tasks from that created privacy Incident into the Cortex XSOAR Incident. |
| Brute Force Investigation - Generic | This playbook investigates a "Brute Force" incident by gathering user and IP information, calculating the incident severity based on the gathered information and information received from the user, and performs remediation. The playbook handles the following use-cases: Brute Force IP Detected - A detection of source IPs that are exceeding a high threshold of rejected and/or invalid logins. Used Sub-playbooks: |
| Brute Force Investigation - Generic - SANS | This playbook investigates a "Brute Force" incident by gathering user and IP information, and calculating the incident severity based on the gathered information and information received from the user. It then performs remediation. This is done based on the phases for handling an incident as they are described in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral. //www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 The playbook handles the following use-cases: Brute Force IP Detected - A detection of source IPs that are exceeding a high threshold of rejected and/or invalid logins. Used Sub-playbooks: ***Disclaimer: This playbook does not ensure compliance to SANS regulations. |
| Bulk Export Devices to ServiceNow - PANW IoT 3rd Party Integration | This playbook gets all available devices from PANW IoT Cloud and updates/creates endpoints with custom attributes in ServiceNow. |
| Bulk Export to Cisco ISE - PANW IoT 3rd Party Integration | This playbook gets all available device inventory from PANW IoT Cloud and updates/create endpoints with custom attributes on Cisco ISE. |
| Bulk Export to SIEM - PANW IoT 3rd Party Integration | This playbook gets all available assets [ alerts, vulnerabilities and devices] and send then to configured PANW third-party integration SIEM server. |
| C2SEC-Domain Scan | Launches a C2sec scan by domain name and waits for the scan to finish by polling its status in pre-defined intervals. |
| Calculate Severity - 3rd-party integrations | Calculates the incident severity level according to the methodology of a 3rd-party integration. |
| Calculate Severity - Critical assets | Deprecated. Use Calculate Severity - Critical Assets v2 playbook instead. Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of \"Critical\" if a critical asset is associated with the investigation.\n\nThis playbook verifies if a user account or an endpoint is part of a critical list or a critical AD group. |
| Calculate Severity - Critical Assets v2 | Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation. Critical assets refer to: users, user groups, endpoints and endpoint groups. |
| Calculate Severity - Generic | Deprecated. Use "Calculate Severity - Generic v2" playbook instead. Calculates and assign the incident severity based on the highest returned severity level from the following severity calculations: Indicators DBotScore - Calculates the incident severity level according to the highest indicator DBotScore. NOTE: the new severity level overwrites the previous severity level even if the previous severity level was more severe. |
| Calculate Severity - Generic v2 | Calculate and assign the incident severity based on the highest returned severity level from the following calculations: - DBotScores of indicators |
| Calculate Severity - GreyNoise | Calculate and assign the incident severity based on the highest returned severity level from the following calculations: - DBotScores of indicators |
| Calculate Severity - Indicators DBotScore | Calculates the incident severity level according to the highest indicator DBotScore. |
| Calculate Severity - Standard | Calculates and sets the incident severity based on the combination of the current incident severity, and the severity returned from the Evaluate Severity - Set By Highest DBotScore playbook. |
| Calculate Severity By Email Authenticity | Calculates a severity according to the verdict coming from the CheckEmailAuthenticity script. |
| Calculate Severity By Highest DBotScore | Calculates the incident severity level according to the highest indicator DBotScore. |
| Calculate Severity Highest DBotScore For Egress Network Traffic - GreyNoise | Playbook to calculate the severity based on GreyNoise |
| Calculate Severity Highest DBotScore For Ingress Network Traffic - GreyNoise | Playbook to calculate the severity based on GreyNoise |
| Caldera Operation | This playbook is used to create a new Operation in Mitre Caldera. |
| California - Breach Notification | This playbook helps an analyst determine if the breached data meets the criteria for breach notification according to California law, and, if necessary, follows through with the notification procedures. DISCLAIMER: Please consult with your legal team before implementing this playbook. Source: //leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.82. |
| Carbon Black EDR Search Process | Use this playbook to search processes in Carbon Black Enterprise EDR. This playbook implements polling by continuously running the `cb-eedr-process-search-results` command until the operation completes. |
| Carbon black Protection Rapid IOC Hunting | Hunt for endpoint activity involving hash and domain IOCs, using Carbon black Protection [Bit9]. |
| Carbon Black Rapid IOC Hunting | Deprecated. Use "Search Endpoints By Hash - Carbon Black Response V2" playbook instead. Hunt for malicious indicators using Carbon Black |
| Carbon Black Response - Unisolate Endpoint | This playbook unisolates sensors according to the sensor ID that is provided in the playbook input. |
| Case Management - Generic | This playbook executes when no other playbook is associated with an incident. It enriches indicators in an incident using one or more integrations. |
| Case Management - Generic - Set SLAs based on Severity | Sets the SLAs for Incidents, the Time to Assignment Timer, and the Remediation SLA Timer based on the Incident Severity. |
| Case Management - Generic v2 | This playbook will extract and enrich indicators upon trigger, calculate Severity, and set SLAs and Timers. Can be used as a default playbook to ingest new Incidents, or for manually created Incidents. |
| Change Management | If you are using PAN-OS/Panorama firewall and Jira or ServiceNow as a ticketing system this playbook is a perfect match for your change management for Firewall process. This playbook can be triggered by 2 different options - a fetch from ServiceNow or Jira - and will help you manage and automate your change management process. |
| Check For Content Installation | This playbook checks for content updates. |
| Check Indicators For Unknown Assets - RiskIQ Digital Footprint | This playbook receives indicators from its parent playbook and checks if the indicator is an unknown or a known asset in the RiskIQ Digital Footprint inventory and gives out a list of the unknown as well as known assets. This playbook cannot be run in quiet mode. This playbook needs to be used with caution as it might use up the integration’s API license when running for large amounts of indicators. Supported integration: - RiskIQ Digital Footprint |
| Check IP Address For Whitelisting - RiskIQ Digital Footprint | Checks if the provided IP Address should be added to allow list and excluded or not. Use this playbook as a sub-playbook to loop over multiple IP Addresses to check if they should be added to allow list and excluded. |
| Checkpoint - Block IP - Append Group | The playbook receives malicious IP addresses as inputs, checks if the object group exists [if not, the object group is created], and appends the related IPs to that object. If you have not assigned the appended group to a rule in your firewall policy, you can use `rule_name` and the playbook creates a new rule. |
| Checkpoint - Block IP - Custom Block Rule | This playbook blocks IP addresses using Custom Block Rules in Check Point Firewall. The playbook receives malicious IP addresses as inputs, creates a custom bi-directional rule to block them, and publishes the configuration. |
| Checkpoint - Block URL | This playbook blocks URLs using Check Point Firewall through Custom URL Categories. The playbook checks whether the input URL category already exists, and if the URLs are a part of this category. Otherwise, it creates the category, blocks the URLs, and publishes the configuration. |
| Checkpoint - Publish&Install configuration | Publish the Check Point Firewall configuration and install policy on all available gateways. |
| Checkpoint Firewall Configuration Backup Playbook | Deprecated. Triggers a backup task on each firewall appliance and pulls the resulting file into the war room via SCP. |
| ChronicleAsset Investigation - Chronicle | This playbook receives indicators from its parent playbook, performs enrichment and investigation for each one of them, provides an opportunity to isolate and block the hostname or IP address associated with the current indicator, and gives out a list of isolated and blocked entities. This playbook also lists the events fetched for the asset identifier information associated with the indicator. |
| ChronicleAssets Investigation And Remediation - Chronicle | Performs enrichment and investigation of the ChronicleAsset type of indicators, provides an opportunity to remediate in case any of the ChronicleAsset information i.e., hostname or IP address is found to be malicious or suspicious, and sends out an email containing the list of isolated and potentially blocked entities. To select the indicators you want to add, go to playbook inputs, choose "from indicators" and set your query. For example, type:ChronicleAsset etc. The default playbook query is "type:ChronicleAsset". In case indicators with different query parameters are to be investigated, the query must be edited accordingly. This playbook needs to be used with caution as it might use up the integration’s API license when running large amounts of indicators. |
| CimTrak - Example - Analyze Intrusion | Example to analyze intrusion |
| CimTrak - Example - Scan Compliance By IP | Example on how to run a compliance scan for an agent based on IP address |
| Cisco FirePower- Append network group object | This playbook will append a network group object with new elements [IPs or network objects]. |
| Claroty Incident | |
| Claroty Manage Asset CVEs | |
| Cloud IDS-IP Blacklist-GCP Firewall_Append | Set a list of IP addresses in GCP firewall. |
| Cloud IDS-IP Blacklist-GCP Firewall_Combine | Set a list of IP addresses in GCP firewall. |
| Cloud IDS-IP Blacklist-GCP Firewall_Extract | Get Source IP |
| CloudConvert - Convert File | Use this playbook to convert a file to the required format using CloudConvert. |
| Cluster Report Categorization - Cofense Triage v3 | Cluster Report Categorization playbook is used to retrieve the reports of specific clusters and perform the categorization of reports. |
| Code42 Add Departing Employee From Ticketing System | Parses a Ticket Summary containing a username='username' and optionally a departure='date' and adds the user to the Code42 Departing Employee list. This playbook uses Jira out-of-the-box, but you can swap it with a different Ticketing system and achieve the same result. For example, to use Zendesk, change the command `jira-get-issue` to be `zendesk-ticket-details` and use the `id` parameter for `issueId`. Change the output [what gets parsed] to be either the Subject or the Description from Zendesk. |
| Code42 Copy File To Ticketing System | Downloads a file from Code42 and attaches it to a ticketing system. This playbook uses Jira out-of-the-box, but you can swap it with a different Ticketing system and achieve the same result. For example, to use ServiceNow, change the command `jira-issue-upload-file` to be `servicenow-upload-file` and use the `id` parameter for `issueId` and `file_id` for `entryId`. |
| Code42 Exfiltration Playbook | The Code42 Exfiltration playbook acts on Code42 Security Alerts, retrieves file event data, and allows security teams to remediate file exfiltration events by revoking access rights to cloud files or containing endpoints. |
| Code42 File Download | This playbook downloads a file via Code42 by either MD5 or SHA256 hash. |
| Code42 File Search | This playbook searches for files via Code42 security events by either MD5 or SHA256 hash. The data is output to the Code42.SecurityData context for use. |
| Code42 Suspicious Activity Action | Take corrective actions against a Code42 user found to be exposing file data. |
| Code42 Suspicious Activity Review | Detects suspicious activities of a user and allows a recipient to assess the results. Afterward, the playbook takes action on the user such as adding them to legal hold. |
| Codecov Breach - Bash Uploader | This playbook includes the following tasks: - Search for the Security Notice email sent from Codecov. - Collect indicators to be used in your threat hunting process. - Query network logs to detect related activity. - Search for the use of Codecov bash uploader in GitHub repositories - Query Panorama to search for logs with related anti-spyware signatures - Data Exfiltration Traffic Detection - Malicious Modified Shell Script Detection Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: |
| Command-Line Analysis | This playbook takes the command line from the alert and performs the following actions: - Checks for base64 string and decodes if exists - Extracts and enriches indicators from the command line - Checks specific arguments for malicious usage At the end of the playbook, it sets a possible verdict for the command line, based on the finding: |
| Compromised Credentials Match - Flashpoint | Compromised Credentials Match playbook uses the details of the compromised credentials ingested from the Flashpoint and authenticates using the Active Directory integration by providing the compromised credentials of the user, expires the credentials if it matches, and sends an email alert about the breach. Supported integrations: - Flashpoint - OpenLDAP - Active Directory Query v2 |
| Configuration Setup | Playbook for the configuration incident type. |
| Containment Plan | This playbook handles all the containment actions available with Cortex XSIAM, including: Isolate endpoint Disable account Quarantine file Block indicators * Clear user session [currently, the playbook supports only Okta] Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. |
| Content Update Check | Deprecated. Use "Content Update Manager" playbook instead. This playbook will check to see if there are any content updates available for installed packs and notify users via e-mail or Slack. |
| Content Update Manager | This playbook checks for any available content updates for selected installed content packs and notifies users via e-mail or Slack. It also contains an auto-update flow that lets users decide via playbook inputs or communication tasks if they want to trigger an auto-update process to install all updates that were found. This playbook can be used as a Cortex XSOAR job to help users track marketplace pack updates and install them regularly. |
| Context Polling - Generic | This playbook polls a context key to check if a specific value exists. |
| Continuously Process Survey Responses | Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the playbook to help us identify issues, fix them, and continually improve. Continuously processes new questionnaire responses as they are received. |
| Convert file hash to corresponding hashes | The playbook enables you to get all of the corresponding file hashes for a file even if there is only one hash type available. For example, if we have only the SHA256 hash, the playbook will get the SHA1 and MD5 hashes as long as the original searched hash is recognized by any our the threat intelligence integrations. |
| Cortex ASM - ASM Alert | This playbook aims to provide enrichment of ASM alerts by searching for mentions of associated IP addresses within other security and IT tools. |
| Cortex ASM - CMDB Enrichment | This playbook will look up a CI in ServiceNow CMDB by IP. |
| Cortex ASM - Extract IP Indicator | Identifies IPv4 Address associated with Alert and creates a new Indicator. |
| Cortex ASM - Vulnerability Management Enrichment | This playbook will look up an IP address in Tenable.io or Rapid7 InsightVM. |
| Cortex XDR - AWS IAM user access investigation | Investigate and respond to Cortex XDR Cloud alerts where an AWS IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS environments. - Penetration testing tool attempt - Penetration testing tool activity - Suspicious API call from a Tor exit node This is a beta playbook, which lets you implement and test pre-release software. At the moment we support AWS but are working towards multi-cloud support. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the content to help us identify issues, fix them, and continually improve. |
| Cortex XDR - Block File | Use this playbook to add files to Cortex XDR block list with a given file SHA256 playbook input. |
| Cortex XDR - Check Action Status | Checks the action status of an action ID. \nEnter the action ID of the action whose status you want to know. |
| Cortex XDR - check file existence | Initiates a new endpoint script execution to check if the file exists and retrieve the results. |
| Cortex XDR - delete file | Initiates a new endpoint script execution to delete the specified file and retrieve the results. |
| Cortex XDR - Endpoint Investigation | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles all the endpoint investigation actions available with Cortex XSOAR, including the following tasks: Pre-defined MITRE Tactics Host fields [Host ID] Attacker fields [Attacker IP, External host] MITRE techniques * File hash [currently, the playbook supports only SHA256] Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details. |
| Cortex XDR - Execute commands | Initiates a new script execution of shell commands. |
| Cortex XDR - Execute snippet code script | Initiates a new endpoint script execution action using the provided snippet code and retrieves the file results. |
| Cortex XDR - False Positive Incident Handling | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles false-positive incident closures for Cortex XDR - Malware investigation. |
| Cortex XDR - Get File Path from alerts by hash | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook assists in retrieving file paths from the Cortex XDR incident by hash. |
| Cortex XDR - Isolate Endpoint | This playbook accepts an XDR endpoint ID and isolates it using the 'Palo Alto Networks Cortex XDR - Investigation and Response' integration. |
| Cortex XDR - kill process | Initiates a new endpoint script execution kill process and retrieves the results. |
| Cortex XDR - Malware Investigation | Investigates a Cortex XDR incident containing internal malware alerts. The playbook: - Enriches the infected endpoint details. - Lets the analyst manually retrieve the malicious file. - Performs file detonation. The playbook is used as a sub- playbook in ‘Cortex XDR Incident Handling - v2’ |
| Cortex XDR - Port Scan | Investigates a Cortex XDR incident containing internal port scan alerts. The playbook: - Syncs data with Cortex XDR - Enriches the hostname and IP address of the attacking endpoint - Notifies management about host compromise - Escalates the incident in case of lateral movement alert detection - Hunts malware associated with the alerts across the organization - Blocks detected malware associated with the incident - Blocks IPs associated with the malware - Isolates the attacking endpoint - Allows manual blocking of ports that were used for host login following the port scan |
| Cortex XDR - Port Scan - Adjusted | Investigates a Cortex XDR incident containing internal port scan alerts. The playbook: - Syncs data with Cortex XDR. - Notifies management about a compromised host. - Escalates the incident in case of lateral movement alert detection. The playbook is designed to run as a sub-playbook in 'Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling'. |
| Cortex XDR - PrintNightmare Detection and Response | The playbook targets specific PrintNightmare rules written by Cortex XDR for both vulnerabilities: CVE-2021-1675 LPE CVE-2021-34527 RCE This playbook includes the following tasks: ** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. |
| Cortex XDR - quarantine file | |
| Cortex XDR - Retrieve File by sha256 | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook is a sub-playbook for the Cortex XDR malware investigation flow. In this playbook, we retrieve multiple files from the investigated device [using the Device ID incident field], based on their SHA256 hash. |
| Cortex XDR - Retrieve File Playbook | Retrieves files from selected endpoints. You can retrieve up to 20 files, from no more than 10 endpoints. Inputs for this playbook are: - A comma-separated list of endpoint IDs. - A comma-separated list of file paths for your operating system, either Windows, Linux, or Mac. At least one file path is required. |
| Cortex XDR - Run script | Initiates a new endpoint script execution action using a provided script unique id from Cortex XDR script library. |
| Cortex XDR - True Positive Incident Handling | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a true-positive incident closure for Cortex XDR - Malware Investigation. |
| Cortex XDR - Unisolate Endpoint | This playbook unisolates endpoints according to the endpoint ID that is provided in the playbook input. |
| Cortex XDR Alerts Handling | This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories: - Malware - Port Scan |
| Cortex XDR device control violations | Queries Cortex XDR for device control violations for the specified hosts, IP address, or XDR endpoint ID. It then communicates via email with the involved users to understand the nature of the incident and if the user connected the device. All the collected data will be displayed in the XDR device control incident layout. This playbook can also be associated with Cortex XDR device control violation job to periodically query and investigate XDR device control violations. In this configuration, the playbook will only communicate with the involved users. |
| Cortex XDR disconnected endpoints | A Job to periodically query disconnected Cortex XDR endpoints with a provided last seen time range playbook input. The Collected data, if found will be generated to a CSV report, including a detailed list of the disconnected endpoints. The report will be sent to the recipient's provided email addresses in the playbook input. The playbook includes an incident type with a dedicated layout to visualize the collected data. To set the job correctly, you will need to. 1. Create a new recurring job. 2. Set the recurring schedule. 3. Add a name. 4. Set type to Cortex XDR disconnected endpoints. 5. Set this playbook as the job playbook. //xsoar.pan.dev/docs/incidents/incident-jobs The scheduled run time and the timestamp relative date should be identical, |
| Cortex XDR Incident Handling | This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident. It enriches indicators using Threat Intelligence integrations and Palo Alto Networks AutoFocus. The incident's severity is then updated based on the indicators reputation and an analyst is assigned for manual investigation. If chosen, automated remediation with Palo Alto Networks FireWall is initiated. After a manual review by the SOC analyst, the XDR incident is closed automatically. *** Note - The XDRSyncScript used by this playbook sets data in the XDR incident fields that were released to content from the Demisto server version 5.0.0. |
| Cortex XDR incident handling v2 | This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident and triggers a sub-playbook to handle each alert by type. Then, the playbook performs enrichment on the incident's indicators and hunting for related IOCs. Based on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive. After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation. |
| Cortex XDR incident handling v3 | This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident and triggers a sub-playbook to handle each alert by type. Then, the playbook performs enrichment on the incident’s indicators and hunts for related IOCs. Based on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive. After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation. For performing the bidirectional sync, the playbook uses the incoming and outgoing mirroring feature added in XSOAR version 6.0.0. After the Calculate Severity - Generic v2 sub-playbook’s run, Cortex XSOAR will be treated as the single source of truth for the severity field, and it will sync only from Cortex XSOAR to XDR, so manual changes for the severity field in XDR will not update in the XSOAR incident. |
| Cortex XDR Incident Sync | Compares incidents in Palo Alto Networks Cortex XDR and Cortex XSOAR, and updates the incidents appropriately. When an incident is updated in Cortex XSOAR, the XDRSyncScript will update the incident in XDR. When an incident is updated in XDR, the XDRSyncScript will update the incident fields in Cortex XSOAR and rerun the current playbook. Do not use this playbook when enabling the incident mirroring feature added in XSOAR version 6.0.0. |
| Cortex XDR Malware - Incident Enrichment | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enriches the Cortex XDR incident. The enrichment is done on the involved endpoint and Mitre technique ID information, and sets the 'Malware-Investigation and Response' layout. |
| Cortex XDR Malware - Investigation And Response | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook investigates Cortex XDR malware incidents. It uses:\n\n - Cortex XDR insights \n - Command Line Analysis \n - Dedup \n - Sandbox hash search and detonation \n - Cortex XDR enrichment \n - Incident Handling [True/False Positive] |
| Courses of Action - Collection | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action [COA] defined by Palo Alto Networks Unit 42 team. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations [ATOMs]. Techniques Handled: - T1005 - Data from Local System - Kill Chain phase: - Collection MITRE ATT&CK Description: The adversary is attempting to gather data of interest to accomplish their goal. Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives. Frequently, the next goal after collecting data is to steal [exfiltrate] the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Command and Control | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action [COA] defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase [tactic] according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations [ATOMs]. Tactic: - TA0011: command and control MITRE ATT&CK Description: The adversary is trying to communicate with compromised systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Credential Access | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action [COA] defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase [tactic] according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations [ATOMs]. Tactic: - TA0006: Credential Access MITRE ATT&CK Description: The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Defense Evasion | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action [COA] defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase [tactic] according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations [ATOMs]. Tactic: - TA0005: Defense Evasion MITRE ATT&CK Description: The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Discovery | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action [COA] defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase [tactic] according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations [ATOMs]. Tactic: - TA0007: Discovery MITRE ATT&CK Description: The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Execution | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action [COA] defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase [tactic] according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations [ATOMs]. Tactic: - TA0002: Execution MITRE ATT&CK Description: The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Exfiltration | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action [COA] defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase [tactic] according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations [ATOMs]. Tactic: - TA0010: Exfiltration MITRE ATT&CK Description: The adversary is trying to steal data. Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Impact | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action [COA] defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase [tactic] according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations [ATOMs]. Tactic: - TA0040: Impact MITRE ATT&CK Description: The adversary is trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Initial Access | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action [COA] defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase [tactic] according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations [ATOMs]. Tactic: - TA0001: Initial Access MITRE ATT&CK Description: The adversary is trying to get into your network. Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Lateral Movement | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action [COA] defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase [tactic] according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations [ATOMs]. Tactic: - TA0008: Lateral Movement MITRE ATT&CK Description: The adversary is trying to move through your environment. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Persistence | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action [COA] defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase [tactic] according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations [ATOMs]. Tactic: - TA0003: Persistence MITRE ATT&CK Description: The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Courses of Action - Privilege Escalation | This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action [COA] defined by Palo Alto Networks Unit 42 team. It utilizes each of the sub-playbooks for specific techniques that belong to this phase [tactic] according to the MITRE ATT&CK kill chain. The sub-playbook called depends on the technique input. ***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations [ATOMs]. Tactic: - TA0004: Privilege Escalation MITRE ATT&CK Description: The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: • SYSTEM/root level• local administrator• user account with admin-like access • user accounts with access to specific system or perform specific functionThese techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. Possible playbook triggers: - The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase. - The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input. |
| Create Jira Issue | Create Jira issue allows you to open new issues. When creating the issue, you can decide to update based on on the issue's state, which will wait for the issue to resolve or close with StatePolling. Alternatively, you can select to mirror the Jira issue and incident fields. To apply either of these options, set the SyncTicket value in the playbook inputs to one of the following options: 1. StatePolling 2. Mirror 3. Leave Blank to use none When creating Jira issues through XSOAR, using the mirroring function, make sure that you exclude those issues when fetching incidents. To exclude these issues, tag the relevant issues with a dedicated label and exclude that label from the JQL query [Labels!=]. |
| Create Jira Ticket - XM Cyber | XM Cyber generates a Jira ticket based on the trend in the Security Score |
| Create ServiceNow Ticket | Create ServiceNow Ticket allows you to open new tickets as a task from a parent playbook. When creating the ticket, you can decide to update based on on the ticket's state, which will wait for the ticket to resolve or close with StatePolling. Alternatively, you can select to mirror the ServiceNow ticket and incident fields. To apply either of these options, set the SyncTicket value in the playbook inputs to one of the following options: 1. StatePolling 2. Mirror 3. Leave Blank to use none. |
| CrowdStrike Endpoint Enrichment | Deprecated. Use CrowdStrike Falcon instead. |
| CrowdStrike Falcon - False Positive Incident Handling | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike incident that was determined to be a false positive by the analyst. Actions include unisolating the host, allowing the indicator by the EDR, and tagging it. |
| CrowdStrike Falcon - Get Detections by Incident | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enables getting CrowdStrike Falcon detection details based on the CrowdStrike incident ID. |
| CrowdStrike Falcon - Get Endpoint Forensics Data | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook extracts data from the host using RTR commands. For example, commands for getting a list of running processes and network connections. |
| Crowdstrike Falcon - Isolate Endpoint | This playbook will auto isolate endpoints by the device ID that was provided in the playbook. |
| CrowdStrike Falcon - Retrieve File | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook retrieves and unzips files from CrowdStrike Falcon and returns a list of the files that were and were not retrieved. |
| CrowdStrike Falcon - Search Endpoints By Hash | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook searches across the organization for other endpoints associated with a specific SHA256 hash. |
| CrowdStrike Falcon - SIEM ingestion Get Incident Data | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles incident ingestion from a SIEM. The user provides the field for the incident ID or detection ID and the field indicating whether the ingested item is an incident or detection. This playbook enables changing the severity scale in Cortex XSOAR as well as fetching CrowdStrike detections based on the CrowdStrike incident type. |
| CrowdStrike Falcon - True Positive Incident Handling | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike incident that was determined to be a true positive by the analyst. Actions include isolating the host, blocking the indicator by the EDR, and tagging it. |
| Crowdstrike Falcon - Unisolate Endpoint | This playbook unisolates devices according to the device ID that is provided in the playbook input. |
| CrowdStrike Falcon Malware - Incident Enrichment | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enables enriching CrowdStrike Falcon incidents by pivoting to their detections as well as mapping all the relevant data to the Cortex XSOAR incident fields. |
| CrowdStrike Falcon Malware - Investigation and Response | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike Falcon malware investigation, including: - Extracting and displaying MITRE data from the EDR and sandboxes - Deduplicating similar incidents - Searching for hashes in an alert in a sandbox to provide their relevant information. If the hashes are not found, retrieving them from the endpoint and detonating them in the sandbox. - Verifying the actions taken by the EDR - Analyzing the command line - Searching for relevant hashes in additional hosts in the organization - Retrieving data about the host, including process list and network connections - Performing containment and mitigation actions as part of handling false/true positives - Setting the relevant layouts |
| CrowdStrike Falcon Malware - Verify Containment Actions | This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to //xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook verifies and sets the policy actions applied by CrowdStrike Falcon. |
| CrowdStrike Falcon Sandbox - Detonate file | Deprecated. Use the cs-falcon-sandbox-submit-file command with polling=true instead. |
| CrowdStrike Rapid IOC Hunting | Deprecated. Use "CrowdStrike Rapid IOC Hunting v2" playbook instead. Hunt for endpoint activity involving hash and domain IOCs, using Crowdstrike Falcon Host.\nAlso use AnalystEmail label to determine where to send an email alert if something is found. |
| CrowdStrike Rapid IOC Hunting v2 | Deprecated. Use CrowdStrike Falcon instead. |
| CVE Enrichment - Generic | Deprecated. Use "CVE Enrichment - Generic v2" playbook instead. Enrich CVE using one or more integrations. |
| CVE Enrichment - Generic v2 | This playbook performs CVE Enrichment using the following integrations: - VulnDB - CVE Search - IBM X-Force Exchange |
| CVE Exposure - RiskSense | Block IPs and apply the tag to assets that are vulnerable to the specified CVE. |
| CVE-2021-22893 - Pulse Connect Secure RCE | On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed. The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0. This playbook should be trigger manually and includes the following tasks: Enrich related known CVEs and Malware Hashes used by the suspected APT actor. Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: |
| CVE-2021-34527 | CVE-2021-1675 - PrintNightmare | The playbook can be triggered manually or automatically by setting up a reoccurring job. Microsoft has released a security update in June 2021 Patch Tuesday for CVE-2021-1675, a Local Privilege Escalation vulnerability in the Print Spooler Service. Later that month, researchers found another method to exploit the Print Spooler service remotely, which raised the severity of the vulnerability due to the fact that the new method allows Remote Code Execution, a new ID was given to the critical vulnerability - CVE-2021-34527. Microsoft patched the vulnerability in June but an exploit POC and complete technical analysis were made publicly available online. Update 7.8.2021 - Microsoft has released an emergency patch for the PrintNightmare. A reference for the patch can be found in "Install Microsoft spooler service patches" task. This playbook includes the following tasks: More details on the vulnerabilities: |
| CVE-2021-40444 - MSHTML RCE | CVE-2021-4044 refers to the MSHTML engine, that has been found vulnerable to arbitrary code execution by a specially crafted Microsoft Office document or rich text format file. Mitigations: Researchers have validated this attack triggered in Windows Explorer with “Preview Mode” enabled, even in just a rich-text format RTF file [not an Office file and without ActiveX]. This indicates it can be exploited even without opening the file and this invalidates Microsoft’s workaround mitigation mentioned above. This playbook should be trigger manually and includes the following tasks: Collect related known indicators from several sources. More information: Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. |
| CVE-2021-44228 - Log4j RCE | Critical RCE Vulnerability: log4j - CVE-2021-44228 On Dec. 9, 2021, a remote code execution [RCE] vulnerability in Apache log4j 2 was identified being exploited in the wild. Public proof of concept [PoC] code was released and subsequent investigation revealed that exploitation was incredibly easy to perform. On Dec. 14 2021, another vulnerability was discovered related the log4j 0-day exploit known as CVE-2021-45046. On Dec 18 2021, yet another vulnerability was discovered related the log4j 0-day exploit known as CVE-2021-45105 that allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. On Dec 28 2021, another RCE vulnerability was published for Apache Log4j2, versions 2.0-beta7 through 2.17.0 [excluding security fix releases 2.3.2 and 2.12.4]. Affected Version Apache Log4j 2.x Advanced -> Lists]. Note: Sending emails require an active Mail Sender integration instance. |
| CreateFileFromPathObject | This automation is being executed by the "GetFilePathPreProcessing" pre-processing script that collects the paths and names of attachments of an incoming incident, then passes it to this automation that reads the files and creates them in an existing incident |
| CreateHash | Creating a hash of a given input, support sha1, sha256, sha512, md5 and blake. Wrapper for //docs.python.org/3/library/hashlib.html. |
| CreateHashIndicatorWrapper | This is a wrapper to allow or block hash lists from Cortex XDR, MSDE or CrowdStrike. |
| CreateIndicatorsFromSTIX | Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.0. |
| CreatePlbkDoc | Purpose: This automation will produce docx file detailing the tasks in the given playbook. It can produce a table or paragraph format of the report. Author: Mahmood Azmat Input1: Name of the playbook [Mandatory] Requirements: This automation requires "Demisto REST API" integration enabled and connected to the XSOAR itself. Automation uses it to read the objects of the playbook. |
| CrowdStrikeApiModule | Common CrowdStrike code that will be appended to each CrowdStrike integration when it is deployed to enable oauth2 authentication automatically. |
| CrowdStrikeStreamingPreProcessing | Pre processing script for CrowdStrike Streaming, will not duplicate incidents[detection events] that have same Host. Will add entry to duplicate[older] incident notifying a duplicate incident was ignored. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| CrowdStrikeUrlParse | Deprecated. Use CrowdStrike Falcon instead. |
| CryptoCurrenciesFormat | Verifies that a crypto address is valid and only returns the address if it is valid. |
| CSVFeedApiModule | Common code that will be appended into each CSV feed integration when it's deployed |
| CuckooDetonateFile | Deprecated. Use the 'cuckoo-create-task-from-file' command instead. |
| CuckooDetonateURL | Deprecated. Use 'cuckoo-create-task-from-url' instead. |
| CuckooDisplayReport | Display the contents of a Cuckoo report file from a war room entry. |
| CuckooGetReport | Deprecated. Use the 'cuckoo-get-task-report' command instead. |
| CuckooGetScreenshot | Deprecated. Use 'cuckoo-task-screenshot' command instead. |
| CuckooTaskStatus | Deprecated. Use the 'cuckoo-view-task' command instead. |
| CustomContentBundleWizardry | This automation accepts an XSOAR custom content bundle, and either returns a list of file names, or the files you want to the war room. |
| Cut | Cut a string by delimiter and return specific fields. Example ================= input: "A-B-C-D-E" delimiter: "-" fields: "1,5" return: "A-E" |
| cveReputation | Provides severity of CVE based on CVSS score where available |
| CybereasonPreProcessingExample | Preprocessing script to run when fetching Cybereason malops. Will check if malop was already fetched, and will then update the existing incident, otherwise will create a new incident. |
| CybersixgillActionableAlertStatusUpdate | Updates the Actionable alert status. |
| CYFileRep | Deprecated. This script is deprecated. Use the Cylance integration instead. |
| Cyren-Find-Similar-Incidents | Finds similar incidents by Cyren Case ID This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| Cyren-Show-Threat-Indicators | Displays threat indicators in readable format This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| CyrenCountryLookup | Translates a country code provided by Cyren products to a full country name [English]. Uses ISO 3166-1 alpha-2 for the lookup. |
| CyrenThreatInDepthRandomHunt | This script will take a random Cyren Threat InDepth feed indicator and its relationships and create a threat hunting incident for you. The main query parameters for the resulting, internal indicator query are: 1. Seen for the first time by the feed source within the last 7 days. |
| CyrenThreatInDepthRelatedWidget | Shows feed relationship data in a table with the ability to navigate |
| CyrenThreatInDepthRelatedWidgetQuick | Shows limited feed relationship data in a table with the ability to navigate |
| CyrenThreatInDepthRenderRelated | Shows feed relationship data in a table with the ability to navigate |
| D2ActiveUsers | Show local accounts |
| D2Autoruns | Used by the server-side script "Autoruns". Uses d2 agent on endpoint to run SysInternals Autoruns. |
| D2Drop | Drop a file to a target system by providing its path on the server. Use CopyFileD2 instead in most cases. This is a utility agent script to be used inside server scripts. See CopyFileD2 for an example. |
| D2Exec | Execute the command and pack the output back to server |
| D2ExecuteCommand | Run a D2 built-in command on a D2 agent |
| D2GetFile | Get a file from a system using D2 agent. |
| D2GetSystemLog | Copy a log file. Works on Windows and Unix [differently - take a peek at the script itself to see how]. |
| D2Hardware | Show system information |
| D2O365ComplianceSearch | Assign a 'Mailbox Import Export' management role to a user. This script runs through the agent on a Windows machine, pulls and executes a PowerShell script - which talks to the Exchange server. |
| D2O365SearchAndDelete | Assign a 'Mailbox Import Export' management role to a user. This script runs through the agent on a Windows machine, pulls and executes a PowerShell script - which talks to the Exchange server. |
| D2PEDump | Execute PE Dump on a file that is under /tmp somewhere. Used internally by StaticAnalyze |
| D2Processes | Show running processes |
| D2RegQuery | Use the D2 agent to retrieve the value of the given registry key. |
| D2Rekall | Use the D2 agent to execute Rekall on a system [usually a forensics workstation] and analyze a memory dump file located on that system. |
| D2Services | Show system services |
| D2Users | Show local accounts |
| D2Winpmem | Use the D2 agent to carry the winpmem binary to a system and return the memory dump file to the war room. This usually takes a while, depending on amount of RAM in the target system. |
| DamSensorDown | Pre processing script for Emails from Mcafee DAM, about sensor disconnected. Will ignore second notification, but will process first notification into incidents. |
| DataDomainReputation | Deprecated. Evaluate reputation of a URL and Domain and return a score between 0 and 3 [0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad]. If the indicator reputation was manually set, the manual value will be returned. |
| DateTimeToADTime | Converts unix time to AD Integer8 time. This is used in many AD date fields like pwdLastSet |
| DateToTimeStamp | Converts a date to timestamp. |
| DBotAverageScore | Calculates average score for each indicator from context |
| DBotBuildPhishingClassifier | Create a phishing classifier using machine learning technique, based on email content. |
| DBotClosedIncidentsPercentage | Data output script for populating dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts |
| DBotPredictOutOfTheBoxV2 | Predict phishing incidents using the out-of-the-box pre-trained model. |
| DBotPredictPhishingEvaluation | Deprecated. This script is deprecated. See //xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information. |
| DBotPredictPhishingWords | Predict text label using a pre-trained machine learning phishing model, and get the most important words used in the classification decision. |
| DBotPredictTextLabel | Deprecated. This script is deprecated. See //xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information. |
| DBotPredictURLPhishing | Predict phishing URLs using a pre-trained model. |
| DBotPreparePhishingData | Deprecated. This script is deprecated. See //xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information. |
| DBotPreProcessTextData | Pre-process text data for the machine learning text classifier. |
| DBotTrainTextClassifier | Deprecated. This script is deprecated. See //xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information. |
| DBotTrainTextClassifierV2 | Train a machine learning text classifier. |
| DBotUpdateLogoURLPhishing | Add, remove, or modify logos from the URL Phishing model. |
| DecodeMimeHeader | Decode MIME base64 headers. |
| DeduplicateValuesbyKey | Given a list of objects and a key found in each of those objects, return a unique list of values associated with that key. Returns error if the objects provided do not contain the key of interest. |
| DefaultIncidentClassifier | Deprecated. Classify an incident from mail. |
| DeleteContext | Delete field from context. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| DeleteReportedEmail | Use this script to delete a reported phishing email from the mailbox it was reported to |
| DemistoCreateList | Create a new list |
| DemistoGetIncidentTasksByState | Get all tasks for specific incident by the given state. |
| DemistoLeaveAllInvestigations | Leaves all investigations that the user is part of [clears out the incidents in the left pane]. Incidents that the user owns will remain in the left pane. Requires Demisto REST API integration to be configured for the server. |
| DemistoLinkIncidents | Link two or more incidents |
| DemistoLogsBundle | Gets Demisto Log Bundle to war room |
| DemistoSendInvite | Send invitation to join Demisto |
| DemistoUploadFile | Deprecated. Use DemistoUploadFileV2 instead. |
| DemistoUploadFileToIncident | Deprecated. Use the DemistoUploadFileV2 script instead. Copies a file from this incident to the specified incident. The file is uploaded as an attachment to the specified incident’s Summary page, and recorded as an entry in the War Room. |
| DemistoUploadFileV2 | Copies a file from this incident to the specified incident. The file is recorded as an entry in the specified incident’s War Room. |
| DemistoVersion | Return the Demisto server version. |
| Dig | DNS lookup utility to provide 'A' and 'PTR' record |
| DisplayCVEChartScript | Display bar chart based on cves count and trending cves count with the different colors. |
| DisplayEmailHtml | Displays the original email in HTML format. |
| DisplayEmailHtmlThread | Dynamic-section script for 'Email Threads' layout. This script renders all email messages with the thread number specified in the "Email Selected Thread" field and outputs them as a single HTML output. |
| DisplayHTML | Display HTML in the War Room. |
| DisplayIndicatorReputationContent | Display the indicator context object in markdown format in a dynamic section layout |
| DisplayTaggedWarroomEntries | Display warroom entries in a dynamic section which are tagged with 'report' |
| DlpAskFeedback | Sends a message via Slack or MS Teams to the user whose file upload violated DLP policies and triggered the incident. |
| DockerHardeningCheck | Checks if the Docker container running this script has been hardened according to the recommended settings at: //docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-hardening-guide.html |
| DomainReputation | A context script for Domain entities |
| DsSearchQueryArray | Combines an array of queries to as few as possible whilst staying under the maximum term count. |
| DT | This automation allows the usage of DT scripts within playbooks transformers |
| DumpJSON | Dumps a json from context key input, and returns a json object string result |
| EditServerConfig | Edit the server configuration [under settings/troubleshooting]. You can either add a new configuration or update and remove an existing one. |
| EmailAskUser | Ask a user a question via email and process the reply directly into the investigation. |
| EmailAskUserResponse | Extract user's response from EmailAskUser reply. Returns the first textual response line of the provided entry that contains the reply body. Use ${lastCompletedTaskEntries} to analyze the previous playbook task containing the user's reply. |
| EmailDomainSquattingReputation | Check if an email address's domain is trying to squat other domain using Levenshtein distance algorithm |
| emailFieldTriggered | Sends email to incident owner when selected field is triggered. |
| EmailReputation | A context script for Email entities |
| EmailSLABreach | This is used to complete the Scheduled command if the either/both the users respond in time. The time is configured on the EmailUserSLA. |
| EncodeToAscii | Input Text Data to Encode as ASCII [Ignores any chars that aren't interpreted as ASCII] |
| EntryWidgetCoAHandled | Entry widget that shows the number of techniques that were already handled by the CoA playbooks. |
| EntryWidgetCoATechniquesList | Entry widget that shows the number of techniques that were not yet handled by the CoA playbooks. |
| EntryWidgetPortBasedRules | Entry widget that returns the number of port based rules found by PAN-OS policy optimizer. |
| EntryWidgetUnusedApplications | Entry widget that returns the number of rules with unused applications found by PAN-OS policy optimizer. |
| EntryWidgetUnusedRules | Entry widget that returns the number of unused rules found by PAN-OS policy. optimizer. |
| EnumerateRoles | The script will enumerate any provided role names and output the list of users for each role. |
| EPOFindSystem | Deprecated. Use the "McAfe ePO v2 integration command epo-find-system" instead. Return system info |
| EsmExample | Deprecated. Example of using McAfee ESM [Nitro] with advanced filters |
| Etl2Pcap | Receives an ETL file and converts it to a PCAP file. |
| ExampleJSScript | This is only an example script, to showcase how to use and write JavaScript scripts |
| ExchangeAssignRole | Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead. |
| ExchangeDeleteMail | Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead. |
| ExchangeSearchMailbox | Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead. |
| ExifRead | Read image files metadata and provide Exif tags |
| Exists | Check if a given value exists in the context. Will return 'no' for empty empty arrays. To be used mostly with DQ and selectors. |
| ExpanseAggregateAttributionCI | Aggregate entries from ServiceNow CMDB into AttributionCI |
| ExpanseAggregateAttributionDevice | Aggregate entries from multiple sources into AttributionDevice |
| ExpanseAggregateAttributionIP | Aggregate entries from multiple sources into AttributionIP |
| ExpanseAggregateAttributionUser | Aggregate entries from multiple sources into AttributionUser |
| ExpanseEnrichAttribution | This script can be used to enrich context generated by ExpanseAggregateAttribution* scripts with additional details |
| ExpanseEvidenceDynamicSection | Dynamic Section script used in Expanse Issue layout to display the Latest Evidence structure. |
| ExpanseGenerateIssueMapWidgetScript | This widget script generates a map of the Open Expanse Issue Incidents with provider On Prem. The map is generated as a static PNG file embedded in Markdown. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| ExpansePrintSuggestions | Generates and prints a report in markdown format containing useful suggestions for the Analyst to attribute an Expanse Issue to an owner. |
| ExpanseRefreshIssueAssets | Script to refresh tags and attribution reasons of assets inside Expanse Issue. The script should be used inside the Expanse Issue incident context. |
| ExportToCSV | Export given array to csv file |
| ExportToXLSX | Exports context data to a Microsoft Excel Open XML Spreadsheet [XLSX] file. |
| ExposeIncidentOwner | Expose the incident owner into IncidentOwner context key |
| ExtFilter | Advanced Filter. It enables you to make filters with complex conditions. |
| ExtractDomainAndFQDNFromUrlAndEmail | Extracts domains and FQDNs from URLs and emails. |
| ExtractDomainFromIOCDomainMatchRes | Extracts domain and its details from the Chronicle IOC Domain match response. |
| ExtractDomainFromUrlAndEmail | Extract Domain[s] from URL[s] and/or Email[s] |
| ExtractEmailTransformer | Extracts email addresses from the given value. |
| ExtractEmailV2 | Verifies that an email address is valid and only returns the address if it is valid. |
| ExtractFQDNFromUrlAndEmail | Extracts FQDNs from URLs and emails. |
| ExtractHTMLTables | Find tables inside HTML and extract the contents into objects using the following logic: - If table has a single column, just create an array of strings from the values - If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value - If table has a header row, create a table of objects where attribute names are the headers - If table does not have a header row, create table of objects where attribute names are cell1, cell2, cell3... |
| ExtractInbetween | Extract a string from an existing string. |
| ExtractIndicatorsFromTextFile | Extract indicators from a text-based file. Indicators that can be extracted: IP Domain URL File Hash * Email Address This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| FailedInstances | Executes a test for all integration instances available and returns detailed information about succeeded and failed integration instances. |
| FeedRelatedIndicatorsWidget | Widget script to view information about the relationship between an indicator, entity and other indicators and connect to indicators, if relevant. |
| FetchFileD2 | Get a File from using a D2 agent |
| FetchIndicatorsFromFile | Fetches indicators from a file. Supports TXT, XLS, XLSX, CSV, DOC and DOCX file types. |
| FileCreateAndUpload | Deprecated. Use FileCreateAndUploadV2 instead. Will create a file [using the given data input or entry ID] and upload it to current investigation war room. |
| FileCreateAndUploadV2 | Creates a file [using the given data input or entry ID] and uploads it to the current investigation War Room. |
| FileReputation | A context script for hash entities |
| FileToBase64List | Encode a file as base64 and store it in a Demisto list. |
| FilterByList | Checks whether the specified item is in a list. The default list is the Demisto Indicators Whitelist. |
| FindEmailCampaign | Find a campaign of emails based on their textual similarity. |
| findIncidentsWithIndicator | Lookup incidents with specified indicator. Use currentIncidentId to omit the existing incident from output. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| FindSimilarIncidents | Finds similar incidents by common incident keys, labels, custom fields or context keys. It's highly recommended to use incident keys if possible [e.g., "type" for the same incident type]. For best performance, it's recommended to avoid using context keys if possible [for example, if the value also appears in a label key, use label]. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| FireEyeApiModule | Common FireEye code that will be appended to each FireEye integration when it is deployed. |
| FireEyeDetonateFile | Detonate File or URL through FireEye |
| ForescoutEyeInspectButtonGetPCAP | Get PCAP of a Forescout EyeInspect incident |
| ForescoutEyeInspectButtonGetVulnerabilityInfo | Get information of a CVE from Forescout EyeInspect CVEs DB. |
| ForescoutEyeInspectButtonHostChangeLog | Get change log of Forescout EyeInspect hosts. |
| FormatACTIURL | Helps to fetch ACTI Intelligence Report/Alert URL and converts it to uuid. |
| FormatContentData | This script formats the value given input from a JSON list into table. |
| FormatURL | Strips, unquotes and unescapes URLs. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. |
| ForwardAuditLogsToSplunkHEC | This Automation script uses the XSOAR API to get the audit logs and pushes them to Splunk HEC. Dependencies: SlunkPy and Demisto REST API integrations |
| FPDeleteRule | Deletes a rule in Forcepoint Triton. |
| FPSetRule | Adds [or updates existing] rule in Forcepoint Triton. Preserves order of rules and modifies policy in-place if a rule exists with the exact type and value. |
| GenerateInvestigationSummaryReport | A script to generate investigation summary report in an automated way Can be used in post-processing flow as well. |
| GeneratePANWIoTDeviceTableQueryForServiceNow | Generates a single query or query list with which to query in ServiceNow. |
| GeneratePassword | This function generates a password and allows various parameters to customize the properties of the password depending on the use case [e.g. password complexity requirements]. The default behavior is to generate a password of random length including all four character classes [upper, lower, digits, symbols] with at least five and at most ten characters per class. The min* values all default to 0. This means that if the command is executed in this
way: The debug parameter will print certain properties of the command into the WarRoom for easy diagnostics. |
| GenerateRandomString | Generates random string |
| GenerateRandomUUID | Generates a random UUID [UUID 4]. |
| GenerateSummaryReportButton | This button will generate summary 'Case Report' template for a given Incident |
| GenerateSummaryReports | Generate report summaries for the passed incidents. |
| GenericPollingScheduledTask | Runs the polling command repeatedly, completes a blocking manual task when polling is done. |
| GetAwayUsers | Returns a list of all the users marked as away in Cortex XSOAR. |
| GetBrandDeleteReportedEmail | Gets all the enabled instances of integrations that can be used by the DeleteReportedEmail script, in the output format of a single select field. |
| GetCampaignIncidentsInfo | Creates a channel in Slack v2 or in Microsoft Teams. If both Slack v2 and Microsoft Teams are available, it creates the channel in both Slack v2 and Microsoft Teams. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| GetCampaignLowerSimilarityIncidentsIdsAsOptions | Gets the IDs of incidents with lower similarity. Used to fill the optional values of the multi-select "Phishing Campaign Select Campaign Lower Similarity Incidents" incident field. |
| GetCampaignLowSimilarityIncidentsInfo | Gets the campaign incidents with low similarity information as a markdown table. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| GetCiscoISEActiveInstance | Determines which configured Cisco ISE instance is in active/primary state and returns the name of the instance. |
| GetDockerImageLatestTag | Gets docker image latest tag. Script simulates the docker pull flow but doesn't actually pull the image. Returns an entry with the docker image latest tag if all is good, otherwise will return an error. |
| GetDomainDNSDetails | Returns DNS details for a domain |
| GetEnabledInstances | Gets all currently enabled integration instances. |
| GetEntries | Collect entries matching to the conditions in the war room |
| GetErrorsFromEntry | Get the error[s] associated with a given entry/entries. Use ${lastCompletedTaskEntries} to check the previous task entries. The automation will return an array of the error contents from those entries. |
| GetEWSFolder | Get emails from multiple folders of an account all at once. |
| GetFailedTasks | Gets failed tasks details for incidents based on a query. Limited to 1000 incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| GetFields | Retrieves fields from an object using dot notation |
| GetFilePathPreProcessing | This is a pre-processing script that is used to create the attachments of incoming incidents in an existing incident, then drop the incoming incident. It should be configured as a pre-processing rule, and the logic for finding the right incident should be added to the code manually. The automation collects the paths and names of the attachments of the incoming incident and passes it to the "CreateFileFromPathObject" automation that is being executed on the existing incident |
| GetIncidentsByQuery | Gets a list of incident objects and the associated incident outputs that match the specified query and filters. The results are returned in a structured data file. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| GetIndicatorDBotScore | Add into the incident's context the system internal DBot score for the input indicator. |
| GetIndicatorDBotScoreFromCache | Get the overall score for the indicator as calculated by DBot. |
| GetIndicatorsByQuery | Gets a list of indicator objects and the associated indicator outputs that match the specified query and filters. The results are returned in a structured data file. |
| GetInstanceName | Given an integration name, returns the instance name. |
| GetInstances | Returns integration instances configured in Cortex XSOAR. You can filter by instance status and/or brand name [vendor]. |
| GetListRow | Parses a list by header and value. |
| getMlFeatures | Deprecated. This script is deprecated. See //xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information. |
| GetMLModelEvaluation | Finds a threshold for ML model, and performs an evaluation based on it |
| GetNumberOfUsersOnCall | Retrieves the number of users who are currently on call. |
| GetOnCallHoursPerUser | Retrieves the number of on call hours per user. |
| GetPrBranches | Field-display script that gets the branch names from "Pull Request Creation" incidents to use in the "Pull Request Branch" incident field. |
| GetRange | Gets specified indexes of a list. |
| GetRolesPerShift | Retrieves the roles that are available per shift. |
| GetShiftsPerUser | Retrieves the number of on-call hours per user. |
| GetStringsDistance | Get the string distance between inputString and compareString [compareString can be a comma-separated list] based on Levenshtein Distance algorithm. |
| GetTasksWithSections | Groups all tasks for a specific incident according to the task headers [titles]. |
| GetTime | Retrieves the current date and time. |
| GetUsersOnCall | Retrieves users who are currently on call. |
| GetUsersOOO | Retrieves users who are currently out of the office. The script use the OutOfOfficeListCleanup script to remove users from the out-of-office list whose 'off until day' is in the past. |
| GIBIncidentUpdate | This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| GIBIncidentUpdateIncludingClosed | This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| GLPIIncidentStatus | populates the value of the GLPI Ticket State field and display it in a layout widget. |
| GoogleappsRevokeUserRole | Deprecated. Deletes a role assignment. |
| GoogleAuthURL | Deprecated. This script is deprecated. The demistobot endpoint is no longer supported. |
| GrrGetFiles | Deprecated. Use grr_get_files instead. |
| GrrGetFlows | Deprecated. Use grr-get-flows instead. |
| GrrGetHunt | Deprecated. Use grr_get_hunt instead. |
| GrrGetHunts | Deprecated. Use grr_get_hunts instead. |
| GrrSetFlows | Deprecated.Use grr-set-flows instead. |
| GrrSetHunts | Deprecated. Use grr_set_hunts instead. |
| GSuiteApiModule | Common G Suite code that will be appended to each Google/GSuite integration when it is deployed. |
| HashIncidentsFields | Hash fields from the incident list. Search for incidents by arguments with an option to hash some of its fields. |
| HelloWorldPremiumScript | Hello World Premium Script |
| HelloWorldScript | Hello World Script |
| Hey | Use rakyll/hey to test a web application with a load of requests. |
| hideFieldsOnNewIncident | When you apply this script to an incident field, that incident field is hidden for new incidents, and it displays in edit mode. |
| HighlightWords | Highlight words inside a given text. |
| http | Sends http request. Returns the response as json. |
| HTTPFeedApiModule | Common HTTP feed code that will be appended into each HTTP feed integration when it's deployed |
| HTTPListRedirects | List the redirects for a given URL |
| HttpV2 | Sends a HTTP request with advanced capabilities |
| IAMApiModule | Common code that will be appended into each IAM integration when it's deployed. |
| IdentifyAttachedEmail | Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team. |
| If-Then-Else | A transformer for simple if-then-else logic. |
| IgnoreFieldsFromJson | Removed selected fields from the JSON object. |
| ImpSfListEndpoints | The endpoints list request enables a client application to receive a list of all managed and unmanaged endpoints, with their basic details. This list can then be externally filtered or searched by the application to identify individual endpoints that might require action. For any such endpoint, the application can obtain fuller details [see Endpoint Details Request below] and if relevant change its enrollment status. |
| ImpSfRevokeUnaccessedDevices | Getting all devices data from server, if a device haven't been accessed to in over two months [and is still managed], the script will send the corresponding user a warning mail. If it's haven't been accessed to in over three months, the script will revoke the device credentials and notify the user by mail |
| ImpSfScheduleTask | Creating a schedule task that's call ImpSfRevokeUnaccessedDevices: Getting all devices data from server, if a device haven't been accessed to in over two months [and is still managed], the script will send the corresponding user a warning mail. If it's haven't been accessed to in over three months, the script will revoke the device credentials and notify the user by mail |
| ImpSfSetEndpointStatus | Deprecated. Call imp-sf-set-endpoint-status directly. No available replacement. |
| IncapGetAppInfo | Use this operation to retrieve a list of all the client applications |
| IncapGetDomainApproverEmail | Use this operation to get the list of email addresses that can be used when adding an SSL site |
| IncapListSites | List sites for an account |
| IncapScheduleTask | This script periodically runs the "IncapWhitelistCompliance" script, which queries the Incapsula monitored websites for white-list compliance [see script for further details]. The script then saves the new periodic ID into incident context under the "ScheduleTaskID" key for later use. |
| IncapWhitelistCompliance | Get all sites from Incapsula. For each site, the script, through a ssh server [one that should NOT be in the allow list], make sure the site is compliant [ allow list is being enforced ]. If not, a warning mail will be sent to the domain owner. |
| IncidentAddSystem | Add a remote system [such as a desktop under investigation] to an investigation [this will allow you to install and agent on the system] |
| IncidentFields | Returns a dict of all incident fields that exist in the system. |
| IncidentsCheck-NumberofIncidentsNoOwner | Health Check dynamic section, showing the number of unassigned incidents. |
| IncidentsCheck-NumberofIncidentsWithErrors | Health Check dynamic section, showing the number of failed incidents. |
| IncidentsCheck-NumberofTotalEntriesErrors | Health Check dynamic section, showing the total number of errors in failed incidents. |
| IncidentsCheck-PlaybooksFailingCommands | Health Check dynamic section, showing the top ten commands of the failed incidents in a pie chart. |
| IncidentsCheck-PlaybooksHealthNames | Health Check dynamic section, showing the top ten playbook names of the failed incidents in a bar chart. |
| IncidentsCheck-Widget-CommandsNames | Data output script for populating the dashboard pie graph widget with the top failing incident commands. |
| IncidentsCheck-Widget-CreationDate | Data output script for populating the dashboard line graph widget with the creation date of failing incidents. |
| IncidentsCheck-Widget-IncidentsErrorsInfo | Data output script for populating the dashboard table graph widget with the information about failing incidents. |
| IncidentsCheck-Widget-NumberFailingIncidents | Data output script for populating dashboard number graph widget with the number of failing incident. |
| IncidentsCheck-Widget-NumberofErrors | Data output script for populating the dashboard number graph widget with the number of entries ID errors. |
| IncidentsCheck-Widget-PlaybookNames | Data output script for populating the dashboard bar graph widget with the top failing playbooks name. |
| IncidentsCheck-Widget-UnassignedFailingIncidents | Data output script for populating the dashboard number graph widget with the number of unassigned failing incidents. |
| IncidentState | This script is used as dynamic section to desplay in the layout one of the incident state. |
| IncreaseIncidentSeverity | Optionally increases the incident severity to the new value if it is greater than the existing severity. |
| IndicatorMaliciousRatioCalculation | Return indicators appears in resolved incidents, and resolved incident ids. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| InRange | checks if left side is in range of right side [from,to anotation] e.g. - InRange left=4right=1,8 will return true. |
| InstancesCheck-FailedCategories | Health Check dynamic section, showing the top ten categories of the failed integrations in a pie chart. |
| InstancesCheck-NumberofEnabledInstances | Health Check dynamic section, showing the total number of checked integrations. |
| InstancesCheck-NumberofFailedInstances | Health Check dynamic section, showing the total number of failed integrations. |
| IntegrationsCheck-Widget-IntegrationsCategory | Data output script for populating the dashboard pie graph widget with the failing integrations. |
| IntegrationsCheck-Widget-IntegrationsErrorsInfo | Data output script for populating the dashboard table graph widget with the information about failing integrations. |
| IntegrationsCheck-Widget-NumberChecked | Data output script for populating the dashboard number graph widget with the number of checked integrations. |
| IntegrationsCheck-Widget-NumberFailingInstances | Data output script for populating the dashboard number graph widget with the number of failing integrations. |
| IntezerRunScanner | Deprecated. D2 agent is deprecated. No available replacement. |
| IntezerScanHost | Deprecated. D2 agent is deprecated. No available replacement. |
| InvertEveryTwoItems | This transformer will invert every two items in an array. Example: ["A", "B", "C", "D"] Result: ["B", "A", "D", "C"] If the total of items in the array is an odd number the last item will be removed If the item is not an array the output will be same passed object. |
| InvestigationDetailedSummaryParse | Parses attacks from context, and shows them according to the MITRE technique they use. |
| InvestigationDetailedSummaryToTable | Shows InvestigationDetailedSummaryParse results as a markdown table |
| InvestigationSummaryParse | Retrieves information from previously run reputation commands and aggregates their results. |
| InvestigationSummaryToTable | Creates a human readable table from ParseMalware context results. |
| iot-security-alert-post-processing | IoT alert post processing script to resolve the alert in IoT security portal using API |
| iot-security-check-servicenow | Close the XSOAR incident if the IoT ServiceNow ticket was closed. This command should be run in a Job. |
| iot-security-get-raci | IoT RACI model script |
| iot-security-vuln-post-processing | IoT vulnerability post processing script to resolve the vulnerability incident in IoT security portal using API |
| IPCalcCheckSubnetCollision | An automation script to return subnet collision result |
| IPCalcReturnAddressBinary | An automation script to return address in binary format |
| IPCalcReturnAddressIANAAllocation | An automation script to return address IANA information |
| IPCalcReturnSubnetAddresses | An automation script to return subnet addresses |
| IPCalcReturnSubnetBroadcastAddress | An Automation Script to return subnet broadcast address |
| IPCalcReturnSubnetNetwork | An Automation Script to return subnet network ID |
| IPReputation | A context script for IP entities |
| IPToHost | Try to get the hostname correlated with the input IP. |
| IqHubLog | Logs detection and progression count with respective links to confluera's IQ-Hub portal in tabular format |
| IronscalesEmailFieldTrigger | Automatically changes email field when choosing classification |
| isArrayItemInList | This automation is for comparing array[list] data of context to existing lists on XSOAR server. You can avoid using loop of sub-playbook. inputArray: the context array/list data listName: the XSOAR system list |
| IsDemistoRestAPIInstanceAvailable | Checks if the provided Demisto REST API instance is available for the XSOAR Simple Dev to Prod workflow. |
| IsEmailAddressInternal | Checks if the email address is part of the internal domains |
| isError | Check whether given entry/entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If array is provided, will return yes if one of the entries returned an error. |
| IsGreaterThan | Checks if one number[float] as bigger than the other[float] Returns yes: if first > second Returns no: if first = secondPercentage Returns exception if one of the inputs is not a float |
| LinkIncidentsButton | Incident action button script to link or unlink Incidents from an Incident |
| LinkIncidentsWithRetry | Use this script to avoid DB version errors when simultaneously running multiple linked incidents. |
| ListDeviceEvents | List all of the events discovered within your enterprise on a particular device within 2 hours earlier than the current time. |
| listExecutedCommands | Lists executed commands in War Room |
| ListInstalledContentPacks | This script will show all installed content packs and whether they have an update. |
| ListUsedDockerImages | List all Docker images that are in use by the installed integrations and automations. |
| LoadJSON | Loads a json from string input, and returns a json object result |
| MaliciousRatioReputation | Set indicator reputation to "suspicious" when malicious ratio is above threshold. Malicious ratio is the ration between number of "bad" incidents to total number of incidents the indicator appears in. |
| ManageOOOusers | Adds or removes an analyst from the out-of-office list in XSOAR. When used with the AssignAnalystToIncidentOOO automation, prevents incidents from being assigned to an analyst who is out of office. |
| MapPattern | This transformer will take in a value and transform it based on multiple condition expressions [wildcard, regex, etc] defined in a JSON dictionary structure. The key:value pair of the JSON dictionary should be: "condition expression": "desired outcome" For example: { The transformer will return the value matched to a pattern following to the priority. |
| MapRaDarkIncidentDetails | Map details to an RaDark incident. |
| MapValues | Map the given values to the translated values. If given values: a,b,c and translated: 1,2,3 then input is a will return 1 |
| MapValuesTransformer | This script converts the input value into another value using two lists. The input value is searched in the first list [input_values]. If it exists, the value from the second list [mapped_values] at the same index is retutrned. If there is no match, the original value is returned. If the original input is a dictionary, then the script will look for a "stringified" version of the key/:/value pair in the input_values and then map the result in the output_values into the original "value". Example 1: input_values = "1,2,3,4" Output would be "2" Example 2: input_values ="firstkey: datahere,secondkey: datathere" Output would be: The reason for matching the key AND value pair in a dictionary is to allow the mappig of values that have a specific key name. In most cases, dictionaries will continan key-value pairs in which the values are the same. You might want to change the value of KeyA, but not the value of KeyB. This method gives control over which key is changed. When the input is a dict, str , int, or list, the output is ALWAYS returned as a string. |
| MarkAsEvidenceBySearch | Search entries in the war room for the pattern text, and mark them as evidence. |
| MarkAsNoteBySearch | Search entries in the war room for the pattern text, and mark as note to the entries found. |
| MarkAsNoteByTag | Mark entries as notes if they are tagged with given tag |
| MarkdownToHTML | Converts Markdown to HTML. |
| MarkRelatedIncidents | Marks given incidents as related to current incident. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| MatchIPinCIDRIndicators | Match provided IP address in all the Indicators of type CIDR with the provided tags [longest match]. |
| MatchRegex | Deprecated. Use the MatchRegexV2 script instead. |
| MatchRegexV2 | Extracts regex data from the provided text. The script support groups and looping. |
| MathUtil | Script will run the provided mathematical action on 2 provided values and produce a result. The result can be stored on the context using the contextKey argument |
| MattermostAskUser | Ask a user a question on Mattermost and expect a response. The response can also close a task [might be conditional] in a playbook. |
| MaxList | Gets the maximum value from list e.g. ["25", "10", "25"] => "25" |
| MergeDictArray | Each entry in an array is merged into the existing array if the keyed-value matches. |
| MicrosoftApiModule | Common Microsoft code that will be appended into each Microsoft integration when it's deployed |
| MicrosoftAzureStorageApiModule | Common Microsoft Azure Storage code that will be appended into each Microsoft Azure Storage integration. |
| MicrosoftTeamsAsk | Send a team member or channel a question with predefined response options on Microsoft Teams. The response can be used to close a task [might be conditional] in a playbook. |
| MimecastFindEmail | Find an email across all mailboxes, and return the list of mailboxes where the email was found, as well as Yes if the mail was found anywhere or No otherwise. |
| MimecastQuery | Deprecated. Use mimecsat-query command instead. |
| MinList | Gets the minimum value from list e.g. ["25", "10", "25"] => "10" |
| MITREIndicatorsByOpenIncidents | Deprecated. Use FeedMitreAttackv2 instead. |
| MITREIndicatorsByOpenIncidentsV2 | This is a widget script returning MITRE indicators information for top indicators shown in incidents. |
| ModifyDateTime | Takes a date or time input and adds or subtracts a determined amount of time. Returns a string in date or time in ISO Format. |
| NCSCReportDetails | This script generates the report details used in the final report. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| NCSCReportDetails_A | This script generates the report details for the individual CAF Section. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| NCSCReportDetails_B | This script generates the report details for the individual CAF Section. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| NCSCReportDetails_C | This script generates the report details for the individual CAF Section. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| NCSCReportDetails_D | This script generates the report details for the individual CAF Section. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| NCSCReportOverview | This script generates the report details for the individual CAF Section. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| NetwitnessQuery | Deprecated. No available replacement. Performs a query against the meta database |
| NetwitnessSAAddEventsToIncident | This command will add new events to an existing NetWitness SA incident |
| NetwitnessSACreateIncident | Create an incident inside NetWitness SA from a set of NetWitness events. |
| NetwitnessSAGetAvailableAssignees | Returns the available NetWitness SA users to be assigned to incidents |
| NexposeCreateIncidentsFromAssets | Deprecated. No available replacement. Create incidents based on the Nexpose asset ID and vulnerability ID. Duplicate incidents are not created for the same asset ID and vulnerability ID. |
| NexposeEmailParser | Parses nexpose report into a clear table that contain risk score and vulnerability count for each server, And creates a new incident for each server. |
| NexposeEmailParserForVuln | Parses nexpose report into a clear table that contain risk score and vulnerability count for each server, And creates a new incident for each server. |
| NexposeVulnExtractor | Parse a specific server nexpose response in to a table of vulnerabilities. |
| NGINXApiModule | Common NGINX code that will be appended into each NGINX based integration when it's deployed |
| NotInContextVerification | Not in context verification is a script that executes the given command and verifies that the specified field is not in the context after execution. |
| Oletools | This is an automation to run oletools malware analysis for office files. Oletools is a tool for analyzing Microsoft OLE2 files, such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics, and debugging. This automation allows performing some basic oletools commands from Cortex XSOAR. Note that oletools is open source code and is subject to change. |
| OnboardingCleanup | Cleanup the incidents and indicators created by OnboardingIntegration This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| OnionURLReputation | This script adds the reputation to Onion URL indicators. The script is automatically triggered when a Onion URL indicator is auto-extracted. For instance, if you run a Cortex XSOAR CLI on a valid Onion URL, the indicators are extracted automatically and this script is triggered for the extracted indicators. |
| OSQueryBasicQuery | Returns the results from a basic OSQuery query on a remote Linux machine. For more information read documentation at //osquery.readthedocs.io/ |
| OSQueryLoggedInUsers | Deprecated. Use OSQueryBasicQuery with query='select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;' instead. |
| OSQueryOpenSockets | Deprecated. Use OSQueryBasicQuery with query='select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path '' or remote_address '';' instead. |
| OSQueryProcesses | Deprecated. Use OSQueryBasicQuery with query='select * from processes' instead. |
| OSQueryUsers | Deprecated. Use OSQueryBasicQuery with query='select * from users;' instead. |
| Osxcollector | Execute osxcollector on machine, can run ONLY on OSX |
| OutOfOfficeListCleanup | Removes any users from the out-of-office list whose 'off until day' is in the past. |
| PagerDutyAlertOnIncident | Send incident details to pagerduty [useful to include in playbooks] |
| PagerDutyAssignOnCallUser | By default assigns the first on-call user to an investigation [all incidents in the investigation will be owned by the on call user] |
| PanoramaCVECoverage | Check coverage given a list of CVEs. |
| PanoramaSecurityPolicyMatchWrapper | A wrapper script for the panorama-security-policy-match command that receives multiple values for the source, destination, and destination port arguments and performs the policy match for each combination of the inputs. |
| ParseCSV | This script will parse a CSV file and place the unique IPs, Domains and Hashes into the context. |
| ParseEmailFiles | Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. |
| ParseEmailFilesV2 | Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. This script is based on the parse-emails XSOAR python package, check the script documentation for more info |
| ParseExcel | The automation takes Excel file [entryID] as an input and parses its content to the war room and context |
| ParseHTMLIndicators | This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions. |
| ParseHTMLTables | Find tables inside HTML and extract the contents into objects using the following logic: - If table has 2 columns and has no header row, treat the first column as key and second as value and create a table of key/value |
| ParseJSON | Parse a given JSON string "value" to a representative object. Example: '{"a": "value"}' => {"a": "value"}. |
| ParseWordDoc | Takes an input docx file [entryID] as an input and saves an output text file [file entry] with the original file's contents. |
| ParseYAML | Parses a YAML string into context |
| PcapConvert | Convert packet data to the standard pcap. Currently it only supports CDL[NGFW] pcap from which to convert. |
| PcapExtractStreams | Extract payloads of each stream from a pcap. The payloads will be retrieved with an array of dictionaries of these keys: - protocol - client_ip - client_port - server_ip - server_port - stream_size - stream_text - stream_base64 - outgoing_size - outgoing_text - outgoing_base64 - incoming_size - incoming_text - incoming_base64 |
| PcapFileExtractor | This automation extracts all possible files from a PCAP file. |
| PcapFileExtractStreams | Extract payloads of each stream from a pcap file. |
| PcapHTTPExtractor | Allows to parse and extract http flows [requests & responses] from a pcap/pcapng file. |
| PCAPMiner | Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It is uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use simply upload a PCAP file and then run PCAPMiner entryId="". To get the entry id click on the link on the top right hand corner of a file attachment. |
| PcapMinerV2 | PcapMIner V2 allows to parse PCAP files by displaying the all of the relevant data within including ip addresses, ports, flows, specific protocol breakdown, searching by regex, decrypting encrypted traffic and more. This automation takes about a minute to process 20,000 packets [which is approximately 10MB]. If you want to mine large files you can either: a] Use the `pcap_filter` parameter to filter your PCAP file and thus make is smaller. b] Copy the automation and change the `default timeout` parameter to match your needs. |
| PDFUnlocker | Removing the password protection from a PDF file and adding a new file entry with the unlocked PDF. |
| PenfieldAssign | PenfieldAssign will use the Penfield.AI integration's penfield-get-assignee command to determine who an incident should be assigned to, then print the selected analyst to the War Room and overwrite the owner property. |
| PerformActionOnCampaignIncidents | Perform user actions such as link, close, etc., on selected incidents from a campaign. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| PHash | Script to create a perceptual hash of an image [or file] stored in the incident. Wrapps //pypi.org/project/ImageHash/ |
| PortListenCheck | Checks whether a port was open on given host. |
| PrepareArcannaRawJson | Loads a json from string input, and returns a json escaped result. |
| PreprocessEmail | Preprocessing script for email communication layout. This script checks if the incoming email contains an Incident ID to link the mail to an existing incident, and tags the email as "email-thread". This script runs with elevated permissions. Cortex XSOAR recommends using the built-in RBAC functionality to limit access to only those users requiring access to this script. For more information about the preprocessing rules, refer to: //demisto.developers.paloaltonetworks.com/docs/incidents/incident-pre-processing |
| Prints text to war room [Markdown supported] | |
| PrintContext | Pretty-print the contents of the playbook context |
| PrintErrorEntry | Prints an error entry with a given message |
| PrintRaw | Prints a raw representation of a string or object, visualising things likes tabs and newlines. For instance, '\n' will be displayed instead of a newline character, or a Windows CR will be displayed as '\r\n'. This is useful for debugging issues where things aren't behaving as expected, such as when parsing a string with a regular expression. |
| PrismaCloudAttribution | Recursively extracts specified fields from provided list of assets for Prisma Cloud attribution use case. |
| ProvidesCommand | Finds which integrations implement a specific Demisto command. The results will be returned as comma-separated values [CSV]. The "Demisto REST API" integration must first be enabled. |
| PTEnrich | Deprecated. No available replacement. Enrich the given IP or domain with metadata, malware, osint. |
| PublishEntriesToContext | Publish entries to incident's context |
| PWEventPcapDownload | Deprecated. No available replacement. |
| PWObservationPcapDownload | Deprecated. No available replacement. |
| QRadarCreateAQLQuery | Build QRadar AQL Query. |
| QRadarFetchedEventsSum | This display the amount of fetched events vs the total amount of events in the offense. |
| QRadarMagnitude | This enables to color the field according to the magnitude. The scale is 1-3 green 4-7 yellow 8-10 red |
| QRadarMirroringEventsStatus | This displays the mirrored events status in the offense. |
| QRadarPrintAssets | This script prints the assets fetched from the offense in a table format. |
| QRadarPrintEvents | This script prints the events fetched from the offense in a table format. |
| QualysCreateIncidentFromReport | Create incidents from a Qualys report [XML], based on the Qualys asset ID and vulnerability ID [QID]. Duplicate incidents are not created for the same asset ID and QID. |
| RandomElementFromList | randomly select elements from a list in Python |
| RandomPhotoNasa | This automation script will pull a random image from //images.nasa.gov based on the search parameter provided. If the script is used within a widget, it will output an image in markdown format. If it is used anywhere else it will output an image in markdown format and also context data. |
| RapidBreachResponse-CompletedTasksCount-Widget | Rapid Breach Response dynamic section, will show the updated number of completed tasks. |
| RapidBreachResponse-EradicationTasksCount-Widget | Rapid Breach Response dynamic section, will show the updated number of eradication tasks. |
| RapidBreachResponse-HuntingTasksCount-Widget | Rapid Breach Response dynamic section, will show the updated number of hunting tasks. |
| RapidBreachResponse-MitigationTasksCount-Widget | Rapid Breach Response dynamic section, will show the updated number of mitigation tasks. |
| RapidBreachResponse-RemainingTasksCount-Widget | Rapid Breach Response dynamic section, will show the updated number of remaining tasks. |
| RapidBreachResponse-RemediationTasksCount-Widget | Rapid Breach Response dynamic section, will show the updated number of remediation tasks. |
| RapidBreachResponse-TotalIndicatorCount-Widget | Rapid Breach Response dynamic section, will show the updated number of indicators found. |
| RapidBreachResponse-TotalTasksCount-Widget | Rapid Breach Response dynamic section, will show the updated number of tasks to complete. |
| RapidBreachResponseParseBlog | Deprecated. Use "ParseHTMLIndicators" instead. Parse Volexity request blog. |
| ReadFile | Load the contents of a file into context. |
| ReadNetstatFile | Load and return the processes file [generated from the cs-falcon-rtr-list-network-stats command] content. |
| ReadNetstatFileWrapper | This Automation is a wrapper - If the CrowdStrike key is present in context, ReadNetstatFile will be executed and displayed. Else, 'No data on Netstat found' will be displayed. |
| ReadPDFFileV2 | Load a PDF file's content and metadata into context. |
| ReadProcessesFile | Load and return the processes file [generated from the cs-falcon-rtr-list-processes command] content. |
| ReadProcessesFileXDR | Return a process list from the XDRIR integration. |
| ReadProcessFileWrapper | This Automation is a wrapper - If PaloAltoNetworksXDR is in context - ReadProcessesFileXDR will be executed and displayed. if CrowdStrike is in context - ReadProcessesFile will be executed and displayed. else 'No data on Process List found' will be displayed. |
| RecordedFutureDomainRiskList | Deprecated. Use Recorded Future v2 instead. |
| RecordedFutureHashRiskList | Deprecated. Use Recorded Future v2 instead. |
| RecordedFutureIPRiskList | Deprecated. Use Recorded Future v2 instead. |
| RecordedFutureURLRiskList | Deprecated. Use Recorded Future v2 instead. |
| RecordedFutureVulnerabilityRiskList | Deprecated. Use Recorded Future v2 instead. |
| redactindicator | Redactindicator can help you to defang/redact any kind of indicator [IPv4, url, domain and email], IP addresses will be in the dotted representation like 8.8.8[.].8, all domains will be example[.]com. Optional you can define a "searchkey" which does not to be case sensitive, which will be replaced as |
| RegexExpand | Extract the strings matched to the patterns by doing backslash substitution on the template string. This transformer allow to input multiple regex patterns and multiple match targets, and those can be given in the input value and the argument parameters. |
| RegexReplace | Format patterns matched with regex. If the regex does not match any pattern, the original value is returned. Example 1: Example 2: output_format: name=\1 -> output value: xxx=yyy |
| RegistryParse | This command uses the Registry Parse automation to extract critical forensics data from a registry file. The essential values are specified by the argument. |
| RegPathReputationBasicLists | Deprecated. No available replacement. |
| RemoteExec | Execute a command on a remote machine [without installing a D2 agent] |
| RemoveEmpty | Remove empty items, entries or nodes from the array. |
| RemoveEmptyEvidence | The automation removes evidence based on a query performed on the evidence content, if the provided string is found within the evidence- it will be removed. |
| RemoveFileWrapper | This script allows removing specified files using Cortex XDR, CrowdStrike and Microsoft Defender [Advanced Threat Protection]. |
| RemoveKeyFromList | Removes a key in key/value store backed by an XSOAR list. |
| RepopulateFiles | After running DeleteContext, this script can repopulate all the file entries in the ${File} context key |
| ResolveShortenedURL | Resolve the original URL from the given shortened URL and place it in both as output and in the context of a playbook. [//unshorten.me/api] |
| RestartFailedTasks | Use this Script to re-run failed tasks. Run in the same incident after running `GetFailedTasks` for restarting all of the failed tasks or some of them. |
| RetrievePlaybooksAndIntegrations | Retrieves all Playbook [and Sub-Playbook] Names and Integrations for a provided Playbook name |
| ReverseList | Reverse a list e.g. ["Mars", "Jupiter", "Saturn"] => ["Saturn", "Jupiter", "Mars"] This is an example for entire-list transformer - it operates the argument as a list [note the "entirelist" tag] |
| RiskIQDigitalFootprintAssetDetailsWidgetScript | Shows the detailed information of an asset identified as a "RiskIQAsset" type of indicator in the layout of the indicator. |
| RiskIQPassiveTotalComponentsScript | Enhancement script to enrich PassiveTotal components for Domain and IP type of indicators. |
| RiskIQPassiveTotalComponentsWidgetScript | Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators. |
| RiskIQPassiveTotalHostPairChildrenScript | Enhancement script to enrich PassiveTotal host pair of children for Domain and IP type of indicators. |
| RiskIQPassiveTotalHostPairParentsScript | Enhancement script to enrich PassiveTotal host pair of parents for Domain and IP type of indicators. |
| RiskIQPassiveTotalHostPairsChildrenWidgetScript | Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators. |
| RiskIQPassiveTotalHostPairsParentsWidgetScript | Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators. |
| RiskIQPassiveTotalPDNSScript | Enhancement script to enrich PDNS information for Domain and IP type of indicators. |
| RiskIQPassiveTotalPDNSWidgetScript | Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators. |
| RiskIQPassiveTotalSSLForIssuerEmailWidgetScript | Set widgets to custom layout in Email and RiskIQAsset type of indicators. |
| RiskIQPassiveTotalSSLForSubjectEmailWidgetScript | Set widgets to custom layout in Email and RiskIQAsset type of indicators. |
| RiskIQPassiveTotalSSLScript | Enhancement script to enrich SSL information for Email, File SHA-1 and RiskIQSerialNumber type of indicators. |
| RiskIQPassiveTotalSSLWidgetScript | Set widgets to custom layout in Email, RiskIQSerialNumber and File SHA-1 type of indicators. |
| RiskIQPassiveTotalTrackersScript | Enhancement script to enrich web trackers information for Domain and IP type of indicators. |
| RiskIQPassiveTotalTrackersWidgetScript | Set widgets to custom layout in Domain, IP and RiskIQ Asset type of indicators. |
| RiskIQPassiveTotalWhoisScript | Enhancement script to enrich whois information for Domain and Email type of indicators. |
| RiskIQPassiveTotalWhoisWidgetScript | Set widgets to custom layout in Domain, Email and RiskIQ Asset type of indicators. |
| RiskSenseGetRansomewareCVEScript | This script is a helper script of Ransomware Exposure - RiskSense playbook and retrieve information of cves and trending cves from host finding details. |
| RSSWidget | Script Widget - RSS Feed. |
| RubrikCDMClusterConnectionState | Shows the Rubrik Radar amount of Files Added. |
| RubrikRadarFilesAdded | Shows the Rubrik Radar amount of Files Added. |
| RubrikRadarFilesDeleted | Shows the Rubrik Radar amount of Files Deleted. |
| RubrikRadarFilesModified | Shows the Rubrik Radar amount of Files Modified. |
| RubrikSonarOpenAccessFiles | Shows the Rubrik Polaris Sonar Open Access Files Count. |
| RubrikSonarSensitiveHits | Shows the Rubrik Polaris Sonar data classification results. |
| RubrikSonarTotalHits | Shows the Rubrik Polaris Sonar Total Hits. |
| RunDockerCommand | This command will allow you to run commands against a local Docker Container. You can run commands like wc for instance with word count, or other types of commands that you want on the docker container. We recommend for tools that you want to use that are not part of the default Docker container, to cope this Automation script and then create a customer docker container with /docker_image_create with a custom docker container to add any command level tool to Demisto and output the results directly to the context. |
| RunPollingCommand | Runs a specified polling command one time. This is useful for initiating a local playbook context before running a polling scheduled task. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| SalesforceAskUser | Ask a user a question via Salesforce Chatter and process the reply directly into the investigation. |
| SandboxDetonateFile | Deprecated. This script is deprecated. Use the available generic file detonation playbooks instead. |
| SanePdfReports | Parse Sane-json-reports and export them as pdf files [used internally]. |
| SbDownload | Use the Download API to have a client application download files generated by the Check Point Threat Prevention service: analysis reports, Threat Emulation sandbox outputs, and more. The request must have the ID of the file to download |
| SbQuery | Use the Query API to have a client application look for either the analysis report of a specific file on the Check Point Threat Prevention service databases or the status of a file, uploaded for analysis |
| SbQuota | Use the Quote API to have a client application get the current license and quota status of the API Key that you use |
| SbUpload | Use the Upload API to have a client application request that Check Point Threat Prevention modules scan and analyze a file. When you upload a file to the service, the file is encrypted. It is un-encrypted during analysis, and then deleted |
| ScheduleCommand | Schedule a command to run inside the war room at a future time [once or reoccurring] |
| ScheduleGenericPolling | Called by the GenericPolling playbook, schedules the polling task. |
| SCPPullFiles | Take a list of devices and pull a specific file [given by path] from each using SCP |
| SearchIncidentsV2 | Searches Demisto incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| SearchIndicatorRelationships | This automation outputs the indicator relationships to context according to the provided query, using the entities, entityTypes, and relationships arguments. All arguments will use the AND operator. For example, using the following arguments entities=8.8.8.8 entities_types=Domain will provide only relationships that the 8.8.8.8 indicator has with indicators of type domain. |
| SearchIndicators | Deprecated. Use the SixgillSearchIndicators script instead. |
| SendAllPANWIoTAssetsToSIEM | Retrieves all specified assets from the PANW IoT cloud and sends them to the SIEM server. |
| SendAllPANWIoTDevicesToCiscoISE | Gets all available devices from the IoT cloud and updates or creates them on Cisco ISE using the custom attributes. |
| SendAllPANWIoTDevicesToServiceNow | Gets all available devices from the IoT cloud and sends them to the ServiceNow. server |
| SendEmailOnSLABreach | Sends an email informing the user of an SLA breach. The email is sent to the user who is assigned to the incident. It includes the incident name, ID, name of the SLA field that was breached, duration of that SLA field, and the date and time when that SLA was started. In order to run successfully, the script should be configured to trigger on SLA breach, through field edit mode. |
| SendEmailReply | Send email reply This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: //docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html |
| SendMessageToOnlineUsers | Send message to Demisto online users over Email, Slack, Mattermost or all. |
| SendPANWIoTDevicesToCiscoISE | This script takes [as a required argument] custom attributes from PANW IoT cloud and creates or updates endpoints in ISE with the input custom attributes. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| SEPCheckOutdatedEndpoints | Check if any endpoints are using an AV definition that is not the latest version. |
| ServiceNowApiModule | Common ServiceNow code that will be appended to each ServiceNow integration when it is deployed to automatically enable OAuth2 authentication. |
| ServiceNowCreateIncident | This script is used to wrap the generic create-record command in ServiceNow. You can add fields that you want to create the record with as script arguments or in the code and work with the records easily. |
| ServiceNowIncidentStatus | populates the value of the ServiceNow Ticket State field and display it in a layout widget. |
| ServiceNowQueryIncident | This script is used to wrap the generic query-table command in ServiceNow. You can add fields that you want to use as inputs and outputs from the record as script arguments or in the code and work with the records easily. |
| ServiceNowUpdateIncident | This script is used to wrap the generic update-record command in ServiceNow. You can add fields that you want to update the record with as script arguments or in the code and work with the records easily. |
| Set | Set a value in context under the key you entered. |
| SetAndHandleEmpty | Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| SetByIncidentId | Works the same as the 'Set' command, but can work across incidents by specifying 'id' as an argument. Sets a value into the context with the given context key. Doesn't append by default. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| SetDateField | Sets a custom incident field with current date |
| SetGridField | Creates a Grid table from items or key-value pairs. |
| SetIfEmpty | Checks an object for an empty value and returns a pre-set default value. |
| SetIRProceduresMarkdown | Creates markdown tables based on information from the GetTasksWithSection command. |
| SetMultipleValues | Set multiple keys/values to the context. |
| SetSeverityByScore | Deprecated. Calculate a weighted score based on number of malicious indicators involved in the incident. Each indicator type can have a different weight. Finally if score exceeds certain thresholds, increase incident severity. Thresholds can also be overriden by providing them in arguments. |
| SetTagsBySearch | Search entries in the war room for the pattern text, and set tags to the entries found. |
| SetTime | Fill the current time in a custom incident field |
| ShowCampaignLastIncidentOccurred | Displays the occurrence date of the last campaign incident. |
| ShowCampaignRecipients | Displays the phishing campaign recipients' email addresses and the number of incidents each email address appears in. |
| ShowCampaignSenders | Displays the phishing campaign senders' email addresses and the number of incidents each email address appears in. |
| ShowCampaignSimilarityRange | Displays the similarity range between the incidents that make up the phishing campaign. |
| ShowLocationOnMap | Show indicator geo location on map |
| ShowOnMap | Returns a map entry with a marker on the given coordinates [lat,lng], or address [requires a configured GoogleMaps instance]. |
| ShowScheduledEntries | Show all scheduled entries for specific incident. |
| SiemApiModule | Helpers and iteration logic using pydantic for Siem apps. |
| SixgillSearchIndicators | Search for Indicators |
| SlackAsk | Sends a message [question] to either user [in a direct message] or to a channel. The message includes predefined reply options. The response can also close a task [might be conditional] in a playbook. |
| SlackAskV2 | Sends a message [question] to either user [in a direct message] or to a channel. The message includes predefined reply options. The response can also close a task [might be conditional] in a playbook. |
| SlackBlockBuilder | SlackBlockBuilder will format a given Slack block into a format readable by the SlackV3 integration. The script will also send the block to the given destination. |
| Sleep | Sleep for X seconds |
| SplitCampaignContext | Splits incidents in the context data to below and above a similarity threshold. If a low similarity incident was already added to the campaign, then it will also be considered in the higher similarity incidents list. This automation runs using the default Limited User role, unless you explicitly change the permissions. |
| SplunkCIMFields | Convert Splunk CIM Fields Dynamic Into Fields Value |
| SplunkEmailParser | Deprecated. Classify an incident created from an email originating from Splunk.\nThe mail type should be in plain text, and inline - table should be selected.\nParsing is done in the following manner -\ntype is the header sourcetype, severity is the mail importance level, \nthe incident name is the mail subject and the systems are taken from host. |
| SplunkPySearch | Deprecated. No available replacement. Run a query through Splunk and format the results as a table. |
| SplunkShowAsset | Automation to display asset objects from Splunk. |
| SplunkShowDrilldown | Automation to display drilldown search results from Splunk. |
| SplunkShowIdentity | Automation to display identity objects from Splunk. |
| SSDeepReputation | Calculate ssdeep reputation based on similar files [by ssdeep similarity] on the system. |
| SSDeepSimilarity | This script finds similar files that can be related to each other by fuzzy hash [SSDeep]. |
| STA-FetchListContent | This script will get the Unusual Activity Group from "sta_unusual_activity_group" List. |
| STA-PostProcessing | Post processing script to remove the user from the Unusual Activity Group on Close Form. |
| StaticAnalyze | For phishing incidents, iterate on all attachments and run PE dump on each |
| StixCreator | Gets a list of indicators from the indicators argument, and generates a JSON file in STIX 2.0 format. |
| StopScheduledTask | This stops the scheduled task whose ID is given in the taskID argument. |
| StopTimeToAssignOnOwnerChange | Stops the "Time To Assign" timer if the owner of the incident was changed. |
| StringContainsArray | Checks whether a substring or an array of substrings is within a string array[each item will be checked]. Supports single strings as well. For example, for substrings ['a','b','c'] in a string 'a' the script will return true. |
| StringifyArray | Return the string encoded with JSON from the whole array |
| StringLength | Returns the length of the string passed as argument |
| StringReplace | Replaces regex match/es in string. Returns the string after replace was preformed. |
| Strings | Extract strings from a file with optional filter - similar to binutils strings command |
| StringToArray | Converts string to array. For example: `//example.com/?score:1,4,time:55\` will be transformed to `["//example.com/?score:1,4,time:55"]`. |
| StripAccentMarksFromString | Strip accent marks [diacritics] from a given string. For example: "Niño שָׁלוֹם Montréal اَلسَّلَامُ عَلَيْكُمْ" Will return: "Nino שלום Montreal السلام عليكم" |
| SuggestBranchName | The script gets the pack name as input and suggests an available branch name, for example: pack name is "MyPack" the branch name will be "MyPack". If a branch with the name "MyPack" exists, the script return "MyPack_1". |
| SummarizeEmailThreads | Dynamic-section script for 'Email Threads' layout. This script searches for email threads stored in the Incident context and outputs a table summarizing them. |
| TaniumFilterComputersByIndexQueryFileDetails | Get the requested sensors from all machines where the Index Query File Details match the given filter. E.g. !TaniumFilterQuestionByIndexQueryFileDetails sensors="Computer Name" filter_type=contains filter_value=Demisto limit=5 will be translated the following plain text Tanium question: "Get Computer Name from all machines with any Index Query File Details[, , , , , , *, 5] containing "Demisto"" |
| TAXII2ApiModule | Common TAXII 2 code that will be appended into each TAXII 2 integration when it's deployed |
| TextFromHTML | Extract regular text from the given HTML |
| ticksToTime | Converting time in Ticks to readable time. Ticks are used to represent time by some vendors, most commonly by Microsoft. |
| TimersOnOwnerChange | Stops the "Time To Assignment" timer once an owner is assigned to the Incident Starts the "Remediation SLA' timer once an owner is assigned to the Incident |
| TimeStampCompare | Compares a single timestamp to a list of timestamps. |
| TimeStampToDate | Converts UNIX Epoch time stamp to a simplified extended ISO format string. Use it to convert time stamp to Demisto date field e.g. 1525006939 will return '2018-04-29T13:02:19.000Z' |
| TimeToNextShift | Retrieves the time left until the next shift begins. |
| TitaniamFindIncidents | Search for protected or unprotected incidents. |
| TitaniamPreProcessRule | Protect incident sensitive information per specified mapping schema. |
| TitaniamProtectField | Protect, unprotect sensitive information per specified mapping schema/brand. |
| TitaniamProtectIncident | Protect/Unprotect [Code/Decode] incident sensitive information per specified mapping schema. |
| TopMaliciousRatioIndicators | Find the top malicious ratio indicators. Malicious ratio is defined by the ratio between the number of "bad" incidents divided by the number of total number of incidents that the indicators appears in. |
| ToTable | Convert an array to a nice table display. Usually, from the context. |
| TransformIndicatorToCSFalconIOC | Transform a XSOAR indicator into a Crowd Strike Falcon IOC. The output [found at the TransformIndicatorToCSFalconIOC.JsonOutput context path] is a JSON, which represents the indicators in CS Falcon format. This JSON can be used as the input for the cs-falcon-batch-upload-custom-ioc command. |
| TransformIndicatorToMSDefenderIOC | Transform a XSOAR indicator into a Microsoft Defender for Endpoint IOC. The output [at TransformIndicatorToMSDefenderIOC.JsonOutput] is a json representation of the indicators in MSDE format. This json can be the input for the microsoft-atp-indicator-batch-update command. |
| TrendmicroAlertStatus | Deprecated. No available replacement. |
| TrendmicroAntiMalwareEventRetrieve | Deprecated. No available replacement. |
| TrendMicroClassifier | Deprecated. No available replacement. |
| TrendMicroGetHostID | Deprecated. No available replacement. |
| TrendMicroGetPolicyID | Deprecated. No available replacement. |
| TrendmicroHostAntimalwareScan | Deprecated. No available replacement. |
| TrendmicroHostRetrieveAll | Deprecated. No available replacement. |
| TrendmicroSecurityProfileAssignToHost | Deprecated. No available replacement. |
| TrendmicroSecurityProfileRetrieveAll | Deprecated. No available replacement. |
| TrendmicroSystemEventRetrieve | Deprecated. No available replacement. |
| UnEscapeIPs | Remove escaping chars from IP 127[.]0[.]0[.]1 -> 127.0.0.1 |
| UnEscapeURLs | Extract URLs redirected by security tools like Proofpoint. Changes //urldefense.proofpoint.com/v2/url?u=https-3A__example.com_something.html -> //example.com/something.html Also, un-escape URLs that are escaped for safety with formats like hxxps://www[.]demisto[.]com |
| UnPackFile | Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context. supported types are: 7z [.7z], ACE [.ace], ALZIP [.alz], AR [.a], ARC [.arc], ARJ [.arj], BZIP2 [.bz2], CAB [.cab], compress [.Z], CPIO [.cpio], DEB [.deb], DMS [.dms], GZIP [.gz], LRZIP [.lrz], LZH [.lha, .lzh], LZIP [.lz], LZMA [.lzma], LZOP [.lzo], RPM [.rpm], RAR [.rar], RZIP [.rz], TAR [.tar], XZ [.xz], ZIP [.zip, .jar] and ZOO [.zoo] |
| UnzipFile | Unzip a file using fileName or entryID to specify a file. Unzipped files will be loaded to the War Room and names will be put into the context. |
| URLDecode | Converts %2F%2Fexample.com into //example.com |
| URLNumberOfAds | Fetches the numbers of ads in the given url |
| URLReputation | A context script for URL entities |
| UrlscanGetHttpTransactions | Deprecated. No available replacement. |
| URLSSLVerification | Verify URL SSL certificate |
| UserEnrichAD | Deprecated. Use ADGetUser instead. |
| UtilAnyResults | Utility script to use in playbooks - returns "yes" if the input is non-empty. |
| ValidateContent | Runs validation and linting using the Demisto SDK on content items, such as integrations, automations and content packs. This automation script is used as part of the content validation that runs as part of the contribution flow. |
| VerifyEnoughIncidents | Check whether a given query returns enough incidents. |
| VerifyHumanReadableContains | Verify given entry contains a string |
| VerifyIntegrationHealth | Checks for existing errors in a given integration. |
| VerifyIPv4Indicator | Verify that the address is a valid IPv4 address. |
| VerifyIPv6Indicator | Verify that the address is a valid IPv6 address. |
| VerifyJSON | Verifies if the supplied JSON string is valid and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet. |
| VerifyObjectFieldsList | Verifies that a given object includes all the given fields. |
| VersionEqualTo | Tests whether left side version number is equal to right side version number. Version numbers need to have at least a major and minor version component to be considered valid. E.g. 1.0 |
| VersionGreaterThan | Tests whether left side version number is greater than right side version number. Version numbers need to have at least a major and minor version component to be considered valid. E.g. 1.0 |
| VersionLessThan | Tests whether left side version number is less than right side version number. Version numbers need to have at least a major and minor version component to be considered valid. E.g. 1.0 |
| VolApihooks | Volatility script for command apihooks |
| Volatility | Execute volatility with command and return tabular output. Incase where proper json output is not supported, scripts returns error. User should use raw command. |
| VolConnscan | Volatility script for command connscan |
| VolDlllist | Volatility script for command ldrmodules |
| VolGetProcWithMalNetConn | Volatility script for getting the list of processes that have connections to ip address with bad reputation. |
| VolImageinfo | Volatility script for command imageinfo |
| VolJson | Execute volatility with command and file as parameters and return output as json. |
| VolLDRModules | Volatility script for command ldrmodules |
| VolMalfind | Volatility script for command ldrmodules |
| VolMalfindDumpAgent | Volatility script for command ldrmodules |
| VolNetworkConnections | Volatility script for finding all the network connections. This script runs through different commands based on the profile provided. |
| VolPSList | Volatility script for command pslist |
| VolRaw | Execute volatility with command and file as parameters and returns raw output from stdout. |
| VolRunCmds | Execute volatility with command and return tabular output. Incase where proper json output is not supported, scripts returns error. User should use raw command. |
| WaitAndCompleteTask | Wait and complete tasks by given status. Used for test playbooks. |
| WaitForKey | A simple loop to inspect the context for a specific key. If the key is not found after "iterations" loops, the script exits with a message. |
| WebScraper | An Automation Script to Web Scrap a URL or HTML Page |
| WhereFieldEquals | Return all items from the list where their given 'field' attribute is equal to 'equalTo' argument E.g. !WhereFieldEquals with the following arguments: Will return all items names where field 'type' equals 'IP' - ['192.1,0.82', '172.0.0.2'] |
| XBInfo | Deprecated. This script is deprecated. Use the Exabeam integration instead. |
| XBLockouts | Deprecated. This script is deprecated. Use the Exabeam integration instead. |
| XBNotable | Deprecated. This script is deprecated. Use the Exabeam integration instead. |
| XBTimeline | Deprecated. This script is deprecated. Use the Exabeam integration instead. |
| XBTriggeredRules | Deprecated. This script is deprecated. Use the Exabeam integration instead. |
| XBUser | Deprecated. This script is deprecated. Use the Exabeam integration instead. |
| xsoar-ws-parse-context | To parse the context data after running xsoar-ws-get-action-status and resend emails to recipients who have not responded |
| YaraScan | Performs a Yara scan on the specified files. |
| ZipFile | Zip a file and upload to war room |
| ZipStrings | Joins values from two lists by index according to a given format. |
| ZTAPBuildTimeline | Deprecated. Comment ingestion simplified and audit log ingestion removed. No available replacement. Adds unmarked log/comment notes as evidence in the timeline. |
| ZTAPExtractFields | Extracts ZTAP fields into a format parsable to grab as indicators |
| ZTAPParseFields | Parses ZTAP event fields to display as key/value pairs in a dynamic table. |
| ZTAPParseLinks | Parses ZTAP external links to display in a dynamic table. |
API Reference#
| Demisto Class | The object exposes a series of API methods which are used to retrieve and send data to the Cortex XSOAR Server. |
| Common Server Python | Common functions that will be appended to the code of each integration/script before being executed. |
Content Release Notes#
| Content Release 22.2.0 | Published on 09 February 2022 |
| Content Release 22.1.0 | Published on 24 January 2022 |
| Content Release 21.12.1 | Published on 21 December 2021 |
| Content Release 21.12.0 | Published on 07 December 2021 |
| Content Release 21.11.1 | Published on 23 November 2021 |
| Content Release 21.11.0 | Published on 09 November 2021 |
| Content Release 21.10.1 | Published on 26 October 2021 |
| Content Release 21.10.0 | Published on 12 October 2021 |
| Content Release 21.9.1 | Published on 29 September 2021 |
| Content Release 21.9.0 | Published on 14 September 2021 |
| Content Release 21.8.2 | Published on 31 August 2021 |
| Content Release 21.8.1 | Published on 17 August 2021 |
| Content Release 21.8.0 | Published on 03 August 2021 |
| Content Release 21.7.1 | Published on 20 July 2021 |
| Content Release 21.7.0 | Published on 06 July 2021 |
| Content Release 21.6.1 | Published on 22 June 2021 |
| Content Release 21.6.0 | Published on 08 June 2021 |
| Content Release 21.5.1 | Published on 25 May 2021 |
| Content Release 21.5.0 | Published on 11 May 2021 |
| Content Release 21.4.1 | Published on 27 April 2021 |
| Content Release 21.4.0 | Published on 13 April 2021 |
| Content Release 21.3.2 | Published on 30 March 2021 |
| Content Release 21.3.1 | Published on 16 March 2021 |
| Content Release 21.3.0 | Published on 02 March 2021 |
Additional archived release notes are available here.
How does EDL work in Palo Alto?
The EDL Hosting Service is a list of Software-as-a-Service [SaaS] application endpoints maintained by Palo Alto Networks. Each Feed URL below contains an external dynamic list [EDL] that is checked daily for any new endpoints added to the publicly available Feed URLs published by the SaaS application provider.
What is external dynamic?
External dynamic content lets you pull in and populate campaign content using an external URL endpoint. You can pass data to your URL by attaching contact data fields to the query string.
What are Palo Alto bulletproof IP addresses?
Palo Alto Networks Bulletproof IP Addresses—Contains IP addresses provided by bulletproof hosting providers. Because bulletproof hosting providers place few, if any, restrictions on content, attackers frequently use these services to host and distribute malicious, illegal, and unethical material.