Playbooks

Playbooks are automated workflows built on Azure Logic Apps that respond to alerts and incidents. They can perform actions such as enriching alerts with threat intelligence, isolating compromised devices, blocking malicious IPs, notifying stakeholders, or creating tickets in external systems.

865 playbooks across all Microsoft Sentinel solutions.

Source: 📦 Solution | 📄 Standalone | 🔗 GitHub Only

Name Source
ProofpointTAP-CheckAccountInVAP 📦 ProofPointTap
2S-MISP-Forwarder 📄 Standalone Content
2S-MISP-Orchestrator 📄 Standalone Content
[Deprecated] Intel 471 Malware Intelligence to Graph Security 📦 Intel471

A

Name Source
AbuseIPDB Blacklist Ip To Threat Intelligence 📦 AbuseIPDB
AbuseIPDB Enrich Incident By IP Info 📦 AbuseIPDB
AbuseIPDB Report IPs To AbuseIPDB After User Response In MSTeams 📦 AbuseIPDB
AD4IoT-AutoAlertStatusSync 📦 IoTOTThreatMonitoringwithDefenderforIoT
AD4IoT-AutoCloseIncidents 📦 IoTOTThreatMonitoringwithDefenderforIoT
AD4IoT-AutoCloseIncidents 🔗 GitHub Only
AD4IoT-AutoTriageIncident 📦 IoTOTThreatMonitoringwithDefenderforIoT
AD4IoT-CVEAutoWorkflow 📦 IoTOTThreatMonitoringwithDefenderforIoT
AD4IoT-MailByProductionLine 📦 IoTOTThreatMonitoringwithDefenderforIoT
AD4IoT-MailByProductionLine 🔗 GitHub Only
AD4IoT-NewAssetServiceNowTicket 📦 IoTOTThreatMonitoringwithDefenderforIoT
AD4IoT-NewAssetServiceNowTicket 🔗 GitHub Only
AD4IoT-SendEmailtoIoTOwner 📦 IoTOTThreatMonitoringwithDefenderforIoT
Add Asset to Protection - Zero Networks Segment 📦 ZeroNetworks
Add Block Outbound Rule - Zero Networks Acccess Orchestrator 📦 ZeroNetworks
Add Dynatrace Application Security Attack Source IP Address to Threat Intelligence 📦 Dynatrace
Add Host To Watchlist - Alert Trigger 📦 Watchlists Utilities
Add Host To Watchlist - Incident Trigger 📦 Watchlists Utilities
Add IP Entity To Named Location 📄 Standalone Content
Add IP Entity To Network Security Group 📄 Standalone Content
Add IP To Watchlist - Alert Trigger 📦 Watchlists Utilities
Add IP To Watchlist - Incident Trigger 📦 Watchlists Utilities
Add URL - Netskope 📄 Standalone Content
Add URL To Watchlist - Alert Trigger 📦 Watchlists Utilities
Add URL To Watchlist - Incident Trigger 📦 Watchlists Utilities
Add User To Watchlist - Alert Trigger 📦 Watchlists Utilities
Add User To Watchlist - Incident Trigger 📦 Watchlists Utilities
Advanced ServiceNow Teams Integration Playbook 📦 Teams
ADX-health-playbook 🔗 GitHub Only
Affected-Key-Credentials-Scanner 📄 Standalone Content
aggregate-ServiceNow-tickets 📄 Standalone Content
AI-Commandline-Analysis 🔗 GitHub Only
Alert trigger empty playbook 📄 Standalone Content
Armis Update Alert Status 📦 Armis
AS-Add-Azure-AD-User-Job-Title-to-Incident 📄 Standalone Content
AS-Add-Domains-to-Zscaler-URL-Category 📄 Standalone Content
AS-Add-Machine-Logon-Users-to-Incident 📄 Standalone Content
AS-Azure-AD-Disable-User 📄 Standalone Content
AS-Azure-AD-Enable-User 📄 Standalone Content
AS-Azure-AD-Group 📄 Standalone Content
AS-Blob-Storage-Add-Domains-to-Zscaler-URL-Category 📄 Standalone Content
AS-Block-GitHub-User 📄 Standalone Content
AS-Block-Hash-in-Defender 📄 Standalone Content
AS-Checkmarx-Audit-Ingestion 📄 Standalone Content
AS-Checkmarx-SAST-Ingestion 📄 Standalone Content
AS-Clear-Okta-Network-Zone-List 📄 Standalone Content
AS-Compromised-Machine-Tagging 📄 Standalone Content
AS-Create-Opsgenie-Incident 📄 Standalone Content
AS-CrowdstrikeAlerts-Integration 📄 Standalone Content
AS-Datadog-Events-Integration 📄 Standalone Content
AS-Delete-App-Registration 📄 Standalone Content
AS-Disable-Microsoft-Entra-ID-User-From-Entity 📄 Standalone Content
AS-Edgescan-Integration-Assets 📄 Standalone Content
AS-Edgescan-Integration-Hosts 📄 Standalone Content
AS-Edgescan-Integration-Vulnerabilities 📄 Standalone Content
AS-Enable-Microsoft-Entra-ID-User-From-Entity 📄 Standalone Content
AS-Get-HostExposureLevel-From-MDE 📄 Standalone Content
AS-IAM-Entra-ID-Master-Playbook 📄 Standalone Content
AS-IAM-Master-Playbook 📄 Standalone Content
AS-Import-Azure-AD-Group-Users-to-MS-Watchlist 📄 Standalone Content
AS-Incident-IP-Matched-on-Watchlist 📄 Standalone Content
AS-Incident-Response-Approval-Email 📄 Standalone Content
AS-Incident-Spiderfoot-Scan 📄 Standalone Content
AS-IP-Blocklist 📄 Standalone Content
AS-IP-Blocklist-HTTP 📄 Standalone Content
AS-IP-Blocklist-Remove-IPs 📄 Standalone Content
AS-Make-GitHub-Repository-Private 📄 Standalone Content
AS-MDE-Isolate-Machine 📄 Standalone Content
AS-MDE-Unisolate-Machine 📄 Standalone Content
AS-Microsoft-DCR-Log-Ingestion 📄 Standalone Content
AS-Microsoft-Entra-ID-Revoke-User-Sessions-HTTP 📄 Standalone Content
AS-MuleSoft-Integration 📄 Standalone Content
AS-Okta-NetworkZoneUpdate 📄 Standalone Content
AS-Okta-NetworkZoneUpdate-HTTP 📄 Standalone Content
AS-Okta-Terminate-User-Sessions-HTTP 📄 Standalone Content
AS-PagerDuty-Integration 📄 Standalone Content
AS-Recurring-Host-Entity 📄 Standalone Content
AS-Remove-Domains-from-Zscaler-URL-Category 📄 Standalone Content
AS-Revoke-Entra-ID-User-Session-From-Entity 📄 Standalone Content
AS-Revoke-Entra-ID-User-Session-From-Incident 📄 Standalone Content
AS-Sign-Out-Google-User 📄 Standalone Content
AS-Slack-Integration 📄 Standalone Content
AS-Terminate-Okta-User-Sessions-From-Entity 📄 Standalone Content
AS-Update-Okta-Network-Zone-From-Entity 📄 Standalone Content
Atlassian Beacon Integration 📦 Integration for Atlassian Beacon
AusCtisExportTaggedIndicators 📦 Australian Cyber Security Centre
AutoConnect-ASCSubscriptions 📄 Standalone Content
AWS - Disable S3 Bucket Public Access 📦 AWS_IAM
AWS Athena - Execute Query and Get Results 📦 AWSAthena
AWS IAM - Add tag to user 📦 AWS_IAM
AWS IAM - Delete access keys 📦 AWS_IAM
AWS IAM - Enrich incident with user info 📦 AWS_IAM
AWS Systems Manager - Get Missing Patches for EC2 Instances 📦 AWS Systems Manager
AWS Systems Manager - Get Missing Patches for EC2 Instances for given Hostname 📦 AWS Systems Manager
AWS Systems Manager - Get Missing Patches for EC2 Instances for given Private IP 📦 AWS Systems Manager
AWS Systems Manager - Run Automation Runbook 📦 AWS Systems Manager
AWS Systems Manager - Stop Managed EC2 Instances 📦 AWS Systems Manager
AWS Systems Manager - Stop Managed EC2 Instances Host Entity Trigger 📦 AWS Systems Manager
AWS Systems Manager - Stop Managed EC2 Instances IP Entity Trigger 📦 AWS Systems Manager
Azure Firewall - Add IP Address to Threat Intel Allow list 📦 Azure Firewall

B

Name Source
Base playbook - F5 BIG-IP 📄 Standalone Content
Block AAD user or admin - Alert 📄 Standalone Content
Block AAD user or admin - incident 📄 Standalone Content
Block Device Client - Cisco Meraki 📦 CiscoMeraki
Block Entra ID user - Incident 📦 Microsoft Entra ID
Block IP & URL on fortiweb cloud 📦 Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel
Block IP & URL on ThreatX-WAF cloud 📦 ThreatXCloud
Block IP - Azure Firewall IP groups 📦 Azure Firewall
Block IP - Azure Firewall IP groups - Entity trigger 📦 Azure Firewall
Block IP - Cisco ASA 📦 CiscoASA
Block IP - Cisco ASA 📄 Standalone Content
Block IP - Cisco Firepower 📦 Cisco Firepower EStreamer
Block IP - F5 BIG-IP 📄 Standalone Content
Block IP - Palo Alto PAN-OS 📄 Standalone Content
Block IP - Palo Alto PAN-OS - Entity trigger 📦 PaloAlto-PAN-OS
Block IP - Take Action from Teams - Cisco Firepower 📦 Cisco Firepower EStreamer
Block IP - Zscaler 📄 Standalone Content
Block IP Address - Cisco Meraki 📦 CiscoMeraki
Block IP addresses - ForcepointNGFW 📄 Standalone Content
Block IP addresses by Username - ForcepointNGFW 📄 Standalone Content
Block IP in Exchange On-Prem 📄 Standalone Content
Block Microsoft Entra ID user - Alert 📦 Microsoft Entra ID
Block Microsoft Entra ID user - Entity trigger 📦 Microsoft Entra ID
Block or Unblock IP addresses - ForcepointNGFW 📄 Standalone Content
Block Risky/Compromised User From Entrust 📦 Entrust identity as Service
Block URL - Cisco Firepower 📦 Cisco Firepower EStreamer
Block URL - Cisco Meraki 📦 CiscoMeraki
Block URL - F5 BIG-IP 📄 Standalone Content
Block URL - Palo Alto PAN-OS 📄 Standalone Content
Block URL - Palo Alto Wildfire and PAN-OS 📄 Standalone Content
Block URL From Teams - Palo Alto Wildfire and PAN-OS 📄 Standalone Content
Block URLs - ForcepointNGFW 📄 Standalone Content
Block_IPs_on_MDATP_Using_GraphSecurity 📄 Standalone Content
BlockADOnPremUser 📄 Standalone Content
BlockIP-Azure Firewall New Rule 📦 Azure Firewall
BlockIP-Azure Firewall New Rule - Entity trigger 📦 Azure Firewall

C

Name Source
C19ImportToSentinel 🔗 GitHub Only
C19IndicatorProcessor 🔗 GitHub Only
CDC_Dismiss_Upstream_Events 📄 Standalone Content
Censys Ad-Hoc IOC Lookup 📦 Censys
Censys Add Incident Comment 📦 Censys
Censys Alert Enrichment 📦 Censys
Censys Alert Rescan 📦 Censys
Censys Entity Enrichment - Certificate 📦 Censys
Censys Entity Enrichment - Host 📦 Censys
Censys Entity Enrichment - Web Property 📦 Censys
Censys Host History 📦 Censys
Censys Incident Enrichment 📦 Censys
Censys Related Infrastructure 📦 Censys
Censys Rescan 📦 Censys
Change Incident Severity 📄 Standalone Content
Change-Incident-Severity 📄 Standalone Content
Check Point EM - Importer (Alerts → Sentinel Incidents) 📦 Check Point Cyberint Alerts
Check Point Exposure Management - Credential Leak Validation and Response 📦 Check Point Cyberint Alerts
Check Point Exposure Management - Exporter (Sentinel → Argos) 📦 Check Point Cyberint Alerts
Check Point Exposure Management - Fetch Attachments On-Demand 📦 Check Point Cyberint Alerts
Check Point Exposure Management - IOC Enrichment and Triage 📦 Check Point Cyberint Alerts
Check Point Exposure Management - Manual Status Update (Sentinel → Argos) 📦 Check Point Cyberint Alerts
Check Point Exposure Management - Phishing Takedown 📦 Check Point Cyberint Alerts
Check Point Exposure Management - Vulnerability Exploitation Monitoring 📦 Check Point Cyberint Alerts
CheckPhish - Get URL reputation 📦 CheckPhish by Bolster
checkpoint-add-host-to-group 📦 Check Point
Cisco ASA - Create or Inbound Access Rule On Interface 📦 CiscoASA
Cisco ASA - Create or Inbound Access Rule On Interface 📄 Standalone Content
Cisco ASA - Create or remove access rules on an interface for IP Addresses 📦 CiscoASA
Cisco ASA - Create or remove access rules on an interface for IP Addresses 📄 Standalone Content
CiscoISE-False Positives Clear Policies 📦 Cisco ISE
CiscoISE-SuspendGuestUser 📦 Cisco ISE
CiscoISE-TakeEndpointActionFromTeams 📦 Cisco ISE
CiscoSDWANIntrusionLogicAPP 📦 Cisco SD-WAN
CiscoSDWANLogicAPP 📦 Cisco SD-WAN
CiscoSDWANReport 📦 Cisco SD-WAN
CiscoUmbrella-AddIpToDestinationList 📦 CiscoUmbrella
CiscoUmbrella-AssignPolicyToIdentity 📦 CiscoUmbrella
CiscoUmbrella-BlockDomain 📦 CiscoUmbrella
CiscoUmbrella-GetDomainInfo 📦 CiscoUmbrella
Close Cohesity Helios Incident 📦 CohesitySecurity
Close-Incident-MCAS 📄 Standalone Content
Close-SentinelIncident-from-ServiceNow 📄 Standalone Content
Cohesity Create or Update ServiceNow incident 📦 CohesitySecurity
Cohesity Incident Email 📦 CohesitySecurity
Comment-OriginAlertURL 🔗 GitHub Only
Comment_RemediationSteps 🔗 GitHub Only
Commvault Disable Data Aging Logic App Playbook 📦 Commvault Security IQ
Commvault Disable SAML Provider Logic App Playbook 📦 Commvault Security IQ
Commvault Disable User Logic App Playbook 📦 Commvault Security IQ
Confirm Microsoft Entra ID Risky User - Alert Triggered 📦 Microsoft Entra ID Protection
Confirm Microsoft Entra ID Risky User - Incident Triggered 📦 Microsoft Entra ID Protection
ConnectorHealthApp 🔗 GitHub Only
Create an Attack Simulator training simulation for users who did not report a phishing attempt ⚠️ 📦 Microsoft Defender XDR
Create And Update Jira Issue 📦 AtlassianJiraAudit
Create And Update ServiceNow Record 📦 Servicenow
Create Incident From Microsoft Forms Response 📦 SentinelSOARessentials
Create Incident From Shared Mailbox 📦 SentinelSOARessentials
Create Indicator - Minemeld 📦 Minemeld
Create Indicator - OpenCTI 📦 OpenCTI
Create Jira Issue 📦 AzureSecurityBenchmark
Create Jira Issue 📦 CybersecurityMaturityModelCertification(CMMC)2.0
Create Jira Issue 📦 MaturityModelForEventLogManagementM2131
Create Jira Issue 📦 NISTSP80053
Create Jira Issue 📦 ZeroTrust(TIC3.0)
Create Jira Issue alert-trigger 📦 AtlassianJiraAudit
Create Jira Issue incident-trigger 📦 AtlassianJiraAudit
Create Observable - EclecticIQ 📦 EclecticIQ
Create ServiceNow record - Alert trigger 📦 Servicenow
Create ServiceNow record - Incident trigger 📦 Servicenow
Create Zendesk ticket 📄 Standalone Content
Create-AzureDevOpsTask 📦 AzureSecurityBenchmark
Create-AzureDevOpsTask 📦 CybersecurityMaturityModelCertification(CMMC)2.0
Create-AzureDevOpsTask 📦 MaturityModelForEventLogManagementM2131
Create-AzureDevOpsTask 📦 NISTSP80053
Create-AzureDevOpsTask 📦 ZeroTrust(TIC3.0)
Create-AzureDevOpsTask-alert-trigger 📄 Standalone Content
Create-AzureDevOpsTask-incident-trigger 📄 Standalone Content
Create-IBMResilientIncident 📄 Standalone Content
Create-Incident-Logic-App 📄 Standalone Content
Create-incident-on-missing-Data-Source 📄 Standalone Content
credential-warning 📦 Flare
CrowdSecurity-Suspicious-Login-Detection 🔗 GitHub Only
Crowdstrike API authentication 📦 CrowdStrike Falcon Endpoint Protection
Crowdstrike-ResponsefromTeams 📄 Standalone Content
Cybersixgill-Alert-Status-Update 📦 Cybersixgill-Actionable-Alerts
Cyble-IOC_Enrichment-Playbook 📦 Cyble Vision
Cyble-Threat-Intel-Playbook 📄 Standalone Content
Cyble-ThreatIntelligence-Ingest-Playbook 📦 Cyble Vision
CybleVisionAlert_Status_Update 📦 Cyble Vision
Cyjax Ad Hoc Enrichment 📦 Cyjax
Cyjax Add Comment To Incident 📦 Cyjax
Cyjax Data Breaches 📦 Cyjax
Cyjax Domain Monitor 📦 Cyjax
Cyjax Incident Enrichment 📦 Cyjax
Cyren to SentinelOne IOC Automation 📦 Cyren-SentinelOne-ThreatIntelligence

D

Name Source
DataminrPulseAlertEnrichment 📦 Dataminr Pulse
Dataverse: Add SharePoint sites to watchlist 📦 Microsoft Business Applications
Dataverse: Add user to blocklist (alert trigger) 📦 Microsoft Business Applications
Dataverse: Add user to blocklist (incident trigger) 📦 Microsoft Business Applications
Dataverse: Add user to blocklist using Outlook approval workflow 📦 Microsoft Business Applications
Dataverse: Add user to blocklist using Teams approval workflow 📦 Microsoft Business Applications
Dataverse: Remove user from blocklist 📦 Microsoft Business Applications
Dataverse: Send notification to manager 📦 Microsoft Business Applications
Delete Cohesity incident blobs 📦 CohesitySecurity
Delete-Cybersixgill-Alert 📦 Cybersixgill-Actionable-Alerts
Digital Shadows Playbook to Update Incident Status 📦 Digital Shadows
Dismiss Microsoft Entra ID Risky User - Alert Triggered 📦 Microsoft Entra ID Protection
Dismiss Microsoft Entra ID Risky User – Incident Triggered 📦 Microsoft Entra ID Protection
DNSDB_Co_Located_Hosts ⚠️ 📦 Farsight DNSDB
DNSDB_Co_Located_IP_Address ⚠️ 📦 Farsight DNSDB
DNSDB_Historical_Address ⚠️ 📦 Farsight DNSDB
DNSDB_Historical_Hosts ⚠️ 📦 Farsight DNSDB
Domain ASIM Enrichment - DomainTools Iris Enrich 📦 DomainTools
Domain Breach Data - SpyCloud Enterprise 📦 SpyCloud Enterprise Protection
Domain Enrichment - DomainTools Iris Enrich 📦 DomainTools
Domain Enrichment - DomainTools Iris Investigate 📦 DomainTools
DomainTools DNSDB Co-Located Hosts 📦 DomainTools
DomainTools DNSDB Co-Located IP Addresses 📦 DomainTools
DomainTools DNSDB Historical Hosts 📦 DomainTools
DomainTools DNSDB Historical IP Addresses 📦 DomainTools
Druva Quarantine Playbook for Enterprise Workload 📦 DruvaDataSecurityCloud
Druva Quarantine Playbook for inSync Workloads 📦 DruvaDataSecurityCloud
Druva Quarantine Playbook for Shared Drive 📦 DruvaDataSecurityCloud
Druva Quarantine Playbook for Sharepoint 📦 DruvaDataSecurityCloud
Druva Quarantine Using Resource id 📦 DruvaDataSecurityCloud
Dynamic-Summaries-API-Upsert 📄 Standalone Content

E

Name Source
ElasticSearch-EnrichIncident 📦 Elastic Search
Email Address Breach Data - SpyCloud Enterprise 📦 SpyCloud Enterprise Protection
Endpoint enrichment - Carbon Black 📦 VMware Carbon Black Cloud
Endpoint enrichment - Crowdstrike 📦 CrowdStrike Falcon Endpoint Protection
Endpoint take action from Teams - Carbon Black 📦 VMware Carbon Black Cloud
Enrich Dynatrace Application Security Attack Incident 📦 Dynatrace
Enrich Dynatrace Application Security Attack with related Microsoft Defender XDR insights 📦 Dynatrace
Enrich Dynatrace Application Security Attack with related Microsoft Sentinel Security Alerts 📦 Dynatrace
Enrich file hash entities - Intezer Analyze 📄 Standalone Content
Enrich file hashes entities - MalwareBazaar 📄 Standalone Content
Enrich Incident - EclecticIQ 📦 EclecticIQ
Enrich Incident - Zero Networks Acccess Orchestrator 📦 ZeroNetworks
Enrich Incidents - ShadowByte Aria 📦 ShadowByte Aria
Enrich MD5 and SHA1 entities - CIRCL hashlookup 📄 Standalone Content
Enrich multiple entities - AlienVault-OTX 📄 Standalone Content
Enrich-Sentinel-IPQualityScore-Email-Address-Reputation 📦 IPQualityScore
Enrich-Sentinel-IPQualityScore-IP-Address-Reputation 📦 IPQualityScore
Enrich-Sentinel-IPQualityScore-Phone-Number-Reputation 📦 IPQualityScore
Enrich-Sentinel-IPQualityScore-URL-Reputation 📦 IPQualityScore
Enrich-SentinelIncident-MDATPTVM 📄 Standalone Content
Enrich_Sentinel_IPQualityScore_Domain_Reputation 📦 IPQualityScore
EnrichIP-GeoInfo-Neustar 📦 Neustar IP GeoPoint
Enrichment IP - F5 BIG-IP 📄 Standalone Content
Enrichment IP - Forcepoint 📄 Standalone Content
Enrichment URL - Forcepoint 📄 Standalone Content
Entity (IP, URL, FileHash) Enrichment - Minemeld 📦 Minemeld
Entity (IP, URL, FileHash, Account, Host) Enrichment - OpenCTI 📦 OpenCTI
Export all Incident Entities to TISC 📦 ServiceNow TISC
Export Domain Entity to TISC 📦 ServiceNow TISC
Export Hash Entity to TISC 📦 ServiceNow TISC
Export IP Entity to TISC 📦 ServiceNow TISC
Export URL Entity to TISC 📦 ServiceNow TISC
Export-Incidents-With-Comments-Report 📄 Standalone Content
Export-Report-CSV 🔗 GitHub Only

F

Name Source
Fetch IP Details From Entrust 📦 Entrust identity as Service
Fetch IP Details From Entrust - Entity 📦 Entrust identity as Service
Fetch Security Posture from Prisma Cloud 📦 PaloAltoPrismaCloud
Fetch Threat Intel from fortiwebcloud 📦 Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel
Fetch Threat Intel from ThreatX 📦 ThreatXCloud
Fetch User Details From Entrust 📦 Entrust identity as Service
Fetch User Details From Entrust - Entity 📦 Entrust identity as Service
FileHash Enrichment - Palo Alto Wildfire 📄 Standalone Content
FileHash Enrichment - Virus Total Report - Alert Triggered 📦 VirusTotal
FileHash Enrichment - Virus Total Report - Incident Triggered 📦 VirusTotal
Forescout-DNS_Sniff_Event_Playbook 📦 ForescoutHostPropertyMonitor
Fortinet-FortiGate-IPEnrichment 📦 Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel
Fortinet-FortiGate-ResponseOnBlockIP 📦 Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel
Fortinet-FortiGate-ResponseOnBlockURL 📦 Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel
Fortinet_IncidentEnrichment 🔗 GitHub Only
Fortinet_ResponseOnIP 🔗 GitHub Only
Fortinet_ResponseOnURL 🔗 GitHub Only
Four Playbook templates - F5BigIP 📄 Standalone Content

G

Name Source
GCP-DisableServiceAccountFromTeams 📦 GoogleCloudPlatformIAM
GCP-DisableServiceAccountKey 📦 GoogleCloudPlatformIAM
GCP-EnrichServiseAccountInfo 📦 GoogleCloudPlatformIAM
Generate-Incident-Logic-App 📄 Standalone Content
Get Account Breaches - HaveIBeenPwned 📄 Standalone Content
Get Sentinel Alerts Evidence - incident trigger 📄 Standalone Content
Get Site Breaches - HaveIBeenPwned 📄 Standalone Content
Get System Info - Palo Alto PAN-OS XML API 📦 PaloAlto-PAN-OS
Get System Info - Palo Alto PAN-OS XML API 📄 Standalone Content
Get Threat PCAP - Palo Alto PAN-OS XML API 📦 PaloAlto-PAN-OS
Get Threat PCAP - Palo Alto PAN-OS XML API 📄 Standalone Content
Get-AD4IoTDeviceCVEs - Alert 📄 Standalone Content
Get-AD4IoTDeviceCVEs - Incident ⚠️ 📦 IoTOTThreatMonitoringwithDefenderforIoT
Get-AD4IoTDeviceCVEs - Incident 📄 Standalone Content
Get-AlertEntitiesEnrichment 🔗 GitHub Only
Get-AlienVault_OTX_V2 🔗 GitHub Only
Get-ASCRecommendations 📄 Standalone Content
Get-GeoFromIpAndTagIncident 📄 Standalone Content
Get-MDEInvestigationPackage 📄 Standalone Content
Get-MDEInvestigationPackage-Entity-Trigger 📄 Standalone Content
Get-MDEStatistics 📄 Standalone Content
Get-MerakiData-configurationChanges 📄 Standalone Content
Get-MerakiData-OrgSecurityEvents 📄 Standalone Content
Get-NamedLocations 🔗 GitHub Only
Get-O365Data 📄 Standalone Content
Get-SecureScore-Information 🔗 GitHub Only
Get-SentinelAlertsEvidence 📄 Standalone Content
Get-SOC-Actions 📦 SOC-Process-Framework
Get-SOCActions 📄 Standalone Content
Get-SOCTasks 📄 Standalone Content
Get-TenableVlun 📄 Standalone Content
GIBIndicatorProcessor ⚠️ 📦 Group-IB
GIBTIA_APT_ThreatActor ⚠️ 📦 Group-IB
GIBTIA_APT_Threats ⚠️ 📦 Group-IB
GIBTIA_Attacks_ddos ⚠️ 📦 Group-IB
GIBTIA_Attacks_deface ⚠️ 📦 Group-IB
GIBTIA_Attacks_phishing ⚠️ 📦 Group-IB
GIBTIA_Attacks_phishing_kit ⚠️ 📦 Group-IB
GIBTIA_BP_phishing ⚠️ 📦 Group-IB
GIBTIA_BP_phishing_kit ⚠️ 📦 Group-IB
GIBTIA_Compromised_account ⚠️ 📦 Group-IB
GIBTIA_Compromised_card ⚠️ 📦 Group-IB
GIBTIA_Compromised_imei ⚠️ 📦 Group-IB
GIBTIA_Compromised_mule ⚠️ 📦 Group-IB
GIBTIA_HI_Threat ⚠️ 📦 Group-IB
GIBTIA_HI_Threat_Actor ⚠️ 📦 Group-IB
GIBTIA_Malware_cnc ⚠️ 📦 Group-IB
GIBTIA_Malware_Targeted_Malware ⚠️ 📦 Group-IB
GIBTIA_OSI_GitLeak ⚠️ 📦 Group-IB
GIBTIA_OSI_PublicLeak ⚠️ 📦 Group-IB
GIBTIA_OSI_Vulnerability ⚠️ 📦 Group-IB
GIBTIA_Suspicious_ip_open_proxy ⚠️ 📦 Group-IB
GIBTIA_Suspicious_ip_socks_proxy ⚠️ 📦 Group-IB
GIBTIA_Suspicious_ip_tor_node ⚠️ 📦 Group-IB
Google Cloud Platform BigQuery - Create Wtchlist with BigQuery Table Data 📦 Google Cloud Platform BigQuery
Google Cloud Platform BigQuery - Enrich Incident with BigQuery Table Data 📦 Google Cloud Platform BigQuery
Google Cloud Platform BigQuery - Query BigQuery Table 📦 Google Cloud Platform BigQuery
Google Directory - Enrich Incident With User Info ⚠️ 📦 GoogleDirectory
Google Directory - Sign Out User ⚠️ 📦 GoogleDirectory
Google Directory - Suspend User ⚠️ 📦 GoogleDirectory
Google Threat Intelligence - Domain Enrichment 📦 Google Threat Intelligence
Google Threat Intelligence - FileHash Enrichment 📦 Google Threat Intelligence
Google Threat Intelligence - IOC Enrichment 📦 Google Threat Intelligence
Google Threat Intelligence - IoC Stream 📦 Google Threat Intelligence
Google Threat Intelligence - IP Enrichment 📦 Google Threat Intelligence
Google Threat Intelligence - Threat List 📦 Google Threat Intelligence
Google Threat Intelligence - URL Enrichment 📦 Google Threat Intelligence
GreyNoise-IP-CommunityEnrichment 📄 Standalone Content
GreyNoise-IP-Enrichment 📄 Standalone Content
Guardicore-Import-Assets 📄 Standalone Content
Guardicore-Import-Incidents 📄 Standalone Content
Guardicore-ThreatIntel 📄 Standalone Content

H

Name Source
HaveIBeenPwnedEmail 📄 Standalone Content
HTTP Trigger Entity Analyzer 📦 SentinelSOARessentials
HYASInsight Enrich Incident By C2 Attribution 📦 HYAS
HYASInsight Enrich Incident By C2 Attribution Information 📦 HYAS
HYASInsight Enrich Incident By C2Attribution Info 📦 HYAS
HYASInsight Enrich Incident By Dynamic DNS 📦 HYAS
HYASInsight Enrich Incident By Dynamic DNS Information 📦 HYAS
HYASInsight Enrich Incident By DynamicDNS Info 📦 HYAS
HYASInsight Enrich Incident By Geo Location Information 📦 HYAS
HYASInsight Enrich Incident By Malware Information 📦 HYAS
HYASInsight Enrich Incident By Malware Sample Info 📦 HYAS
HYASInsight Enrich Incident By OS Indicator Info 📦 HYAS
HYASInsight Enrich Incident By OS Indicator Information 📦 HYAS
HYASInsight Enrich Incident By Passive DNS Information 📦 HYAS
HYASInsight Enrich Incident By Passive Hash Info 📦 HYAS
HYASInsight Enrich Incident By Passive Hash Information 📦 HYAS
HYASInsight Enrich Incident By Sample Data Information 📦 HYAS
HYASInsight Enrich Incident By SinkHole Information 📦 HYAS
HYASInsight Enrich Incident By SSL Certificate Info 📦 HYAS
HYASInsight Enrich Incident By SSL Certificate Information 📦 HYAS
HYASInsight Enrich Incident By WHOIS 📦 HYAS
HYASInsight Enrich Incident By WHOIS Current Info 📦 HYAS
HYASInsight Enrich Incident By WHOIS Info 📦 HYAS

I

Name Source
IBMResilient-Incidents 📄 Standalone Content
Identity Protection response from Teams 📦 Microsoft Entra ID Protection
Identity Protection response from Teams 📄 Standalone Content
IdentityProtection-EmailResponse 📄 Standalone Content
Illumio Containment Switch Playbook 📦 IllumioSaaS
Illumio Get Ven Details Playbook 📦 IllumioSaaS
Illumio Workload Quarantine Playbook 📦 IllumioSaaS
Illusive-SentinelIncident-Enrichment ⚠️ 📦 Illusive Active Defense
Illusive-SentinelIncident-Response ⚠️ 📦 Illusive Active Defense
Incident Assignment Shifts 📦 SentinelSOARessentials
Incident tasks - Microsoft Defender XDR BEC Playbook for SecOps 📦 SentinelSOARessentials
Incident tasks - Microsoft Defender XDR Phishing Playbook for SecOps 📦 SentinelSOARessentials
Incident tasks - Microsoft Defender XDR Ransomware Playbook for SecOps 📦 SentinelSOARessentials
Incident trigger empty playbook 📄 Standalone Content
Incident Trigger Entity Analyzer 📦 SentinelSOARessentials
IncidentUpdate-GetSentinelAlertsEvidence 📄 Standalone Content
Infoblox Import AISCOMM Weekly 📦 Infoblox Cloud Data Connector
Infoblox Import Emails Weekly 📦 Infoblox Cloud Data Connector
Infoblox Import Hashes Weekly 📦 Infoblox Cloud Data Connector
Infoblox Import Hosts Daily Lookalike Domains 📦 Infoblox Cloud Data Connector
Infoblox Import Hosts Daily MalwareC2DGA 📦 Infoblox Cloud Data Connector
Infoblox Import Hosts Daily Phishing 📦 Infoblox Cloud Data Connector
Infoblox Import Hosts Hourly 📦 Infoblox Cloud Data Connector
Infoblox Import IPs Hourly 📦 Infoblox Cloud Data Connector
Infoblox Import URLs Hourly 📦 Infoblox Cloud Data Connector
Infoblox Incident Enrichment Domains 📦 Infoblox Cloud Data Connector
Infoblox Incident Send Email 📦 Infoblox Cloud Data Connector
Infoblox SOC Get Insight Details 📦 Infoblox SOC Insights
Infoblox SOC Get Open Insights API 📦 Infoblox SOC Insights
Infoblox SOC Import Indicators TI 📦 Infoblox SOC Insights
Infoblox-Block-Allow-IP-Domain 📦 Infoblox
Infoblox-Block-Allow-IP-Domain-Incident-Based 📦 Infoblox
Infoblox-Config-Insight-Details 📦 Infoblox
Infoblox-Config-Insights 📦 Infoblox
Infoblox-Data-Connector-Trigger-Sync 📦 Infoblox
Infoblox-DHCP-Lookup 📦 Infoblox
Infoblox-Get-Host-Name 📦 Infoblox
Infoblox-Get-IP-Space-Data 📦 Infoblox
Infoblox-Get-Service-Name 📦 Infoblox
Infoblox-IPAM-Lookup 📦 Infoblox
Infoblox-SOC-Get-Insight-Details 📦 Infoblox
Infoblox-SOC-Get-Open-Insights-API 📦 Infoblox
Infoblox-SOC-Import-Indicators-TI 📦 Infoblox
Infoblox-TIDE-Lookup 📦 Infoblox
Infoblox-TIDE-Lookup-Comment-Enrichment 📦 Infoblox
Infoblox-TIDE-Lookup-Via-Incident 📦 Infoblox
Infoblox-TimeRangeBased-DHCP-Lookup 📦 Infoblox
InfrequentCountryTriage 🔗 GitHub Only
Ingest Microsoft Defender XDR insights into Dynatrace 📦 Dynatrace
Ingest Microsoft Sentinel Security Alerts into Dynatrace 📦 Dynatrace
Ingest-Prisma 📄 Standalone Content
Ingestion Cost Alert Playbook 📄 Standalone Content
Intel 471 Malware Intelligence to Sentinel 📦 Intel471
IP Address Breach Data - SpyCloud Enterprise 📦 SpyCloud Enterprise Protection
IP Address Enrichment - Cisco Meraki 📦 CiscoMeraki
IP Enrichment - DomainTools Parsed Whois 📦 DomainTools
IP Enrichment - Virus Total Report - Incident Triggered 📦 VirusTotal
IP Enrichment - Virus Total Report - Alert Triggered 📦 VirusTotal
IP Enrichment - Virus Total Report - Entity Trigger 📦 VirusTotal
IronNet_UpdateIronDefenseAlerts ⚠️ 📦 IronNet IronDefense
IronNet_UpdateSentinelIncidents ⚠️ 📦 IronNet IronDefense
IronNet_Validate_IronNet_API ⚠️ 📦 IronNet IronDefense
Isolate endpoint - Carbon Black 📦 VMware Carbon Black Cloud
Isolate endpoint - Crowdstrike 📦 CrowdStrike Falcon Endpoint Protection
Isolate endpoint - MDE - Incident Triggered 📦 MicrosoftDefenderForEndpoint
Isolate MDE Machine - Alert Triggered 📦 MicrosoftDefenderForEndpoint
Isolate MDE Machine using entity trigger 📦 MicrosoftDefenderForEndpoint
Isolate-AzureStorageAccount 📄 Standalone Content
Isolate-AzureVMtoNSG 📄 Standalone Content
Isolate-AzVM 📄 Standalone Content

J

Name Source
Jamf Protect - Remote lock computer with Jamf Pro 📦 Jamf Protect
Jamf Protect - Set Alert to In Progress 📦 Jamf Protect
Jamf Protect - Set Alert to Resolved 📦 Jamf Protect
JoeSandbox File Analyis 📦 JoeSandbox
JoeSandbox URL Analyis 📦 JoeSandbox
Joshua Import To Sentinel 📦 Joshua-Cyberiskvision
Joshua Indicators Processor DOMAIN 📦 Joshua-Cyberiskvision
Joshua Indicators Processor EMAIL 📦 Joshua-Cyberiskvision
Joshua Indicators Processor FILE 📦 Joshua-Cyberiskvision
Joshua Indicators Processor IP 📦 Joshua-Cyberiskvision
Joshua Indicators Processor URL 📦 Joshua-Cyberiskvision
Joshua Intel Enrichment File 📦 Joshua-Cyberiskvision
Joshua Intel Enrichment IP 📦 Joshua-Cyberiskvision
Joshua Intel Enrichment URL 📦 Joshua-Cyberiskvision

L

Name Source
Log4jIndicatorProcessor 📦 Apache Log4j Vulnerability Detection
Logic Apps Custom Connector and Playbook templates - HaveIBeenPwned 📄 Standalone Content
Logic Apps Custom Connector and Playbook templates - Palo Alto Wildfire and PAN-OS 📄 Standalone Content
Logic Apps Custom Connectors and Playbook templates - ForcepointNGFW 📄 Standalone Content

M

Name Source
MDTI-Automated-Triage 📦 Microsoft Defender Threat Intelligence
MDTI-Data-Cookies 📦 Microsoft Defender Threat Intelligence
MDTI-Data-PassiveDns 📦 Microsoft Defender Threat Intelligence
MDTI-Data-ReverseDnS 📦 Microsoft Defender Threat Intelligence
MDTI-Data-Trackers 📦 Microsoft Defender Threat Intelligence
MDTI-Data-WebComponents 📦 Microsoft Defender Threat Intelligence
MDTI-Intel-Reputation 📦 Microsoft Defender Threat Intelligence
Mimecast-Data-Connector-Trigger-Sync 📦 Mimecast
Move-LogAnalytics-to-Storage 🔗 GitHub Only
MTI Threat Actor Lookup 📄 Standalone Content

N

Name Source
NCSCNLShareSTIXBundle 📦 NCSC-NL NDN Cyber Threat Intelligence Sharing
Needs-Review-Incident-Email-Notification 📦 Armorblox
NetApp Ransomware Resilience Async Poll Playbook 📦 NetApp Ransomware Resilience
NetApp Ransomware Resilience Authentication Playbook 📦 NetApp Ransomware Resilience
NetApp Ransomware Resilience Enrich IP Playbook 📦 NetApp Ransomware Resilience
NetApp Ransomware Resilience Enrich StorageVM Playbook 📦 NetApp Ransomware Resilience
NetApp Ransomware Resilience Volume Offline Playbook 📦 NetApp Ransomware Resilience
NetApp Ransomware Resilience Volume Snapshot Playbook 📦 NetApp Ransomware Resilience
NetApp RRS Manual IP to Volume Offline 📦 NetApp Ransomware Resilience
NetskopeDataConnectorsTriggerSync 📦 Netskopev2
NetskopeWebTxErrorEmail 📦 Netskopev2
new-inc-notification 📄 Standalone Content
Notify Incident Owner in Microsoft Teams 📦 SentinelSOARessentials
Notify Sentinel Incident Creation and Update to Torq Webhook 📦 Torq
Notify When Incident Is Closed 📦 SentinelSOARessentials
Notify When Incident Is Reopened 📦 SentinelSOARessentials
Notify When Incident Severity Changed 📦 SentinelSOARessentials
Notify-ASCAlertAzureResource 📄 Standalone Content
Notify-GovernanceComplianceTeam 📦 AzureSecurityBenchmark
Notify-GovernanceComplianceTeam 📦 ZeroTrust(TIC3.0)
Notify-InsiderRiskTeam 📦 MicrosoftPurviewInsiderRiskManagement
Notify-LogManagementTeam 📦 MaturityModelForEventLogManagementM2131
Notify_GovernanceComplianceTeam 📦 CybersecurityMaturityModelCertification(CMMC)2.0
Notify_GovernanceComplianceTeam 📦 NISTSP80053

O

Name Source
O365 - Block Malware file extensions 📦 Microsoft Defender for Office 365
O365 - Block Sender Entity Trigger 📦 Microsoft Defender for Office 365
O365 - Block Spam Domain 📦 Microsoft Defender for Office 365
O365 - Block Suspicious Sender 📦 Microsoft Defender for Office 365
O365 - Delete All Malicious Inbox Rule 📦 Microsoft Defender for Office 365
OktaEvents-to-Sentinel 📄 Standalone Content
Open-ServiceDeskPlusOnDemand-Ticket 📄 Standalone Content

P

Name Source
PaloAlto-PAN-OS-BlockIP 📦 PaloAlto-PAN-OS
PaloAlto-PAN-OS-BlockURL 📦 PaloAlto-PAN-OS
PaloAlto-PAN-OS-BlockURL-EntityTrigger 📦 PaloAlto-PAN-OS
PaloAlto-PAN-OS-GetURLCategoryInfo 📦 PaloAlto-PAN-OS
PaloAlto-PAN-OS-GetURLCategoryInfo 📄 Standalone Content
PaloAltoXDR ⚠️ 📦 Palo Alto - XDR (Cortex)
Password Breach Data - SpyCloud Enterprise 📦 SpyCloud Enterprise Protection
PlaybookName 🔗 GitHub Only
PlaybookName 🔗 GitHub Only
PlaybookName 🔗 GitHub Only
Post Message Slack 📦 SentinelSOARessentials
Post Message Slack 📦 SentinelSOARessentials
Post Message Slack Via Webhook 📄 Standalone Content
Post Message Teams 📦 SentinelSOARessentials
Post Message Teams 📦 SentinelSOARessentials
Post-Message-Slack 📦 SentinelSOARessentials
Post-Message-Teams 📦 SentinelSOARessentials
Post-Tags-And-Comments-To-Your-IntSights-Account 📄 Standalone Content
Prompt Okta user 📦 Okta Single Sign-On
Prompt User - Alert 📦 Microsoft Entra ID
Prompt User - Incident 📦 Microsoft Entra ID
ProofpointTAP-AddForensicsInfoToIncident 📦 ProofPointTap
Pure Storage FlashBlade File System Snapshot 📦 Pure Storage
Pure Storage Protection Group Snapshot 📦 Pure Storage
Pure Storage User Deletion 📦 Pure Storage
Pure Storage Volume Snapshot 📦 Pure Storage
Put CanaryTokens webhook alerts to Custom Logs table 📄 Standalone Content
Put Defender for Endpoint Alert as Hunting ARM Template in GitHub Rep 📄 Standalone Content

Q

Name Source
QualysVM-GetAssetDetails 📦 QualysVM
QualysVM-GetAssets-ByCVEID 📦 QualysVM
QualysVM-GetAssets-ByOpenPort 📦 QualysVM
QualysVM-LaunchVMScan-GenerateReport 📦 QualysVM
Query Azure Monitor with managed identity 📄 Standalone Content
Query Azure Resource Graph and enrich sentinel incident 📄 Standalone Content
Query Azure Resource Graph with HTTP input and output 📄 Standalone Content

R

Name Source
Rapid7 Insight VM - Enrich incident with asset info 📦 Rapid7InsightVM
Rapid7 Insight VM - Enrich vulnerability info 📦 Rapid7InsightVM
Rapid7 Insight VM - Run scan 📦 Rapid7InsightVM
Read Stream- OpenCTI Indicators 📦 OpenCTI
RecordedFuture-ActorThreatHunt-IndicatorImport 📦 Recorded Future
RecordedFuture-Alert-Importer 📦 Recorded Future
RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor 📦 Recorded Future
RecordedFuture-Domain-IndicatorImport 📦 Recorded Future
RecordedFuture-Hash-IndicatorImport 📦 Recorded Future
RecordedFuture-HASH-Obs_in_Underground-TIProcessor 📦 Recorded Future
RecordedFuture-ImportToDefenderEndpoint (DEPRECATED) 📄 Standalone Content
RecordedFuture-ImportToSentinel 📦 Recorded Future
RecordedFuture-IOC_Enrichment 📦 Recorded Future
RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor 📦 Recorded Future
RecordedFuture-IP-IndicatorImport 📦 Recorded Future
RecordedFuture-MalwareThreatHunt-IndicatorImport 📦 Recorded Future
RecordedFuture-Playbook-Alert-Importer 📦 Recorded Future
RecordedFuture-Sandbox_Enrichment-Url 📦 Recorded Future
RecordedFuture-Sandbox_Outlook_Attachment 📦 Recorded Future
RecordedFuture-Sandbox_StorageAccount 📦 Recorded Future
RecordedFuture-ThreatIntelligenceImport 📦 Recorded Future
RecordedFuture-ThreatMap-Importer 📦 Recorded Future
RecordedFuture-ThreatMapMalware-Importer 📦 Recorded Future
RecordedFuture-TIforDefenderEndpoint (DEPRECATED) 📄 Standalone Content
RecordedFuture-Ukraine-IndicatorProcessor 📦 Recorded Future
RecordedFuture-URL-IndicatorImport 📦 Recorded Future
RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor 📦 Recorded Future
RecordedFuture_IP_SCF_ImportToDefenderEndpoint (DEPRECATED) 📄 Standalone Content
RecordedFuture_IP_SCF_IndicatorProcessor (DEPRECATED) 📄 Standalone Content
Relate alerts to incident by IP 📦 SentinelSOARessentials
Remediate assets on prisma cloud 📦 PaloAltoPrismaCloud
Remove-MDEAppExecution 📄 Standalone Content
Remove-MDEAppExecution 📄 Standalone Content
Reopen-Incident-With-Incomplete-Tasks 📄 Standalone Content
Reset Microsoft Entra ID User Password - Alert Trigger 📦 Microsoft Entra ID
Reset Microsoft Entra ID User Password - Entity trigger 📦 Microsoft Entra ID
Reset Microsoft Entra ID User Password - Incident Trigger 📦 Microsoft Entra ID
Response on Okta user from Teams 📦 Okta Single Sign-On
Response on Teams - HaveIBeenPwned 📄 Standalone Content
Restore From Last Cohesity Snapshot 📦 CohesitySecurity
Restrict MDE App Execution - Alert Triggered 📦 MicrosoftDefenderForEndpoint
Restrict MDE App Execution - Incident Triggered 📦 MicrosoftDefenderForEndpoint
Restrict MDE Domain - Alert Triggered 📦 MicrosoftDefenderForEndpoint
Restrict MDE Domain - Entity Triggered 📦 MicrosoftDefenderForEndpoint
Restrict MDE Domain - Incident Triggered 📦 MicrosoftDefenderForEndpoint
Restrict MDE FileHash - Alert Triggered 📦 MicrosoftDefenderForEndpoint
Restrict MDE FileHash - Entity Triggered 📦 MicrosoftDefenderForEndpoint
Restrict MDE FileHash - Incident Triggered 📦 MicrosoftDefenderForEndpoint
Restrict MDE Ip Address - Alert Triggered 📦 MicrosoftDefenderForEndpoint
Restrict MDE Ip Address - Entity Triggered 📦 MicrosoftDefenderForEndpoint
Restrict MDE Ip Address - Incident Triggered 📦 MicrosoftDefenderForEndpoint
Restrict MDE Url - Alert Triggered 📦 MicrosoftDefenderForEndpoint
Restrict MDE URL - Entity Triggered 📦 MicrosoftDefenderForEndpoint
Restrict MDE Url - Incident Triggered 📦 MicrosoftDefenderForEndpoint
Retrieve Alert from Microsoft Sentinel and Trigger a Blink Workflow via Webhook 📦 BlinkOps
Retrieve Incident from Microsoft Sentinel and Trigger a Blink Workflow via Webhook 📦 BlinkOps
ReversingLabs-CheckQuota 📦 ReversingLabs
Revoke Entra ID Sign-in session using entity trigger 📦 Microsoft Entra ID
Revoke Entra ID SignIn Sessions - incident trigger 📦 Microsoft Entra ID
Revoke-Entra ID SignInSessions alert trigger 📦 Microsoft Entra ID
RFI-add-EntraID-security-group-user 📦 Recorded Future Identity
RFI-confirm-EntraID-risky-user 📦 Recorded Future Identity
RFI-lookup-and-save-user 📦 Recorded Future Identity
RFI-Playbook-Alert-Importer 📦 Recorded Future Identity
RFI-Playbook-Alert-Importer-LAW 📦 Recorded Future Identity
RFI-Playbook-Alert-Importer-LAW-Sentinel (DEPRECATED) 📦 Recorded Future Identity
RFI-search-external-user 📦 Recorded Future Identity
RFI-search-workforce-user 📦 Recorded Future Identity
RiskIQ Data Summary Alert 📦 RiskIQ
RiskIQ Data Summary Incident 📦 RiskIQ
RiskIQ-Automated-Triage-Alert 📦 RiskIQ
RiskIQ-Automated-Triage-Incident 📦 RiskIQ
RiskIQ-Base 📦 RiskIQ
RiskIQ-Data-PassiveDns 📦 RiskIQ
RiskIQ-Data-PassiveDns-Domain 📦 RiskIQ
RiskIQ-Data-PassiveDns-Ip 📦 RiskIQ
RiskIQ-Data-Summary-Domain-alert 📦 RiskIQ
RiskIQ-Data-Summary-Domain-incident 📦 RiskIQ
RiskIQ-Data-Summary-Ip-Alert 📦 RiskIQ
RiskIQ-Data-Summary-Ip-Incident 📦 RiskIQ
RiskIQ-Data-Whois 📦 RiskIQ
RiskIQ-Data-Whois-Domain 📦 RiskIQ
RiskIQ-Data-Whois-Ip 📦 RiskIQ
RiskIQ-Intel-Reputation-Alert 📦 RiskIQ
RiskIQ-Intel-Reputation-Domain-Alert 📦 RiskIQ
RiskIQ-Intel-Reputation-Domain-Incident 📦 RiskIQ
RiskIQ-Intel-Reputation-Incident 📦 RiskIQ
RiskIQ-Intel-Reputation-Ip-Alert 📦 RiskIQ
RiskIQ-Intel-Reputation-Ip-Incident 📦 RiskIQ
RiskIQ-Intel-Summary-Alert 📦 RiskIQ
RiskIQ-Intel-Summary-Domain-Alert 📦 RiskIQ
RiskIQ-Intel-Summary-Domain-Incident 📦 RiskIQ
RiskIQ-Intel-Summary-Incident 📦 RiskIQ
RiskIQ-Intel-Summary-Ip-Alert 📦 RiskIQ
RiskIQ-Intel-Summary-Ip-Incident 📦 RiskIQ
Rubrik Advanced Threat Hunt 📦 RubrikSecurityCloud
Rubrik Anomaly Analysis 📦 RubrikSecurityCloud
Rubrik Anomaly Generate Downloadable Link 📦 RubrikSecurityCloud
Rubrik Anomaly Incident Response 📦 RubrikSecurityCloud
Rubrik Data Object Discovery 📦 RubrikSecurityCloud
Rubrik File Object Context Analysis 📦 RubrikSecurityCloud
Rubrik Fileset Ransomware Discovery 📦 RubrikSecurityCloud
Rubrik IOC Scan 📦 RubrikSecurityCloud
Rubrik Poll Async Result 📦 RubrikSecurityCloud
Rubrik Ransomware Discovery and File Recovery 📦 RubrikSecurityCloud
Rubrik Ransomware Discovery and VM Recovery 📦 RubrikSecurityCloud
Rubrik Retrieve User Intelligence Information 📦 RubrikSecurityCloud
Rubrik Turbo Threat Hunt 📦 RubrikSecurityCloud
Rubrik Update Anomaly Status 📦 RubrikSecurityCloud
Rubrik Update Anomaly Status Via Incident 📦 RubrikSecurityCloud
Rubrik User Intelligence Analysis 📦 RubrikSecurityCloud
RubrikWorkloadAnalysis 📦 RubrikSecurityCloud
Run MDE Antivirus - Alert Triggered 📦 MicrosoftDefenderForEndpoint
Run MDE Antivirus - Incident Triggered 📦 MicrosoftDefenderForEndpoint
Run-AzureVMPacketCapture 📄 Standalone Content
Run-Notebook-After-Incident-Creation 📄 Standalone Content

S

Name Source
SAP - Lock User (Agentless Basic) ⚠️ 📦 SAP
Search for Breaches - ShadowByte Aria 📦 ShadowByte Aria
Security workflow: alert verification with workload owners 📦 Microsoft Business Applications
Send basic email 📦 SentinelSOARessentials
Send Email - HaveIBeenPwned 📄 Standalone Content
Send email with formatted incident report 📦 SentinelSOARessentials
Send incident email with XDR Portal links 📦 SentinelSOARessentials
Send incident Teams Adaptive Card with XDR Portal links 📦 SentinelSOARessentials
Send Ingestion Cost Anomaly Alert 📄 Standalone Content
Send Microsoft Sentinel Incident To Cyware Orchestrate 📦 Cyware
Send Teams Adaptive Card on incident creation 📦 SentinelSOARessentials
Send Teams Adaptive Card on incident creation 📦 Teams
Send to Security Graph API - Batch Import (OpenCTI) 📦 OpenCTI
Send Unhealthy Azure Arc Resource Alert 📄 Standalone Content
Send-AnalyticalRulesHealthNotifications 📄 Standalone Content
Send-AzCommunicationsSMSMessage 📄 Standalone Content
Send-AzCommunicationsSMSMessage 📄 Standalone Content
Send-Sentinel-Alerts-to-Salem 📦 SalemCyber
Send-UrlReport 📄 Standalone Content
SendEmailonRSAIDPlusAlert 📦 RSAIDPlus_AdminLogs_Connector
ServiceNow TISC Batch Indicator Uploader 📦 ServiceNow TISC
ServiceNow TISC Import Observables from TISC 📦 ServiceNow TISC
ServiceNow TISC Incident Enrichment 📦 ServiceNow TISC
Shodan - Enrich Domain Name 📦 Shodan
Shodan - Enrich Incident IPs and Domain Names 📦 Shodan
Shodan - Enrich IP Address 📦 Shodan
SIGNL4 Alerting and Response 📦 SIGNL4
SlashNext Phishing Incident Investigation Playbook 📦 SlashNext
SlashNext Security Events for Microsoft Sentinel - Get customer incidents and log 📦 SlashNext SIEM
SlashNext Web Access Log Assessment 📦 SlashNext
SOCRadar-Alarm-Import 📦 SOCRadar
SOCRadar-Alarm-Sync 📦 SOCRadar
SpectraAnalyze-EnrichFileHash 📦 ReversingLabs
SpectraAnalyze-EnrichNetworkEntities 📦 ReversingLabs
SpectraIntelligence-EnrichFileHash 📦 ReversingLabs
SpectraIntelligence-EnrichNetworkEntities 📦 ReversingLabs
spur_alert 📄 Standalone Content
spur_alert 📄 Standalone Content
SpyCloud Breach Information - SpyCloud Enterprise 📦 SpyCloud Enterprise Protection
SpyCloud Malware Information - SpyCloud Enterprise 📦 SpyCloud Enterprise Protection
SpyCloud Watachlist data - SpyCloud Enterprise 📦 SpyCloud Enterprise Protection
Start-MDEAutomatedInvestigation 📄 Standalone Content
Start-MDEAutomatedInvestigation 📄 Standalone Content
Summarize Data for DNS Essentials Solution 📦 DNS Essentials
Summarize Data for Network Session Essentials 📦 Network Session Essentials
Summarize Web Session Data 📦 Web Session Essentials
Sync - Incident Comment To M365D On Update 📄 Standalone Content
Sync Jira from Sentinel - Create incident 📦 AtlassianJiraAudit
Sync Jira to Sentinel - Assigned User 📦 AtlassianJiraAudit
Sync Jira to Sentinel - public comments 📦 AtlassianJiraAudit
Sync Jira to Sentinel - Status 📦 AtlassianJiraAudit
Sync-Comments-to-M365Defender 🔗 GitHub Only

T

Name Source
TacitRed to CrowdStrike IOC Automation 📦 TacitRed-IOC-CrowdStrike
TacitRed to Defender TI 📦 TacitRed-Defender-ThreatIntelligence
TacitRed to SentinelOne IOC Automation 📦 TacitRed-SentinelOne
Tanium-ComplyFindings 📦 Tanium
Tanium-GeneralHostInfo 📦 Tanium
Tanium-ListSecurityPatches 📦 Tanium
Tanium-MSDefenderHealth 📦 Tanium
Tanium-QuarantineHosts 📦 Tanium
Tanium-ResolveThreatResponseAlert 📦 Tanium
Tanium-SCCMClientHealth 📦 Tanium
Tanium-UnquarantineHosts 📦 Tanium
Team Cymru Scout Create Incident And Notify 📦 Team Cymru Scout
Team Cymru Scout Enrich Incident 📦 Team Cymru Scout
Team Cymru Scout Live Investigation 📦 Team Cymru Scout
Tenable VM - Enrich incident with asset info 📦 Tenable App
Tenable VM - Enrich incident with vulnerability info 📦 Tenable App
Tenable VM - Launch Scan 📦 Tenable App
Tenable.io - Enrich incident with asset info 📦 TenableIO
Tenable.io - Enrich incident with vulnerability info 📦 TenableIO
Tenable.io - Launch Scan 📦 TenableIO
The Hive - Create alert 📦 TheHive
The Hive - Create case 📦 TheHive
The Hive - Lock user 📦 TheHive
Thinkst Canary Microsoft Sentinel Alert Integration 📄 Standalone Content
TritonPlayook 🔗 GitHub Only

U

Name Source
Unisolate MDE Machine - Alert Triggered 📦 MicrosoftDefenderForEndpoint
Unisolate MDE Machine - Incident Triggered 📦 MicrosoftDefenderForEndpoint
Unisolate MDE Machine using entity trigger 📦 MicrosoftDefenderForEndpoint
Update Watchlist - CVE IPs by GreyNoise 📄 Standalone Content
Update-BulkIncidents 📄 Standalone Content
Update-VIPUsers-Watchlist-from-AzureAD-Group 📄 Standalone Content
Update-Watchlist-With-NamedLocations 🔗 GitHub Only
URL Enrichment - Cisco Meraki 📦 CiscoMeraki
URL Enrichment - Virus Total Domain Report - Alert Triggered 📦 VirusTotal
URL Enrichment - Virus Total Domain Report - Incident Triggered 📦 VirusTotal
URL Enrichment - Virus Total Report - Alert Triggered 📦 VirusTotal
URL Enrichment - Virus Total Report - Incident Triggered 📦 VirusTotal
URL Trigger Entity Analyzer 📦 SentinelSOARessentials
URLhaus-CheckHashAndEnrichIncident 📦 URLhaus
URLhaus-CheckHostAndEnrichIncident 📦 URLhaus
URLhaus-CheckURLAndEnrichIncident 📦 URLhaus
User enrichment - Okta 📦 Okta Single Sign-On
UserEnrichment.template 🔗 GitHub Only
Username Breach Data - SpyCloud Enterprise 📦 SpyCloud Enterprise Protection

V

Name Source
Vectra Add Note To Entity 📦 Vectra XDR
Vectra Add Tag To Entity 📦 Vectra XDR
Vectra Add Tag To Entity All Detections 📦 Vectra XDR
Vectra Add Tag To Entity Selected Detections 📦 Vectra XDR
Vectra Assign Dynamic User To Entity 📦 Vectra XDR
Vectra Assign Static User To Entity 📦 Vectra XDR
Vectra Close Detections 📦 Vectra XDR
Vectra Decorate Incident Based On Tag 📦 Vectra XDR
Vectra Decorate Incident Based On Tags And Notify 📦 Vectra XDR
Vectra Download Pcap File To Storage 📦 Vectra XDR
Vectra Dynamic Assign Member To Group 📦 Vectra XDR
Vectra Dynamic Resolve Assignment 📦 Vectra XDR
Vectra Generate Access Token 📦 Vectra XDR
Vectra Incident Timeline Update 📦 Vectra XDR
Vectra Mark Detections As Fixed 📦 Vectra XDR
Vectra Open Closed Detections 📦 Vectra XDR
Vectra Operate On Entity Source IP 📦 Vectra XDR
Vectra Static Assign Member To Group 📦 Vectra XDR
Vectra Static Resolve Assignment 📦 Vectra XDR
Vectra Update Incident Based on Tag And Notify 📦 Vectra XDR
Veeam-ChangeCollectionTime 📦 Veeam
Veeam-CollectConfigurationBackups 📦 Veeam
Veeam-CollectCovewareFindings 📦 Veeam
Veeam-CollectMalwareEvents 📦 Veeam
Veeam-CollectSecurityComplianceAnalyzerResult 📦 Veeam
Veeam-CollectVeeamAuthorizationEvents 📦 Veeam
Veeam-CollectVeeamONEAlarms 📦 Veeam
Veeam-FindCleanRestorePoints 📦 Veeam
Veeam-PerformConfigurationBackupOnIncident 📦 Veeam
Veeam-PerformInstantVMRecovery 📦 Veeam
Veeam-PerformScanBackup 📦 Veeam
Veeam-ResolveTriggeredAlarm 📦 Veeam
Veeam-SetupConnections 📦 Veeam
Veeam-StartQuickBackup 📦 Veeam
Veeam-StartSecurityComplianceAnalyzer 📦 Veeam
VMRay Email Attachment Analyis 📦 VMRay
VMRay URL Analyis 📦 VMRay

W

Name Source
Watchlist - Change Incident Severity and Title if User VIP - Alert Trigger 📦 Watchlists Utilities
Watchlist - Change Incident Severity and Title if User VIP - Incident Trigger 📦 Watchlists Utilities
Watchlist - close incidents with safe IPs 📦 Watchlists Utilities
Watchlist-SendSQLData-Watchlist 📄 Standalone Content
Watchlists - Inform Subscription Owner 📦 Watchlists Utilities
workflow ⚠️ 📦 SAP
workflow ⚠️ 📦 SAP

Z

Name Source
Zscaler OAuth2 Authentication 📦 Zscaler Internet Access
Zscaler OAuth2 Blacklist URL 📦 Zscaler Internet Access
Zscaler OAuth2 Block IP 📦 Zscaler Internet Access
Zscaler OAuth2 Block URL 📦 Zscaler Internet Access
Zscaler OAuth2 Lookup IP 📦 Zscaler Internet Access
Zscaler OAuth2 Lookup URL 📦 Zscaler Internet Access
Zscaler OAuth2 Unblock IP 📦 Zscaler Internet Access
Zscaler OAuth2 Unblock URL 📦 Zscaler Internet Access
Zscaler URL category lookup 📄 Standalone Content
Zscaler-Oauth2-UnblacklistURL 📦 Zscaler Internet Access
Zscaler-Oauth2-WhitelistURL 📦 Zscaler Internet Access

⚠️ Items marked with ⚠️ are not listed in their Solution JSON file. They were discovered by scanning solution folders.

