Playbooks

| Name | SOAR App | D3FEND | Use Case |
|---|---|---|---|
| AD LDAP Account Locking | AD LDAP | D3-AL | Phishing, Endpoint |
| AD LDAP Account Unlocking | AD LDAP | | |
| AD LDAP Entity Attribute Lookup | AD LDAP | | Enrichment |
| AWS IAM Account Locking | AWS IAM | D3-AL | Phishing, Endpoint |
| AWS IAM Account Unlocking | AWS IAM | D3-RUAA | |
| Active Directory Disable Account Dispatch | AD LDAP, Azure AD Graph | D3-AL | Phishing, Endpoint |
| Active Directory Enable Account Dispatch | AD LDAP, Azure AD Graph, AWS IAM | | |
| Attribute Lookup Dispatch | | | Enrichment |
| Automated Enrichment | | | |
| Azure AD Account Locking | Azure AD Graph | D3-AL | Phishing, Endpoint |
| Azure AD Account Unlocking | Azure AD Graph | D3-RUAA | |
| Azure AD Graph User Attribute Lookup | Azure AD Graph | | Enrichment |
| Cisco Umbrella DNS Denylisting | Cisco Umbrella | D3-DNSDL | Phishing, Endpoint |
| CrowdStrike OAuth API Device Attribute Lookup | CrowdStrike OAuth API | | Enrichment, Endpoint |
| CrowdStrike OAuth API Dynamic Analysis | CrowdStrike OAuth API | D3-DA | Enrichment, Phishing, Endpoint |
| CrowdStrike OAuth API Identifier Activity Analysis | CrowdStrike OAuth API | D3-IAA | Enrichment, Endpoint |
| DNS Denylisting Dispatch | | D3-DNSDL | Phishing, Endpoint |
| Dynamic Analysis Dispatch | | D3-DA | Enrichment, Phishing, Endpoint |
| G Suite for GMail Message Identifier Activity Analysis | G Suite for GMail | D3-IAA | Phishing |
| G Suite for Gmail Message Eviction | G Suite for GMail | D3-ER | Phishing |
| G Suite for Gmail Search and Purge | G Suite for GMail | D3-ER, D3-IAA | Phishing |
| Identifier Activity Analysis Dispatch | | D3-IAA | Enrichment |
| Identifier Reputation Analysis Dispatch | | D3-IRA | Enrichment |
| Jira Related Tickets Search | Jira | D3-IRA | |
| MS Graph for Office 365 Message Eviction | MS Graph for Office 365 | D3-ER | Phishing |
| MS Graph for Office 365 Message Identifier Activity Analysis | MS Graph for Office 365 | D3-IAA | Phishing |
| MS Graph for Office 365 Message Restore | MS Graph for Office 365 | D3-RE | Phishing |
| MS Graph for Office 365 Search and Purge | MS Graph for Office 365 | D3-ER, D3-IAA | Phishing |
| MS Graph for Office 365 Search and Restore | MS Graph for Office 365 | D3-RE | Phishing |
| Panorama Outbound Traffic Filtering | Panorama | D3-OTF | Phishing, Endpoint |
| PhishTank URL Reputation Analysis | PhishTank | D3-IRA | Enrichment, Phishing |
| Related Tickets Search Dispatch | | | Enrichment |
| ServiceNow Related Tickets Search | ServiceNow | D3-IRA | Enrichment |
| Splunk Attack Analyzer Dynamic Analysis | Splunk Attack Analyzer Connector for Splunk SOAR | D3-DA | Enrichment, Phishing, Endpoint |
| Splunk Automated Email Investigation | | D3-DA, D3-SRA | Phishing |
| Splunk Identifier Activity Analysis | Splunk | D3-IAA | Enrichment |
| Splunk Message Identifier Activity Analysis | Splunk | D3-IAA | Phishing |
| Splunk Notable Related Tickets Search | Splunk | | Enrichment |
| URL Outbound Traffic Filtering Dispatch | | D3-OTF | Phishing, Endpoint |
| UrlScan IO Dynamic Analysis | urlscan.io | D3-DA | Enrichment, Phishing, Endpoint |
| VirusTotal V3 Dynamic Analysis | VirusTotal v3 | D3-DA | Enrichment, Phishing, Endpoint |
| VirusTotal v3 Identifier Reputation Analysis | VirusTotal v3 | D3-IRA, D3-URA, D3-DNRA, D3-IPRA, D3-FHRA | Enrichment |
| Windows Defender ATP Identifier Activity Analysis | Windows Defender ATP | D3-IAA | Enrichment, Endpoint |
| ZScaler Outbound Traffic Filtering | Zscaler | D3-OTF | Phishing, Endpoint |
| ActiveDirectory Reset password | AD LDAP | | |
| AWS Disable User Accounts | AWS IAM | | |
| AWS Find Inactive Users | AWS IAM, Phantom | | |
| Block Indicators | Palo Alto Networks Firewall, Carbon Black Response, Cisco Umbrella | | |
| Crowdstrike Malware Triage | CrowdStrike OAuth API | | |
| Delete Detected Files | Windows Remote Management | | |
| Email Notification for Malware | VirusTotal, WildFire, Carbon Black Response, SMTP | | |
| Hunting | Splunk, Reversing Labs, Carbon Black Response, Threat Grid, Falcon Host API | | |
| Internal Host Splunk Investigate log4j | Splunk | | |
| Internal Host SSH Investigate | SSH | | |
| Internal Host SSH Log4j Investigate | SSH | | |
| Internal Host SSH Log4j Respond | SSH | | |
| Internal Host WinRM Investigate | Windows Remote Management | | |
| Internal Host WinRM Log4j Investigate | Windows Remote Management | | |
| Internal Host WinRM log4j Respond | Windows Remote Management | | |
| Log4j Investigate | | | |
| Log4j Respond | | | |
| Malware Hunt and Contain | LDAP, ServiceNow, Carbon Black Response, VirusTotal | | |
| Ransomware Investigate and Contain | Carbon Black Response, LDAP, Palo Alto Networks Firewall, WildFire, Cylance | | |
| Risk Notable Block Indicators | | | |
| Risk Notable Enrich | | | |
| Risk Notable Import Data | Splunk | | |
| Risk Notable Investigate | | | |
| Risk Notable Merge Events | | | |
| Risk Notable Mitigate | | | |
| Risk Notable Preprocess | Splunk | | |
| Risk Notable Protect Assets and Users | | | |
| Risk Notable Review Indicators | | | |
| Risk Notable Verdict | | | |
| Start Investigation | | | |
| Threat Intel Investigate | | | |
| TruSTAR Enrich Indicators | TruSTAR | | |