Playbooks

| Name | SOAR App | D3FEND | Use Case |
|---|---|---|---|
| AD LDAP Account Locking | AD LDAP | Account Locking | Phishing, Endpoint |
| AD LDAP Account Unlocking | AD LDAP | | |
| AD LDAP Entity Attribute Lookup | AD LDAP | | Enrichment |
| AWS Disable User Accounts | AWS IAM | | |
| AWS Find Inactive Users | AWS IAM, Phantom | | |
| AWS IAM Account Locking | AWS IAM | Account Locking | Phishing, Endpoint |
| AWS IAM Account Unlocking | AWS IAM | | |
| Active Directory Disable Account Dispatch | AD LDAP, Azure AD Graph | Account Locking | Phishing, Endpoint |
| Active Directory Enable Account Dispatch | microsoft_ad_ldap, azure_ad_graph, aws_iam | | |
| Active Directory Reset password | AD LDAP | | |
| Attribute Lookup Dispatch | | | Enrichment |
| Automated Enrichment | | | |
| Azure AD Account Locking | Azure AD Graph | Account Locking | Phishing, Endpoint |
| Azure AD Account Unlocking | Azure AD Graph | | |
| Azure AD Graph User Attribute Lookup | Azure AD Graph | | Enrichment |
| Block Indicators | Palo Alto Networks Firewall, Carbon Black Response, Cisco Umbrella | | |
| Cisco Umbrella DNS Denylisting | Cisco Umbrella | DNS Denylisting | Phishing, Endpoint |
| CrowdStrike OAuth API Device Attribute Lookup | CrowdStrike OAuth API | | Enrichment, Endpoint |
| CrowdStrike OAuth API Dynamic Analysis | CrowdStrike OAuth API | Dynamic Analysis | Enrichment, Phishing, Endpoint |
| CrowdStrike OAuth API Identifier Activity Analysis | CrowdStrike OAuth API | Identifier Activity Analysis | Enrichment, Endpoint |
| Crowdstrike Malware Triage | CrowdStrike OAuth API | | |
| DNS Denylisting Dispatch | | DNS Denylisting | Phishing, Endpoint |
| Delete Detected Files | Windows Remote Management | | |
| Dynamic Analysis Dispatch | | Dynamic Analysis | Enrichment, Phishing, Endpoint |
| Email Notification for Malware | VirusTotal, WildFire, Carbon Black Response, SMTP | | |
| G Suite for GMail Message Identifier Activity Analysis | G Suite for GMail | Identifier Activity Analysis | Phishing |
| G Suite for Gmail Message Eviction | G Suite for GMail | | Phishing |
| G Suite for Gmail Search and Purge | G Suite for GMail | | Phishing |
| Hunting | Splunk, Reversing Labs, Carbon Black Response, Threat Grid, Falcon Host API | | |
| Identifier Activity Analysis Dispatch | | Identifier Activity Analysis | Enrichment |
| Identifier Reputation Analysis Dispatch | | Identifier Reputation Analysis | Enrichment |
| Internal Host SSH Investigate | SSH | | |
| Internal Host SSH Log4j Investigate | SSH | | |
| Internal Host SSH Log4j Response | SSH | | |
| Internal Host WinRM Investigate | Windows Remote Management | | |
| Internal Host WinRM Log4j Investigate | Windows Remote Management | | |
| Internal Host WinRM Response | Windows Remote Management | | |
| Jira Related Tickets Search | Jira | | |
| Log4j Investigate | | | |
| Log4j Respond | | | |
| Log4j Splunk Investigation | Splunk | | |
| MS Graph for Office 365 Message Eviction | MS Graph for Office 365 | | Phishing |
| MS Graph for Office 365 Message Identifier Activity Analysis | MS Graph for Office 365 | Identifier Activity Analysis | Phishing |
| MS Graph for Office 365 Message Restore | MS Graph for Office 365 | | Phishing |
| MS Graph for Office365 Search and Purge | MS Graph for Office 365 | | Phishing |
| MS Graph for Office365 Search and Restore | MS Graph for Office 365 | | Phishing |
| Malware Hunt and Contain | LDAP, ServiceNow, Carbon Black Response, VirusTotal | | |
| Panorama Outbound Traffic Filtering | Panorama | | Phishing, Endpoint |
| PhishTank URL Reputation Analysis | PhishTank | Identifier Reputation Analysis | Enrichment, Phishing |
| Ransomware Investigate and Contain | Carbon Black Response, LDAP, Palo Alto Networks Firewall, WildFire, Cylance | | |
| Related Tickets Search Dispatch | | | Enrichment |
| Risk Notable Block Indicators | | | |
| Risk Notable Enrich | | | |
| Risk Notable Import Data | Splunk | | |
| Risk Notable Investigate | | | |
| Risk Notable Merge Events | | | |
| Risk Notable Mitigate | | | |
| Risk Notable Preprocess | Splunk | | |
| Risk Notable Protect Assets and Users | | | |
| Risk Notable Review Indicators | | | |
| Risk Notable Verdict | | | |
| ServiceNow Related Tickets Search | ServiceNow | | Enrichment |
| Splunk Attack Analyzer Dynamic Analysis | Splunk Attack Analyzer Connector for Splunk SOAR | Dynamic Analysis | Enrichment, Phishing, Endpoint |
| Splunk Automated Email Investigation | | Dynamic Analysis | Phishing |
| Splunk Identifier Activity Analysis | Splunk | Identifier Activity Analysis | Enrichment |
| Splunk Message Identifier Activity Analysis | Splunk | Identifier Activity Analysis | Phishing |
| Splunk Notable Related Tickets Search | Splunk | | Enrichment |
| Start Investigation | | | |
| Threat Intel Investigate | | | |
| TruSTAR Enrich Indicators | TruSTAR | | |
| URL Outbound Traffic Filtering Dispatch | | | Phishing, Endpoint |
| UrlScan IO Dynamic Analysis | urlscan.io | Dynamic Analysis | Enrichment, Phishing, Endpoint |
| VirusTotal V3 Dynamic Analysis | VirusTotal v3 | Dynamic Analysis | Enrichment, Phishing, Endpoint |
| VirusTotal v3 Identifier Reputation Analysis | VirusTotal v3 | Identifier Reputation Analysis | Enrichment |
| Windows Defender ATP Identifier Activity Analysis | Windows Defender ATP | Identifier Activity Analysis | Enrichment, Endpoint |
| ZScaler Outbound Traffic Filtering | Zscaler | | Phishing, Endpoint |