| ProofpointTAP-CheckAccountInVAP |
ProofPointTap |
1 |
3 |
| 2S-MISP-Forwarder |
๐ Standalone |
1 |
0 |
| [[Deprecated]] Add Dynatrace Application Security Attack Source IP Address to Threat Intelligence |
Dynatrace |
1 |
0 |
| AbuseIPDB Enrich Incident By IP Info |
AbuseIPDB |
1 |
2 |
| AbuseIPDB Report IPs To AbuseIPDB After User Response In MSTeams |
AbuseIPDB |
1 |
1 |
| AD4IoT-AutoAlertStatusSync |
IoTOTThreatMonitoringwithDefenderforIoT |
1 |
0 |
| AD4IoT-AutoCloseIncidents |
IoTOTThreatMonitoringwithDefenderforIoT |
1 |
1 |
| AD4IoT-AutoCloseIncidents |
๐ GitHub Only |
1 |
1 |
| AD4IoT-AutoTriageIncident |
IoTOTThreatMonitoringwithDefenderforIoT |
2 |
0 |
| AD4IoT-CVEAutoWorkflow |
IoTOTThreatMonitoringwithDefenderforIoT |
2 |
0 |
| AD4IoT-MailByProductionLine |
IoTOTThreatMonitoringwithDefenderforIoT |
1 |
0 |
| AD4IoT-MailByProductionLine |
๐ GitHub Only |
1 |
0 |
| AD4IoT-NewAssetServiceNowTicket |
IoTOTThreatMonitoringwithDefenderforIoT |
1 |
0 |
| AD4IoT-NewAssetServiceNowTicket |
๐ GitHub Only |
1 |
0 |
| AD4IoT-SendEmailtoIoTOwner |
IoTOTThreatMonitoringwithDefenderforIoT |
1 |
5 |
| Add Asset to Protection - Zero Networks Segment |
ZeroNetworks |
1 |
2 |
| Add Block Outbound Rule - Zero Networks Acccess Orchestrator |
ZeroNetworks |
1 |
2 |
| Add Host To Watchlist - Alert Trigger |
Watchlists Utilities |
1 |
0 |
| Add Host To Watchlist - Incident Trigger |
Watchlists Utilities |
1 |
0 |
| Add IP Entity To Named Location |
๐ Standalone |
1 |
1 |
| Add IP Entity To Network Security Group |
๐ Standalone |
1 |
4 |
| Add IP To Watchlist - Alert Trigger |
Watchlists Utilities |
1 |
0 |
| Add IP To Watchlist - Incident Trigger |
Watchlists Utilities |
1 |
0 |
| Add URL - Netskope |
๐ Standalone |
1 |
3 |
| Add URL To Watchlist - Alert Trigger |
Watchlists Utilities |
1 |
0 |
| Add URL To Watchlist - Incident Trigger |
Watchlists Utilities |
1 |
0 |
| Add User To Watchlist - Alert Trigger |
Watchlists Utilities |
1 |
0 |
| Add User To Watchlist - Incident Trigger |
Watchlists Utilities |
1 |
0 |
| Advanced ServiceNow Teams Integration Playbook |
Teams |
1 |
0 |
| Affected-Key-Credentials-Scanner |
๐ Standalone |
1 |
1 |
| aggregate-ServiceNow-tickets |
๐ Standalone |
1 |
2 |
| AI-Commandline-Analysis |
๐ GitHub Only |
1 |
1 |
| Akamai Guardicore Incident-Enrichment โ one-click bootstrap |
Akamai Guardicore |
1 |
0 |
| Alert trigger empty playbook |
๐ Standalone |
1 |
0 |
| Armis Update Alert Status |
Armis |
1 |
0 |
| AS-Add-Azure-AD-User-Job-Title-to-Incident |
๐ Standalone |
1 |
2 |
| AS-Add-Domains-to-Zscaler-URL-Category |
๐ Standalone |
1 |
1 |
| AS-Add-Machine-Logon-Users-to-Incident |
๐ Standalone |
1 |
2 |
| AS-Azure-AD-Disable-User |
๐ Standalone |
1 |
1 |
| AS-Azure-AD-Enable-User |
๐ Standalone |
1 |
1 |
| AS-Azure-AD-Group |
๐ Standalone |
1 |
1 |
| AS-Block-GitHub-User |
๐ Standalone |
1 |
2 |
| AS-Block-Hash-in-Defender |
๐ Standalone |
1 |
2 |
| AS-Compromised-Machine-Tagging |
๐ Standalone |
1 |
1 |
| AS-Create-Opsgenie-Incident |
๐ Standalone |
1 |
0 |
| AS-Delete-App-Registration |
๐ Standalone |
1 |
1 |
| AS-Disable-Microsoft-Entra-ID-User-From-Entity |
๐ Standalone |
1 |
0 |
| AS-Enable-Microsoft-Entra-ID-User-From-Entity |
๐ Standalone |
1 |
0 |
| AS-Get-HostExposureLevel-From-MDE |
๐ Standalone |
1 |
2 |
| AS-IAM-Entra-ID-Master-Playbook |
๐ Standalone |
1 |
2 |
| AS-IAM-Master-Playbook |
๐ Standalone |
1 |
2 |
| AS-Import-Azure-AD-Group-Users-to-MS-Watchlist |
๐ Standalone |
1 |
2 |
| AS-Incident-IP-Matched-on-Watchlist |
๐ Standalone |
1 |
3 |
| AS-Incident-Response-Approval-Email |
๐ Standalone |
1 |
3 |
| AS-Incident-Spiderfoot-Scan |
๐ Standalone |
1 |
1 |
| AS-IP-Blocklist |
๐ Standalone |
1 |
1 |
| AS-IP-Blocklist-HTTP |
๐ Standalone |
1 |
1 |
| AS-IP-Blocklist-HTTP |
๐ Standalone |
1 |
1 |
| AS-IP-Blocklist-Remove-IPs |
๐ Standalone |
1 |
1 |
| AS-Make-GitHub-Repository-Private |
๐ Standalone |
1 |
2 |
| AS-MDE-Isolate-Machine |
๐ Standalone |
1 |
2 |
| AS-MDE-Unisolate-Machine |
๐ Standalone |
1 |
2 |
| AS-Microsoft-Entra-ID-Revoke-User-Sessions-HTTP |
๐ Standalone |
1 |
1 |
| AS-Microsoft-Entra-ID-Revoke-User-Sessions-HTTP |
๐ Standalone |
1 |
1 |
| AS-Okta-NetworkZoneUpdate |
๐ Standalone |
1 |
1 |
| AS-Okta-NetworkZoneUpdate-HTTP |
๐ Standalone |
1 |
1 |
| AS-Okta-Terminate-User-Sessions-HTTP |
๐ Standalone |
1 |
1 |
| AS-PagerDuty-Integration |
๐ Standalone |
1 |
0 |
| AS-Recurring-Host-Entity |
๐ Standalone |
1 |
2 |
| AS-Remove-Domains-from-Zscaler-URL-Category |
๐ Standalone |
1 |
1 |
| AS-Revoke-Entra-ID-User-Session-From-Entity |
๐ Standalone |
1 |
0 |
| AS-Revoke-Entra-ID-User-Session-From-Incident |
๐ Standalone |
1 |
2 |
| AS-Sign-Out-Google-User |
๐ Standalone |
1 |
3 |
| AS-Slack-Integration |
๐ Standalone |
1 |
0 |
| AS-Terminate-Okta-User-Sessions-From-Entity |
๐ Standalone |
1 |
0 |
| AS-Update-Okta-Network-Zone-From-Entity |
๐ Standalone |
1 |
0 |
| AWS - Disable S3 Bucket Public Access |
AWS_IAM |
1 |
1 |
| AWS Athena - Execute Query and Get Results |
AWSAthena |
1 |
1 |
| AWS IAM - Add tag to user |
AWS_IAM |
1 |
3 |
| AWS IAM - Delete access keys |
AWS_IAM |
1 |
3 |
| AWS IAM - Enrich incident with user info |
AWS_IAM |
1 |
3 |
| AWS Systems Manager - Get Missing Patches for EC2 Instances |
AWS Systems Manager |
1 |
3 |
| AWS Systems Manager - Get Missing Patches for EC2 Instances for given Hostname |
AWS Systems Manager |
1 |
1 |
| AWS Systems Manager - Get Missing Patches for EC2 Instances for given Private IP |
AWS Systems Manager |
1 |
1 |
| AWS Systems Manager - Run Automation Runbook |
AWS Systems Manager |
1 |
1 |
| AWS Systems Manager - Stop Managed EC2 Instances |
AWS Systems Manager |
1 |
3 |
| AWS Systems Manager - Stop Managed EC2 Instances Host Entity Trigger |
AWS Systems Manager |
1 |
1 |
| AWS Systems Manager - Stop Managed EC2 Instances IP Entity Trigger |
AWS Systems Manager |
1 |
1 |
| Azure Firewall - Add IP Address to Threat Intel Allow list |
Azure Firewall |
1 |
4 |
| Block AAD user or admin - Alert |
๐ Standalone |
1 |
0 |
| Block AAD user or admin - incident |
๐ Standalone |
1 |
0 |
| Block Device Client - Cisco Meraki |
CiscoMeraki |
1 |
3 |
| Block Entra ID user - Incident |
Microsoft Entra ID |
1 |
0 |
| Block IP & URL on fortiweb cloud |
Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel |
1 |
2 |
| Block IP & URL on ThreatX-WAF cloud |
ThreatXCloud |
1 |
4 |
| Block IP - Azure Firewall IP groups |
Azure Firewall |
1 |
4 |
| Block IP - Azure Firewall IP groups - Entity trigger |
Azure Firewall |
1 |
3 |
| Block IP - Cisco ASA |
CiscoASA |
1 |
3 |
| Block IP - Cisco ASA |
๐ Standalone |
1 |
3 |
| Block IP - Cisco Firepower |
Cisco Firepower EStreamer |
1 |
5 |
| Block IP - F5 BIG-IP |
๐ Standalone |
1 |
3 |
| Block IP - Palo Alto PAN-OS |
๐ Standalone |
1 |
3 |
| Block IP - Palo Alto PAN-OS - Entity trigger |
PaloAlto-PAN-OS |
1 |
2 |
| Block IP - Take Action from Teams - Cisco Firepower |
Cisco Firepower EStreamer |
1 |
6 |
| Block IP - Zscaler |
๐ Standalone |
1 |
2 |
| Block IP Address - Cisco Meraki |
CiscoMeraki |
1 |
3 |
| Block IP addresses - ForcepointNGFW |
๐ Standalone |
1 |
3 |
| Block IP addresses by Username - ForcepointNGFW |
๐ Standalone |
1 |
3 |
| Block IP in Exchange On-Prem |
๐ Standalone |
1 |
2 |
| Block Microsoft Entra ID user - Alert |
Microsoft Entra ID |
1 |
0 |
| Block Microsoft Entra ID user - Entity trigger |
Microsoft Entra ID |
1 |
0 |
| Block or Unblock IP addresses - ForcepointNGFW |
๐ Standalone |
1 |
4 |
| Block Risky/Compromised User From Entrust |
Entrust identity as Service |
1 |
3 |
| Block URL - Cisco Firepower |
Cisco Firepower EStreamer |
1 |
5 |
| Block URL - Cisco Meraki |
CiscoMeraki |
1 |
3 |
| Block URL - F5 BIG-IP |
๐ Standalone |
1 |
3 |
| Block URL - Palo Alto PAN-OS |
๐ Standalone |
1 |
3 |
| Block URL - Palo Alto Wildfire and PAN-OS |
๐ Standalone |
1 |
3 |
| Block URL From Teams - Palo Alto Wildfire and PAN-OS |
๐ Standalone |
1 |
3 |
| Block URLs - ForcepointNGFW |
๐ Standalone |
1 |
3 |
| Block_IPs_on_MDATP_Using_GraphSecurity |
๐ Standalone |
1 |
2 |
| BlockADOnPremUser |
๐ Standalone |
1 |
3 |
| BlockIP-Azure Firewall New Rule |
Azure Firewall |
1 |
4 |
| BlockIP-Azure Firewall New Rule - Entity trigger |
Azure Firewall |
1 |
3 |
| Censys Add Incident Comment |
Censys |
1 |
8 |
| Censys Alert Enrichment |
Censys |
1 |
3 |
| Censys Entity Enrichment - Certificate |
Censys |
1 |
1 |
| Censys Entity Enrichment - Host |
Censys |
1 |
1 |
| Censys Entity Enrichment - Web Property |
Censys |
1 |
1 |
| Censys Incident Enrichment |
Censys |
1 |
0 |
| Change Incident Severity |
๐ Standalone |
1 |
2 |
| Change-Incident-Severity |
๐ Standalone |
1 |
3 |
| Check Point EM - Importer (Alerts โ Sentinel Incidents) |
Check Point Cyberint Alerts |
1 |
2 |
| Check Point Exposure Management - Credential Leak Validation and Response |
Check Point Cyberint Alerts |
1 |
3 |
| Check Point Exposure Management - Exporter (Sentinel โ Argos) |
Check Point Cyberint Alerts |
1 |
2 |
| Check Point Exposure Management - Fetch Attachments On-Demand |
Check Point Cyberint Alerts |
1 |
2 |
| Check Point Exposure Management - IOC Enrichment and Triage |
Check Point Cyberint Alerts |
1 |
5 |
| Check Point Exposure Management - Manual Status Update (Sentinel โ Argos) |
Check Point Cyberint Alerts |
1 |
2 |
| Check Point Exposure Management - Phishing Takedown |
Check Point Cyberint Alerts |
1 |
4 |
| Check Point Exposure Management - Vulnerability Exploitation Monitoring |
Check Point Cyberint Alerts |
1 |
2 |
| CheckPhish - Get URL reputation |
CheckPhish by Bolster |
1 |
2 |
| checkpoint-add-host-to-group |
Check Point |
1 |
1 |
| Cisco ASA - Create or Inbound Access Rule On Interface |
CiscoASA |
1 |
3 |
| Cisco ASA - Create or Inbound Access Rule On Interface |
๐ Standalone |
1 |
3 |
| Cisco ASA - Create or remove access rules on an interface for IP Addresses |
CiscoASA |
1 |
3 |
| Cisco ASA - Create or remove access rules on an interface for IP Addresses |
๐ Standalone |
1 |
3 |
| CiscoISE-False Positives Clear Policies |
Cisco ISE |
1 |
1 |
| CiscoISE-SuspendGuestUser |
Cisco ISE |
1 |
2 |
| CiscoISE-TakeEndpointActionFromTeams |
Cisco ISE |
1 |
12 |
| CiscoSDWANIntrusionLogicAPP |
Cisco SD-WAN |
1 |
1 |
| CiscoSDWANLogicAPP |
Cisco SD-WAN |
1 |
0 |
| CiscoUmbrella-AddIpToDestinationList |
CiscoUmbrella |
1 |
0 |
| CiscoUmbrella-AssignPolicyToIdentity |
CiscoUmbrella |
1 |
0 |
| CiscoUmbrella-BlockDomain |
CiscoUmbrella |
1 |
2 |
| CiscoUmbrella-GetDomainInfo |
CiscoUmbrella |
1 |
0 |
| Close Cohesity Helios Incident |
CohesitySecurity |
1 |
0 |
| Close-Incident-MCAS |
๐ Standalone |
1 |
2 |
| Close-SentinelIncident-from-ServiceNow |
๐ Standalone |
1 |
1 |
| Cohesity Create or Update ServiceNow incident |
CohesitySecurity |
1 |
0 |
| Cohesity Incident Email |
CohesitySecurity |
1 |
0 |
| Comment-OriginAlertURL |
๐ GitHub Only |
1 |
1 |
| Comment_RemediationSteps |
๐ GitHub Only |
1 |
3 |
| Comment_RemediationSteps |
๐ GitHub Only |
1 |
2 |
| Commvault Disable Data Aging Logic App Playbook |
Commvault Security IQ |
1 |
0 |
| Commvault Disable SAML Provider Logic App Playbook |
Commvault Security IQ |
1 |
0 |
| Commvault Disable User Logic App Playbook |
Commvault Security IQ |
1 |
0 |
| Confirm Microsoft Entra ID Risky User - Alert Triggered |
Microsoft Entra ID Protection |
1 |
3 |
| Confirm Microsoft Entra ID Risky User - Incident Triggered |
Microsoft Entra ID Protection |
1 |
2 |
| ConnectorHealthApp |
๐ GitHub Only |
1 |
0 |
| Create an Attack Simulator training simulation for users who did not report a phishing attempt |
Microsoft Defender XDR |
1 |
0 |
| Create And Update Jira Issue |
AtlassianJiraAudit |
1 |
0 |
| Create And Update ServiceNow Record |
Servicenow |
1 |
0 |
| Create Incident From Microsoft Forms Response |
SentinelSOARessentials |
1 |
1 |
| Create Incident From Shared Mailbox |
SentinelSOARessentials |
1 |
1 |
| Create Indicator - Minemeld |
Minemeld |
1 |
6 |
| Create Indicator - OpenCTI |
OpenCTI |
1 |
6 |
| Create Jira Issue |
AzureSecurityBenchmark |
1 |
0 |
| Create Jira Issue |
CybersecurityMaturityModelCertification(CMMC)2.0 |
1 |
0 |
| Create Jira Issue |
MaturityModelForEventLogManagementM2131 |
1 |
0 |
| Create Jira Issue |
NISTSP80053 |
1 |
0 |
| Create Jira Issue |
ZeroTrust(TIC3.0) |
1 |
0 |
| Create Jira Issue alert-trigger |
AtlassianJiraAudit |
1 |
1 |
| Create Jira Issue incident-trigger |
AtlassianJiraAudit |
1 |
0 |
| Create Observable - EclecticIQ |
EclecticIQ |
1 |
6 |
| Create ServiceNow record - Alert trigger |
Servicenow |
1 |
1 |
| Create ServiceNow record - Incident trigger |
Servicenow |
1 |
0 |
| Create Zendesk ticket |
๐ Standalone |
1 |
0 |
| Create-AzureDevOpsTask |
AzureSecurityBenchmark |
1 |
1 |
| Create-AzureDevOpsTask |
CybersecurityMaturityModelCertification(CMMC)2.0 |
1 |
1 |
| Create-AzureDevOpsTask |
MaturityModelForEventLogManagementM2131 |
1 |
1 |
| Create-AzureDevOpsTask |
NISTSP80053 |
1 |
1 |
| Create-AzureDevOpsTask |
ZeroTrust(TIC3.0) |
1 |
1 |
| Create-AzureDevOpsTask-alert-trigger |
๐ Standalone |
1 |
1 |
| Create-AzureDevOpsTask-incident-trigger |
๐ Standalone |
1 |
1 |
| Create-AzureSnapshot |
๐ GitHub Only |
1 |
2 |
| Create-IBMResilientIncident |
๐ Standalone |
1 |
3 |
| Create-Incident-Logic-App |
๐ Standalone |
1 |
0 |
| Create-incident-on-missing-Data-Source |
๐ Standalone |
1 |
1 |
| credential-warning |
Flare |
1 |
0 |
| CrowdSecurity-Suspicious-Login-Detection |
๐ GitHub Only |
0 |
5 |
| Crowdstrike-ResponsefromTeams |
๐ Standalone |
1 |
3 |
| Cybersixgill-Alert-Status-Update |
Cybersixgill-Actionable-Alerts |
1 |
0 |
| Cyble-IOC_Enrichment-Playbook |
Cyble Vision |
1 |
1 |
| Cyble-Threat-Intel-Playbook |
๐ Standalone |
1 |
1 |
| Cyble-ThreatIntelligence-Ingest-Playbook |
Cyble Vision |
1 |
1 |
| CybleVisionAlert_Status_Update |
Cyble Vision |
1 |
0 |
| Cyjax Add Comment To Incident |
Cyjax |
1 |
3 |
| Cyjax Incident Enrichment |
Cyjax |
1 |
0 |
| DataminrPulseAlertEnrichment |
Dataminr Pulse |
1 |
2 |
| Dataverse: Add SharePoint sites to watchlist |
Microsoft Business Applications |
1 |
1 |
| Dataverse: Add user to blocklist (alert trigger) |
Microsoft Business Applications |
1 |
1 |
| Dataverse: Add user to blocklist (incident trigger) |
Microsoft Business Applications |
1 |
3 |
| Dataverse: Add user to blocklist using Outlook approval workflow |
Microsoft Business Applications |
1 |
4 |
| Dataverse: Add user to blocklist using Teams approval workflow |
Microsoft Business Applications |
1 |
4 |
| Dataverse: Remove user from blocklist |
Microsoft Business Applications |
1 |
1 |
| Dataverse: Send notification to manager |
Microsoft Business Applications |
1 |
3 |
| Delete Cohesity incident blobs |
CohesitySecurity |
1 |
0 |
| Delete-Cybersixgill-Alert |
Cybersixgill-Actionable-Alerts |
1 |
0 |
| Digital Shadows Playbook to Update Incident Status |
Digital Shadows |
1 |
4 |
| Dismiss Microsoft Entra ID Risky User - Alert Triggered |
Microsoft Entra ID Protection |
1 |
3 |
| Dismiss Microsoft Entra ID Risky User โ Incident Triggered |
Microsoft Entra ID Protection |
1 |
2 |
| DNSDB_Co_Located_Hosts |
Farsight DNSDB |
1 |
2 |
| DNSDB_Co_Located_IP_Address |
Farsight DNSDB |
1 |
2 |
| DNSDB_Historical_Address |
Farsight DNSDB |
1 |
2 |
| DNSDB_Historical_Hosts |
Farsight DNSDB |
1 |
2 |
| Domain ASIM Enrichment - DomainTools Iris Enrich |
DomainTools |
1 |
0 |
| Domain Breach Data - SpyCloud Enterprise |
SpyCloud Enterprise Protection |
1 |
3 |
| Domain Enrichment - DomainTools Iris Enrich |
DomainTools |
1 |
5 |
| Domain Enrichment - DomainTools Iris Investigate |
DomainTools |
1 |
9 |
| DomainTools DNSDB Co-Located Hosts |
DomainTools |
1 |
4 |
| DomainTools DNSDB Co-Located IP Addresses |
DomainTools |
1 |
3 |
| DomainTools DNSDB Historical Hosts |
DomainTools |
1 |
3 |
| DomainTools DNSDB Historical IP Addresses |
DomainTools |
1 |
4 |
| ElasticSearch-EnrichIncident |
Elastic Search |
1 |
7 |
| Email Address Breach Data - SpyCloud Enterprise |
SpyCloud Enterprise Protection |
1 |
3 |
| Endpoint enrichment - Carbon Black |
VMware Carbon Black Cloud |
1 |
2 |
| Endpoint enrichment - Crowdstrike |
CrowdStrike Falcon Endpoint Protection |
1 |
2 |
| Endpoint take action from Teams - Carbon Black |
VMware Carbon Black Cloud |
1 |
3 |
| Enrich Dynatrace Application Security Attack Incident |
Dynatrace |
1 |
0 |
| Enrich Dynatrace Application Security Attack with related Microsoft Defender XDR insights |
Dynatrace |
1 |
0 |
| Enrich Dynatrace Application Security Attack with related Microsoft Sentinel Security Alerts |
Dynatrace |
1 |
0 |
| Enrich file hash entities - Intezer Analyze |
๐ Standalone |
1 |
5 |
| Enrich file hashes entities - MalwareBazaar |
๐ Standalone |
1 |
4 |
| Enrich Incident - EclecticIQ |
EclecticIQ |
1 |
6 |
| Enrich Incident - Zero Networks Acccess Orchestrator |
ZeroNetworks |
1 |
2 |
| Enrich Incidents - ShadowByte Aria |
ShadowByte Aria |
1 |
2 |
| Enrich MD5 and SHA1 entities - CIRCL hashlookup |
๐ Standalone |
1 |
4 |
| Enrich multiple entities - AlienVault-OTX |
๐ Standalone |
1 |
9 |
| Enrich-Sentinel-IPQualityScore-Email-Address-Reputation |
IPQualityScore |
1 |
3 |
| Enrich-Sentinel-IPQualityScore-IP-Address-Reputation |
IPQualityScore |
1 |
3 |
| Enrich-Sentinel-IPQualityScore-Phone-Number-Reputation |
IPQualityScore |
1 |
3 |
| Enrich-Sentinel-IPQualityScore-URL-Reputation |
IPQualityScore |
1 |
3 |
| Enrich-SentinelIncident-MDATPTVM |
๐ Standalone |
1 |
4 |
| Enrich_Sentinel_IPQualityScore_Domain_Reputation |
IPQualityScore |
1 |
3 |
| EnrichIP-GeoInfo-Neustar |
Neustar IP GeoPoint |
1 |
2 |
| Enrichment IP - F5 BIG-IP |
๐ Standalone |
1 |
2 |
| Enrichment IP - Forcepoint |
๐ Standalone |
1 |
2 |
| Enrichment URL - Forcepoint |
๐ Standalone |
1 |
2 |
| Entity (IP, URL, FileHash) Enrichment - Minemeld |
Minemeld |
1 |
2 |
| Entity (IP, URL, FileHash, Account, Host) Enrichment - OpenCTI |
OpenCTI |
1 |
6 |
| Export all Incident Entities to TISC |
ServiceNow TISC |
1 |
0 |
| Export Domain Entity to TISC |
ServiceNow TISC |
1 |
0 |
| Export Hash Entity to TISC |
ServiceNow TISC |
1 |
0 |
| Export IP Entity to TISC |
ServiceNow TISC |
1 |
0 |
| Export URL Entity to TISC |
ServiceNow TISC |
1 |
0 |
| Fetch IP Details From Entrust |
Entrust identity as Service |
1 |
3 |
| Fetch IP Details From Entrust - Entity |
Entrust identity as Service |
1 |
2 |
| Fetch Security Posture from Prisma Cloud |
PaloAltoPrismaCloud |
1 |
3 |
| Fetch Threat Intel from fortiwebcloud |
Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel |
1 |
1 |
| Fetch Threat Intel from ThreatX |
ThreatXCloud |
1 |
2 |
| Fetch User Details From Entrust |
Entrust identity as Service |
1 |
3 |
| Fetch User Details From Entrust - Entity |
Entrust identity as Service |
1 |
2 |
| FileHash Enrichment - Palo Alto Wildfire |
๐ Standalone |
1 |
3 |
| FileHash Enrichment - Virus Total Report - Alert Triggered |
VirusTotal |
1 |
4 |
| FileHash Enrichment - Virus Total Report - Incident Triggered |
VirusTotal |
1 |
3 |
| Forescout-DNS_Sniff_Event_Playbook |
ForescoutHostPropertyMonitor |
1 |
1 |
| Fortinet-FortiGate-IPEnrichment |
Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel |
1 |
2 |
| Fortinet-FortiGate-ResponseOnBlockIP |
Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel |
1 |
4 |
| Fortinet-FortiGate-ResponseOnBlockURL |
Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel |
1 |
4 |
| Fortinet_IncidentEnrichment |
๐ GitHub Only |
1 |
2 |
| Fortinet_ResponseOnIP |
๐ GitHub Only |
1 |
4 |
| Fortinet_ResponseOnURL |
๐ GitHub Only |
1 |
4 |
| Four Playbook templates - F5BigIP |
๐ Standalone |
1 |
8 |
| GCP-DisableServiceAccountFromTeams |
GoogleCloudPlatformIAM |
1 |
12 |
| GCP-DisableServiceAccountKey |
GoogleCloudPlatformIAM |
1 |
1 |
| GCP-EnrichServiseAccountInfo |
GoogleCloudPlatformIAM |
1 |
1 |
| Generate-Incident-Logic-App |
๐ Standalone |
1 |
0 |
| Get Account Breaches - HaveIBeenPwned |
๐ Standalone |
1 |
2 |
| Get Sentinel Alerts Evidence - incident trigger |
๐ Standalone |
1 |
0 |
| Get Site Breaches - HaveIBeenPwned |
๐ Standalone |
1 |
2 |
| Get System Info - Palo Alto PAN-OS XML API |
PaloAlto-PAN-OS |
1 |
1 |
| Get System Info - Palo Alto PAN-OS XML API |
๐ Standalone |
1 |
1 |
| Get Threat PCAP - Palo Alto PAN-OS XML API |
PaloAlto-PAN-OS |
1 |
3 |
| Get Threat PCAP - Palo Alto PAN-OS XML API |
๐ Standalone |
1 |
1 |
| Get-AD4IoTDeviceCVEs - Alert |
๐ Standalone |
1 |
3 |
| Get-AD4IoTDeviceCVEs - Incident |
IoTOTThreatMonitoringwithDefenderforIoT |
1 |
2 |
| Get-AD4IoTDeviceCVEs - Incident |
๐ Standalone |
1 |
2 |
| Get-AlertEntitiesEnrichment |
๐ GitHub Only |
0 |
2 |
| Get-ASCRecommendations |
๐ Standalone |
1 |
4 |
| Get-ASCRecommendations |
๐ Standalone |
1 |
3 |
| Get-CompromisedPasswords |
๐ GitHub Only |
1 |
4 |
| Get-GeoFromIpAndTagIncident |
๐ Standalone |
1 |
4 |
| Get-GeoFromIpAndTagIncident |
๐ Standalone |
1 |
3 |
| Get-GeoFromIPandTagIncident-EmailAlertBasedonGeo |
๐ GitHub Only |
1 |
7 |
| Get-MachineData-EDR-SOAR-ActionsOnMachine |
๐ GitHub Only |
1 |
1 |
| Get-MDATPVulnerabilities |
๐ GitHub Only |
1 |
3 |
| Get-MDEFileActivityWithin30Mins |
๐ GitHub Only |
1 |
4 |
| Get-MDEInvestigationPackage |
๐ Standalone |
1 |
3 |
| Get-MDEInvestigationPackage |
๐ Standalone |
1 |
2 |
| Get-MDEInvestigationPackage-Entity-Trigger |
๐ Standalone |
1 |
1 |
| Get-MDEProcessActivityWithin30Mins |
๐ GitHub Only |
1 |
4 |
| Get-MDEStatistics |
๐ Standalone |
1 |
6 |
| Get-MDEStatistics |
๐ Standalone |
1 |
5 |
| Get-Recipients-EmailMessageID-containing-URL |
๐ GitHub Only |
1 |
3 |
| Get-SentinelAlertsEvidence |
๐ Standalone |
1 |
0 |
| Get-SOC-Actions |
SOC-Process-Framework |
1 |
0 |
| Get-SOCActions |
๐ Standalone |
1 |
3 |
| Get-SOCTasks |
๐ Standalone |
1 |
5 |
| Get-VTURLPositivesComment |
๐ GitHub Only |
1 |
3 |
| Google Cloud Platform BigQuery - Create Wtchlist with BigQuery Table Data |
Google Cloud Platform BigQuery |
1 |
2 |
| Google Cloud Platform BigQuery - Enrich Incident with BigQuery Table Data |
Google Cloud Platform BigQuery |
1 |
1 |
| Google Cloud Platform BigQuery - Query BigQuery Table |
Google Cloud Platform BigQuery |
1 |
1 |
| Google Directory - Enrich Incident With User Info |
GoogleDirectory |
1 |
2 |
| Google Directory - Sign Out User |
GoogleDirectory |
1 |
3 |
| Google Directory - Suspend User |
GoogleDirectory |
1 |
3 |
| Google Threat Intelligence - Domain Enrichment |
Google Threat Intelligence |
1 |
1 |
| Google Threat Intelligence - FileHash Enrichment |
Google Threat Intelligence |
1 |
1 |
| Google Threat Intelligence - IOC Enrichment |
Google Threat Intelligence |
1 |
6 |
| Google Threat Intelligence - IOC Enrichment |
Google Threat Intelligence |
1 |
5 |
| Google Threat Intelligence - IoC Stream |
Google Threat Intelligence |
1 |
1 |
| Google Threat Intelligence - IP Enrichment |
Google Threat Intelligence |
1 |
1 |
| Google Threat Intelligence - Threat List |
Google Threat Intelligence |
1 |
1 |
| Google Threat Intelligence - URL Enrichment |
Google Threat Intelligence |
1 |
1 |
| GreyNoise-IP-CommunityEnrichment |
๐ Standalone |
1 |
5 |
| GreyNoise-IP-Enrichment |
๐ Standalone |
1 |
5 |
| Guardicore-ProcessIncidentEnrichment |
Akamai Guardicore |
1 |
0 |
| HaveIBeenPwnedEmail |
๐ Standalone |
1 |
4 |
| HYASInsight Enrich Incident By C2 Attribution |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By C2 Attribution |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By C2 Attribution Information |
HYAS |
1 |
4 |
| HYASInsight Enrich Incident By C2 Attribution Information |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By C2Attribution Info |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By Dynamic DNS |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By Dynamic DNS Information |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By DynamicDNS Info |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By Geo Location Information |
HYAS |
1 |
4 |
| HYASInsight Enrich Incident By Malware Information |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By Malware Sample Info |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By OS Indicator Info |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By OS Indicator Information |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By OS Indicator Information |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By Passive DNS Information |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By Passive Hash Info |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By Passive Hash Information |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By Sample Data Information |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By SinkHole Information |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By SSL Certificate Info |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By SSL Certificate Information |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By WHOIS |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By WHOIS Current Info |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By WHOIS Info |
HYAS |
1 |
3 |
| HYASInsight Enrich Incident By WHOIS Info |
HYAS |
1 |
3 |
| IBMResilient-Incidents |
๐ Standalone |
1 |
4 |
| Identity Protection response from Teams |
Microsoft Entra ID Protection |
1 |
5 |
| Identity Protection response from Teams |
๐ Standalone |
1 |
5 |
| IdentityProtection-EmailResponse |
๐ Standalone |
1 |
3 |
| Illumio Containment Switch Playbook |
IllumioSaaS |
1 |
0 |
| Illumio Get Ven Details Playbook |
IllumioSaaS |
1 |
0 |
| Illumio Workload Quarantine Playbook |
IllumioSaaS |
1 |
0 |
| Illusive-SentinelIncident-Enrichment |
Illusive Active Defense |
1 |
6 |
| Illusive-SentinelIncident-Response |
Illusive Active Defense |
1 |
3 |
| Incident Assignment Shifts |
SentinelSOARessentials |
1 |
2 |
| Incident tasks - Microsoft Defender XDR BEC Playbook for SecOps |
SentinelSOARessentials |
1 |
0 |
| Incident tasks - Microsoft Defender XDR Phishing Playbook for SecOps |
SentinelSOARessentials |
1 |
0 |
| Incident tasks - Microsoft Defender XDR Ransomware Playbook for SecOps |
SentinelSOARessentials |
1 |
0 |
| Incident trigger empty playbook |
๐ Standalone |
1 |
0 |
| Incident Trigger Entity Analyzer |
SentinelSOARessentials |
1 |
5 |
| Incident-Status-Sync-To-WDATP |
๐ GitHub Only |
0 |
2 |
| Infoblox Incident Enrichment Domains |
Infoblox Cloud Data Connector |
1 |
3 |
| Infoblox Incident Send Email |
Infoblox Cloud Data Connector |
1 |
1 |
| Infoblox SOC Get Insight Details |
Infoblox SOC Insights |
1 |
2 |
| Infoblox SOC Import Indicators TI |
Infoblox SOC Insights |
1 |
0 |
| Infoblox-Block-Allow-IP-Domain-Incident-Based |
Infoblox |
1 |
0 |
| Infoblox-DHCP-Lookup |
Infoblox |
1 |
8 |
| Infoblox-IPAM-Lookup |
Infoblox |
1 |
9 |
| Infoblox-SOC-Get-Insight-Details |
Infoblox |
1 |
2 |
| Infoblox-SOC-Import-Indicators-TI |
Infoblox |
1 |
0 |
| Infoblox-TIDE-Lookup-Comment-Enrichment |
Infoblox |
1 |
17 |
| Infoblox-TIDE-Lookup-Via-Incident |
Infoblox |
1 |
0 |
| Infoblox-TimeRangeBased-DHCP-Lookup |
Infoblox |
1 |
9 |
| InfrequentCountryTriage |
๐ GitHub Only |
0 |
3 |
| Ingest Microsoft Defender XDR insights into Dynatrace |
Dynatrace |
1 |
0 |
| Ingest Microsoft Sentinel Security Alerts into Dynatrace |
Dynatrace |
1 |
0 |
| Intel 471 Malware Intelligence to Sentinel |
Intel471 |
1 |
1 |
| IP Address Breach Data - SpyCloud Enterprise |
SpyCloud Enterprise Protection |
1 |
3 |
| IP Address Enrichment - Cisco Meraki |
CiscoMeraki |
1 |
2 |
| IP Enrichment - DomainTools Parsed Whois |
DomainTools |
1 |
8 |
| IP Enrichment - Virus Total Report - Incident Triggered |
VirusTotal |
1 |
3 |
| IP Enrichment - Virus Total Report - Alert Triggered |
VirusTotal |
1 |
4 |
| IP Enrichment - Virus Total Report - Entity Trigger |
VirusTotal |
1 |
0 |
| IronNet_UpdateSentinelIncidents |
IronNet IronDefense |
1 |
3 |
| Isolate endpoint - Carbon Black |
VMware Carbon Black Cloud |
1 |
3 |
| Isolate endpoint - Crowdstrike |
CrowdStrike Falcon Endpoint Protection |
1 |
3 |
| Isolate endpoint - MDE - Incident Triggered |
MicrosoftDefenderForEndpoint |
1 |
3 |
| Isolate MDE Machine - Alert Triggered |
MicrosoftDefenderForEndpoint |
1 |
4 |
| Isolate MDE Machine using entity trigger |
MicrosoftDefenderForEndpoint |
1 |
2 |
| Isolate-AzureStorageAccount |
๐ Standalone |
1 |
3 |
| Isolate-AzureVMtoNSG |
๐ Standalone |
1 |
3 |
| Isolate-AzVM |
๐ Standalone |
1 |
3 |
| Jamf Protect - Remote lock computer with Jamf Pro |
Jamf Protect |
1 |
1 |
| Jamf Protect - Set Alert to In Progress |
Jamf Protect |
1 |
1 |
| Jamf Protect - Set Alert to Resolved |
Jamf Protect |
1 |
1 |
| JoeSandbox File Analyis |
JoeSandbox |
1 |
3 |
| JoeSandbox URL Analyis |
JoeSandbox |
1 |
5 |
| Joshua Intel Enrichment File |
Joshua-Cyberiskvision |
1 |
3 |
| Joshua Intel Enrichment IP |
Joshua-Cyberiskvision |
1 |
3 |
| Joshua Intel Enrichment URL |
Joshua-Cyberiskvision |
1 |
3 |
| Log4jIndicatorProcessor |
Apache Log4j Vulnerability Detection |
1 |
1 |
| Logic Apps Custom Connector and Playbook templates - HaveIBeenPwned |
๐ Standalone |
1 |
10 |
| Logic Apps Custom Connector and Playbook templates - Palo Alto Wildfire and PAN-OS |
๐ Standalone |
1 |
9 |
| Logic Apps Custom Connectors and Playbook templates - ForcepointNGFW |
๐ Standalone |
1 |
17 |
| Lookout-DeviceCompliance-Remediation |
Lookout |
1 |
3 |
| Lookout-MobileThreat-NotifyAndEnrich |
Lookout |
1 |
3 |
| Lookout-SmishingAlert-UserNotify |
Lookout |
1 |
2 |
| MDTI-Automated-Triage |
Microsoft Defender Threat Intelligence |
1 |
6 |
| MDTI-Data-Cookies |
Microsoft Defender Threat Intelligence |
1 |
4 |
| MDTI-Data-PassiveDns |
Microsoft Defender Threat Intelligence |
1 |
4 |
| MDTI-Data-ReverseDnS |
Microsoft Defender Threat Intelligence |
1 |
4 |
| MDTI-Data-Trackers |
Microsoft Defender Threat Intelligence |
1 |
4 |
| MDTI-Data-WebComponents |
Microsoft Defender Threat Intelligence |
1 |
4 |
| MDTI-Intel-Reputation |
Microsoft Defender Threat Intelligence |
1 |
4 |
| MTI Threat Actor Lookup |
๐ Standalone |
2 |
12 |
| Needs-Review-Incident-Email-Notification |
Armorblox |
1 |
0 |
| NetskopeWebTxErrorEmail |
Netskopev2 |
1 |
0 |
| new-inc-notification | Standalone | 1 | 0 |
| Notify Incident Owner in Microsoft Teams | SentinelSOARessentials | 1 | 0 |
| Notify Sentinel Incident Creation and Update to Torq Webhook | Torq | 1 | 0 |
| Notify When Incident Is Closed | SentinelSOARessentials | 1 | 0 |
| Notify When Incident Is Reopened | SentinelSOARessentials | 1 | 0 |
| Notify When Incident Severity Changed | SentinelSOARessentials | 1 | 0 |
| Notify-ASCAlertAzureResource | Standalone | 1 | 1 |
| Notify-GovernanceComplianceTeam | AzureSecurityBenchmark | 1 | 0 |
| Notify-GovernanceComplianceTeam | ZeroTrust(TIC3.0) | 1 | 0 |
| Notify-InsiderRiskTeam | MicrosoftPurviewInsiderRiskManagement | 1 | 0 |
| Notify-LogManagementTeam | MaturityModelForEventLogManagementM2131 | 1 | 0 |
| Notify_GovernanceComplianceTeam | CybersecurityMaturityModelCertification(CMMC)2.0 | 1 | 0 |
| Notify_GovernanceComplianceTeam | NISTSP80053 | 1 | 0 |
| O365 - Block Malware file extensions | Microsoft Defender for Office 365 | 1 | 2 |
| O365 - Block Sender Entity Trigger | Microsoft Defender for Office 365 | 1 | 1 |
| O365 - Block Spam Domain | Microsoft Defender for Office 365 | 1 | 3 |
| O365 - Block Suspicious Sender | Microsoft Defender for Office 365 | 1 | 3 |
| O365 - Delete All Malicious Inbox Rule | Microsoft Defender for Office 365 | 1 | 1 |
| Open-ServiceDeskPlusOnDemand-Ticket | Standalone | 1 | 1 |
| PaloAlto-PAN-OS-BlockIP | PaloAlto-PAN-OS | 1 | 3 |
| PaloAlto-PAN-OS-BlockURL | PaloAlto-PAN-OS | 1 | 3 |
| PaloAlto-PAN-OS-BlockURL-EntityTrigger | PaloAlto-PAN-OS | 1 | 2 |
| PaloAlto-PAN-OS-GetURLCategoryInfo | PaloAlto-PAN-OS | 1 | 2 |
| PaloAlto-PAN-OS-GetURLCategoryInfo | Standalone | 1 | 2 |
| PaloAltoXDR | Palo Alto - XDR (Cortex) | 1 | 4 |
| Post Message Slack | SentinelSOARessentials | 1 | 1 |
| Post Message Slack | SentinelSOARessentials | 1 | 0 |
| Post Message Slack Via Webhook | Standalone | 1 | 0 |
| Post Message Teams | SentinelSOARessentials | 1 | 1 |
| Post Message Teams | SentinelSOARessentials | 1 | 0 |
| Post-Message-Slack | SentinelSOARessentials | 1 | 1 |
| Post-Message-Teams | SentinelSOARessentials | 1 | 1 |
| Post-Tags-And-Comments-To-Your-IntSights-Account | Standalone | 1 | 0 |
| Prompt Okta user | Okta Single Sign-On | 1 | 4 |
| Prompt User - Alert | Microsoft Entra ID | 1 | 5 |
| Prompt User - Incident | Microsoft Entra ID | 1 | 4 |
| ProofpointTAP-AddForensicsInfoToIncident | ProofPointTap | 1 | 1 |
| Pure Storage FlashBlade File System Snapshot | Pure Storage | 1 | 2 |
| Pure Storage Protection Group Snapshot | Pure Storage | 1 | 1 |
| Pure Storage User Deletion | Pure Storage | 1 | 2 |
| Pure Storage Volume Snapshot | Pure Storage | 1 | 1 |
| QualysVM-GetAssetDetails | QualysVM | 1 | 2 |
| QualysVM-GetAssets-ByCVEID | QualysVM | 1 | 1 |
| QualysVM-GetAssets-ByOpenPort | QualysVM | 1 | 1 |
| QualysVM-LaunchVMScan-GenerateReport | QualysVM | 1 | 2 |
| Query Azure Resource Graph and enrich sentinel incident | Standalone | 1 | 4 |
| Rapid7 Insight VM - Enrich incident with asset info | Rapid7InsightVM | 1 | 2 |
| Rapid7 Insight VM - Enrich vulnerability info | Rapid7InsightVM | 1 | 2 |
| Rapid7 Insight VM - Run scan | Rapid7InsightVM | 1 | 3 |
| RecordedFuture-Alert-Importer | Recorded Future | 1 | 2 |
| RecordedFuture-IOC_Enrichment | Recorded Future | 1 | 4 |
| RecordedFuture-Playbook-Alert-Importer | Recorded Future | 1 | 2 |
| RecordedFuture-Sandbox_Enrichment-Url | Recorded Future | 1 | 2 |
| RecordedFuture-Sandbox_Outlook_Attachment | Recorded Future | 1 | 2 |
| RecordedFuture-Sandbox_StorageAccount | Recorded Future | 1 | 2 |
| RecordedFuture-ThreatIntelligenceImport | Recorded Future | 1 | 1 |
| Relate alerts to incident by IP | SentinelSOARessentials | 1 | 4 |
| Remediate assets on prisma cloud | PaloAltoPrismaCloud | 1 | 2 |
| Remove-MDEAppExecution | Standalone | 1 | 4 |
| Remove-MDEAppExecution | Standalone | 1 | 3 |
| Reopen-Incident-With-Incomplete-Tasks | Standalone | 1 | 2 |
| Reset Microsoft Entra ID User Password - Alert Trigger | Microsoft Entra ID | 1 | 0 |
| Reset Microsoft Entra ID User Password - Entity trigger | Microsoft Entra ID | 1 | 0 |
| Reset Microsoft Entra ID User Password - Incident Trigger | Microsoft Entra ID | 1 | 0 |
| Response on Okta user from Teams | Okta Single Sign-On | 1 | 3 |
| Response on Teams - HaveIBeenPwned | Standalone | 1 | 3 |
| Restore From Last Cohesity Snapshot | CohesitySecurity | 1 | 0 |
| Restrict MDE App Execution - Alert Triggered | MicrosoftDefenderForEndpoint | 1 | 4 |
| Restrict MDE App Execution - Incident Triggered | MicrosoftDefenderForEndpoint | 1 | 3 |
| Restrict MDE Domain - Alert Triggered | MicrosoftDefenderForEndpoint | 1 | 2 |
| Restrict MDE Domain - Entity Triggered | MicrosoftDefenderForEndpoint | 1 | 0 |
| Restrict MDE Domain - Incident Triggered | MicrosoftDefenderForEndpoint | 1 | 2 |
| Restrict MDE FileHash - Alert Triggered | MicrosoftDefenderForEndpoint | 1 | 4 |
| Restrict MDE FileHash - Entity Triggered | MicrosoftDefenderForEndpoint | 1 | 2 |
| Restrict MDE FileHash - Incident Triggered | MicrosoftDefenderForEndpoint | 1 | 3 |
| Restrict MDE Ip Address - Alert Triggered | MicrosoftDefenderForEndpoint | 1 | 3 |
| Restrict MDE Ip Address - Entity Triggered | MicrosoftDefenderForEndpoint | 1 | 0 |
| Restrict MDE Ip Address - Incident Triggered | MicrosoftDefenderForEndpoint | 1 | 2 |
| Restrict MDE Url - Alert Triggered | MicrosoftDefenderForEndpoint | 1 | 3 |
| Restrict MDE URL - Entity Triggered | MicrosoftDefenderForEndpoint | 1 | 0 |
| Restrict MDE Url - Incident Triggered | MicrosoftDefenderForEndpoint | 1 | 2 |
| Retrieve Alert from Microsoft Sentinel and Trigger a Blink Workflow via Webhook | BlinkOps | 1 | 0 |
| Retrieve Incident from Microsoft Sentinel and Trigger a Blink Workflow via Webhook | BlinkOps | 1 | 0 |
| Revoke Entra ID Sign-in session using entity trigger | Microsoft Entra ID | 1 | 0 |
| Revoke Entra ID SignIn Sessions - incident trigger | Microsoft Entra ID | 1 | 2 |
| Revoke-Entra ID SignInSessions alert trigger | Microsoft Entra ID | 1 | 3 |
| RFI-Playbook-Alert-Importer-LAW-Sentinel (DEPRECATED) | Recorded Future Identity | 1 | 2 |
| RiskIQ Data Summary Alert | RiskIQ | 1 | 5 |
| RiskIQ Data Summary Incident | RiskIQ | 1 | 4 |
| RiskIQ-Automated-Triage-Alert | RiskIQ | 1 | 7 |
| RiskIQ-Automated-Triage-Incident | RiskIQ | 1 | 6 |
| RiskIQ-Data-PassiveDns | RiskIQ | 1 | 5 |
| RiskIQ-Data-PassiveDns-Domain | RiskIQ | 1 | 3 |
| RiskIQ-Data-PassiveDns-Ip | RiskIQ | 1 | 3 |
| RiskIQ-Data-Summary-Domain-alert | RiskIQ | 1 | 3 |
| RiskIQ-Data-Summary-Domain-incident | RiskIQ | 1 | 2 |
| RiskIQ-Data-Summary-Ip-Alert | RiskIQ | 1 | 3 |
| RiskIQ-Data-Summary-Ip-Incident | RiskIQ | 1 | 2 |
| RiskIQ-Data-Whois | RiskIQ | 1 | 5 |
| RiskIQ-Data-Whois-Domain | RiskIQ | 1 | 3 |
| RiskIQ-Data-Whois-Ip | RiskIQ | 1 | 3 |
| RiskIQ-Intel-Reputation-Alert | RiskIQ | 1 | 5 |
| RiskIQ-Intel-Reputation-Domain-Alert | RiskIQ | 1 | 3 |
| RiskIQ-Intel-Reputation-Domain-Incident | RiskIQ | 1 | 2 |
| RiskIQ-Intel-Reputation-Incident | RiskIQ | 1 | 4 |
| RiskIQ-Intel-Reputation-Ip-Alert | RiskIQ | 1 | 3 |
| RiskIQ-Intel-Reputation-Ip-Incident | RiskIQ | 1 | 2 |
| RiskIQ-Intel-Summary-Alert | RiskIQ | 1 | 5 |
| RiskIQ-Intel-Summary-Domain-Alert | RiskIQ | 1 | 3 |
| RiskIQ-Intel-Summary-Domain-Incident | RiskIQ | 1 | 2 |
| RiskIQ-Intel-Summary-Incident | RiskIQ | 1 | 4 |
| RiskIQ-Intel-Summary-Ip-Alert | RiskIQ | 1 | 3 |
| RiskIQ-Intel-Summary-Ip-Incident | RiskIQ | 1 | 2 |
| Rubrik Advanced Threat Hunt | RubrikSecurityCloud | 1 | 2 |
| Rubrik Anomaly Analysis | RubrikSecurityCloud | 1 | 2 |
| Rubrik Anomaly Generate Downloadable Link | RubrikSecurityCloud | 1 | 2 |
| Rubrik Anomaly Incident Response | RubrikSecurityCloud | 1 | 0 |
| Rubrik Retrieve User Intelligence Information | RubrikSecurityCloud | 1 | 8 |
| Rubrik Turbo Threat Hunt | RubrikSecurityCloud | 1 | 2 |
| Rubrik Update Anomaly Status Via Incident | RubrikSecurityCloud | 1 | 2 |
| Rubrik User Intelligence Analysis | RubrikSecurityCloud | 1 | 10 |
| RubrikWorkloadAnalysis | RubrikSecurityCloud | 1 | 5 |
| Run MDE Antivirus - Alert Triggered | MicrosoftDefenderForEndpoint | 1 | 4 |
| Run MDE Antivirus - Incident Triggered | MicrosoftDefenderForEndpoint | 1 | 3 |
| Run-AzureVMPacketCapture | Standalone | 1 | 2 |
| Run-Notebook-After-Incident-Creation | Standalone | 1 | 0 |
| SAP - Lock User (Agentless Basic) | SAP | 1 | 3 |
| Security workflow: alert verification with workload owners | Microsoft Business Applications | 1 | 0 |
| Send basic email | SentinelSOARessentials | 1 | 0 |
| Send Email - HaveIBeenPwned | Standalone | 1 | 3 |
| Send email with formatted incident report | SentinelSOARessentials | 1 | 0 |
| Send incident email with XDR Portal links | SentinelSOARessentials | 1 | 0 |
| Send incident Teams Adaptive Card with XDR Portal links | SentinelSOARessentials | 1 | 0 |
| Send Microsoft Sentinel Incident To Cyware Orchestrate | Cyware | 1 | 0 |
| Send Teams Adaptive Card on incident creation | SentinelSOARessentials | 1 | 0 |
| Send Teams Adaptive Card on incident creation | Teams | 1 | 0 |
| Send-AzCommunicationsSMSMessage | Standalone | 1 | 1 |
| Send-AzCommunicationsSMSMessage | Standalone | 1 | 0 |
| Send-Sentinel-Alerts-to-Salem | SalemCyber | 1 | 1 |
| Send-UrlReport | Standalone | 1 | 2 |
| SendEmailonRSAIDPlusAlert | RSAIDPlus_AdminLogs_Connector | 1 | 0 |
| ServiceNow TISC Batch Indicator Uploader | ServiceNow TISC | 1 | 1 |
| ServiceNow TISC Incident Enrichment | ServiceNow TISC | 1 | 1 |
| Shodan - Enrich Domain Name | Shodan | 1 | 2 |
| Shodan - Enrich Incident IPs and Domain Names | Shodan | 1 | 4 |
| Shodan - Enrich IP Address | Shodan | 1 | 2 |
| SIGNL4 Alerting and Response | SIGNL4 | 1 | 0 |
| SlashNext Phishing Incident Investigation Playbook | SlashNext | 1 | 2 |
| SOCRadar-Alarm-Import | SOCRadar | 0 | 1 |
| SpectraAnalyze-EnrichFileHash | ReversingLabs | 1 | 2 |
| SpectraAnalyze-EnrichNetworkEntities | ReversingLabs | 1 | 6 |
| SpectraIntelligence-EnrichFileHash | ReversingLabs | 1 | 2 |
| SpectraIntelligence-EnrichNetworkEntities | ReversingLabs | 1 | 6 |
| Spur IP Enrichment | Spur | 1 | 4 |
| Spur IP Enrichment | Spur | 1 | 3 |
| spur_alert | Standalone | 1 | 0 |
| spur_alert | Standalone | 1 | 0 |
| SpyCloud Breach Information - SpyCloud Enterprise | SpyCloud Enterprise Protection | 1 | 2 |
| SpyCloud Malware Information - SpyCloud Enterprise | SpyCloud Enterprise Protection | 1 | 3 |
| Start-MDEAutomatedInvestigation | Standalone | 1 | 3 |
| Start-MDEAutomatedInvestigation | Standalone | 1 | 2 |
| StealthTalk - Alert to Microsoft Teams | StealthTalk | 1 | 0 |
| Sync - Incident Comment To M365D On Update | Standalone | 1 | 0 |
| Sync Jira from Sentinel - Create incident | AtlassianJiraAudit | 1 | 1 |
| Sync Jira to Sentinel - Assigned User | AtlassianJiraAudit | 1 | 1 |
| Sync Jira to Sentinel - public comments | AtlassianJiraAudit | 1 | 1 |
| Sync Jira to Sentinel - Status | AtlassianJiraAudit | 1 | 3 |
| Sync-Comments-to-M365Defender | GitHub Only | 1 | 0 |
| Tanium-ComplyFindings | Tanium | 1 | 4 |
| Tanium-GeneralHostInfo | Tanium | 1 | 4 |
| Tanium-ListSecurityPatches | Tanium | 1 | 4 |
| Tanium-MSDefenderHealth | Tanium | 1 | 4 |
| Tanium-QuarantineHosts | Tanium | 1 | 8 |
| Tanium-ResolveThreatResponseAlert | Tanium | 1 | 2 |
| Tanium-SCCMClientHealth | Tanium | 1 | 4 |
| Tanium-UnquarantineHosts | Tanium | 1 | 8 |
| Team Cymru Scout Create Incident And Notify | Team Cymru Scout | 1 | 8 |
| Team Cymru Scout Enrich Incident | Team Cymru Scout | 1 | 4 |
| Tenable VM - Enrich incident with asset info | Tenable App | 1 | 2 |
| Tenable VM - Enrich incident with vulnerability info | Tenable App | 1 | 2 |
| Tenable VM - Launch Scan | Tenable App | 1 | 1 |
| Tenable.io - Enrich incident with asset info | TenableIO | 1 | 2 |
| Tenable.io - Enrich incident with vulnerability info | TenableIO | 1 | 2 |
| Tenable.io - Launch Scan | TenableIO | 1 | 1 |
| The Hive - Create alert | TheHive | 1 | 0 |
| The Hive - Create case | TheHive | 1 | 2 |
| The Hive - Lock user | TheHive | 1 | 6 |
| TritonPlayook | GitHub Only | 1 | 10 |
| Unisolate MDE Machine - Alert Triggered | MicrosoftDefenderForEndpoint | 1 | 4 |
| Unisolate MDE Machine - Incident Triggered | MicrosoftDefenderForEndpoint | 1 | 3 |
| Unisolate MDE Machine using entity trigger | MicrosoftDefenderForEndpoint | 1 | 2 |
| Update Watchlist - CVE IPs by GreyNoise | Standalone | 1 | 5 |
| Update-BulkIncidents | Standalone | 1 | 4 |
| Update-VIPUsers-Watchlist-from-AzureAD-Group | Standalone | 1 | 0 |
| Update-Watchlist-With-NamedLocations | GitHub Only | 0 | 1 |
| URL Enrichment - Cisco Meraki | CiscoMeraki | 1 | 2 |
| URL Enrichment - Virus Total Domain Report - Alert Triggered | VirusTotal | 1 | 4 |
| URL Enrichment - Virus Total Domain Report - Incident Triggered | VirusTotal | 1 | 3 |
| URL Enrichment - Virus Total Report - Alert Triggered | VirusTotal | 1 | 4 |
| URL Enrichment - Virus Total Report - Incident Triggered | VirusTotal | 1 | 3 |
| URL Trigger Entity Analyzer | SentinelSOARessentials | 1 | 1 |
| URLhaus-CheckHashAndEnrichIncident | URLhaus | 1 | 2 |
| URLhaus-CheckHostAndEnrichIncident | URLhaus | 1 | 2 |
| URLhaus-CheckURLAndEnrichIncident | URLhaus | 1 | 2 |
| User enrichment - Okta | Okta Single Sign-On | 1 | 2 |
| Username Breach Data - SpyCloud Enterprise | SpyCloud Enterprise Protection | 1 | 3 |
| Vectra Add Note To Entity | Vectra XDR | 1 | 0 |
| Vectra Add Tag To Entity | Vectra XDR | 1 | 0 |
| Vectra Add Tag To Entity All Detections | Vectra XDR | 1 | 0 |
| Vectra Add Tag To Entity Selected Detections | Vectra XDR | 1 | 0 |
| Vectra Assign Dynamic User To Entity | Vectra XDR | 1 | 0 |
| Vectra Assign Static User To Entity | Vectra XDR | 1 | 0 |
| Vectra Close Detections | Vectra XDR | 1 | 1 |
| Vectra Decorate Incident Based On Tag | Vectra XDR | 1 | 1 |
| Vectra Decorate Incident Based On Tags And Notify | Vectra XDR | 1 | 1 |
| Vectra Download Pcap File To Storage | Vectra XDR | 1 | 2 |
| Vectra Dynamic Resolve Assignment | Vectra XDR | 1 | 0 |
| Vectra Incident Timeline Update | Vectra XDR | 1 | 2 |
| Vectra Mark Detections As Fixed | Vectra XDR | 1 | 1 |
| Vectra Open Closed Detections | Vectra XDR | 1 | 1 |
| Vectra Operate On Entity Source IP | Vectra XDR | 1 | 0 |
| Vectra Static Resolve Assignment | Vectra XDR | 1 | 0 |
| Vectra Update Incident Based on Tag And Notify | Vectra XDR | 1 | 0 |
| Veeam-ChangeCollectionTime | Veeam | 1 | 1 |
| Veeam-CollectConfigurationBackups | Veeam | 1 | 1 |
| Veeam-CollectCovewareFindings | Veeam | 1 | 1 |
| Veeam-CollectMalwareEvents | Veeam | 1 | 1 |
| Veeam-CollectSecurityComplianceAnalyzerResult | Veeam | 1 | 1 |
| Veeam-CollectVeeamAuthorizationEvents | Veeam | 1 | 1 |
| Veeam-CollectVeeamONEAlarms | Veeam | 1 | 1 |
| Veeam-FindCleanRestorePoints | Veeam | 1 | 2 |
| Veeam-PerformConfigurationBackupOnIncident | Veeam | 1 | 3 |
| Veeam-PerformInstantVMRecovery | Veeam | 1 | 3 |
| Veeam-PerformScanBackup | Veeam | 1 | 2 |
| Veeam-ResolveTriggeredAlarm | Veeam | 1 | 2 |
| Veeam-SetupConnections | Veeam | 1 | 6 |
| Veeam-StartQuickBackup | Veeam | 1 | 3 |
| VMRay Email Attachment Analyis | VMRay | 1 | 3 |
| VMRay URL Analyis | VMRay | 1 | 4 |
| Watchlist - Change Incident Severity and Title if User VIP - Alert Trigger | Watchlists Utilities | 1 | 0 |
| Watchlist - Change Incident Severity and Title if User VIP - Incident Trigger | Watchlists Utilities | 1 | 0 |
| Watchlist - close incidents with safe IPs | Watchlists Utilities | 1 | 3 |
| Watchlists - Inform Subscription Owner | Watchlists Utilities | 1 | 0 |
| workflow | SAP | 0 | 4 |
| workflow | SAP | 0 | 2 |
| Zscaler OAuth2 Blacklist URL | Zscaler Internet Access | 1 | 0 |
| Zscaler OAuth2 Block IP | Zscaler Internet Access | 1 | 2 |
| Zscaler OAuth2 Block URL | Zscaler Internet Access | 1 | 2 |
| Zscaler OAuth2 Lookup IP | Zscaler Internet Access | 1 | 1 |
| Zscaler OAuth2 Lookup URL | Zscaler Internet Access | 1 | 1 |
| Zscaler OAuth2 Unblock IP | Zscaler Internet Access | 1 | 2 |
| Zscaler OAuth2 Unblock URL | Zscaler Internet Access | 1 | 2 |
| Zscaler URL category lookup | Standalone | 1 | 2 |
| Zscaler-Oauth2-UnblacklistURL | Zscaler Internet Access | 1 | 0 |
| Zscaler-Oauth2-WhitelistURL | Zscaler Internet Access | 1 | 0 |