🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Supported Playbooks

automation playbooks


Note

Each playbook has built-in documentation that walks through the steps to create a new playbook. Select Documentation from a playbook template or configured playbook in XDR to open this in a new tab and follow the guidance there.

Taegis™ XDR supports numerous integrations, including but not limited to:

Playbook Title Description
4me ITSM Alert Create a 4me Problem or Request based on a Taegis™ XDR Alert
4me ITSM Investigation Create a 4me Problem or Request based on a Taegis™ XDR Investigation
4me ITSM Investigation Sync Sync 4me Problem or Request with Security Response Investigations
AD Change Password At Log On Change Password At Log On for an AD user using the LDAP(S) Protocol
AD Deactivate Change Password At Log On Deactivate Change Password At Log On for an AD user using the LDAP(S) Protocol
AD Disable User Disable User account for an AD using the LDAP(S) Protocol
AD Enable User Enable User account for an AD using the LDAP(S) Protocol
AD/LDAP Change Password Change Password for an AD/LDAP user using the LDAP(S) Protocol
AD/LDAP Look Up User Look up an AD/LDAP user using the LDAP(S) Protocol
Alert Email Notification Send email notifications for alerts
Alert Email Notification with Google Gmail Send email notifications for alerts with Google Gmail API
Alert ITSM Sync ServiceNow Alert to ITSM Incident Sync
Alert SIR Sync ServiceNow Alert to Security Incident Sync
Amazon Web Services Disable User Access Keys Amazon Web Services Disable User Access Keys
Amazon Web Services Disable User Login Disable AWS Console login for a specific user
Amazon Web Services Disable User MFA Devices Remove MFA Device for a specific AWS user
Amazon Web Services Enable User Access Keys Amazon Web Services Enable User Access Keys
Amazon Web Services Enable User Login AWS Console create a new login profile with a predefined password for a specific user
Amazon Web Services Look Up User Look up an Amazon Web Services User
Amazon Web Services Update IP Set Block/unblock an IP address in AWS WAF
Automated Action AD Change Password At Log On Automatically change password at log on for on all users in an alert using using the LDAP(S) Protocol
Automated Action AD Disable User Automatically disable all users in an alert using using the LDAP(S) Protocol
Automated Action Azure AD Disable User Automatically disable all users in an alert using the Microsoft Graph API
Automated Action Azure AD Force Password Reset Automatically force a password reset on all users in an alert using the Microsoft Graph API
Automated Action Isolate Host Red Cloak Automated Action Isolate Host Red Cloak
Automated Action Isolate Host Taegis Agent Automated Action Isolate Host Taegis Agent
Azure AD Disable User Disable Azure AD user account using the Microsoft Graph API
Azure AD Enable User Enable Azure AD user account using the Microsoft Graph API
Azure AD Force Password Reset Force a password reset on an Azure AD user account using the Microsoft Graph API
Azure AD Look Up User Look up an Azure AD user using the Microsoft Graph API
Azure OpenAI Enrich Investigation Enrich the key findings of an investigation via Azure OpenAI
Block File Hash Carbon Black EDR Block a file hash on Carbon Black EDR
Block File Hash Red Cloak Block a file hash on Red Cloak
Block IP Cisco Meraki Block IP in Cisco Meraki activity
Block IP PaloAlto Networks PAN-OS Block IP in PaloAlto Networks PAN-OS activity
Block IP Secureworks iSensor Block IP in Secureworks iSensor activity
Carbon Black EDR - Block Filehash Carbon Black EDR (Endpoint Detection and Response) Block Filehash
Carbon Black EDR - Unblock Filehash Carbon Black EDR (Endpoint Detection and Response) Unblock Filehash
CB Cloud - Isolate VMWare Carbon Black Cloud Isolate
CB Cloud - Undo Isolate Host VMWare Carbon Black Cloud Undo Isolate Host
Change Password At Next Login Google Workspace Admin SDK API Enable Change Password At Next Login for a user using Google Workspace Admin SDK API
Change Password Google Workspace Admin SDK API Change Password of a user using Google Workspace Admin SDK API
Cisco Meraki Activities Block and unblock resources in Cisco Meraki
Comments To Email Notification Send Taegis Investigation Comments via an Email
Comments To Mattermost Notification Send Taegis Investigation Comments To Mattermost
Comments To Microsoft Teams Notification Send Taegis Investigation Comments To Microsoft Teams
Comments To Salesforce Slack Notification Send Taegis Investigation Comments To Salesforce Slack
Comments To ServiceNow WorkNote Send Taegis Investigation Comments To ServiceNow WorkNote
Cortex XSOAR Investigation Sync Sync Taegis™ XDR investigations to Cortex XSOAR incidents
Create Investigations from Alerts Create Taegis™ XDR Investigations from Alerts
Create ServiceNow User Create ServiceNow User
CrowdStrike Falcon Endpoint - Isolate CrowdStrike Falcon Endpoint Protection Isolate
CrowdStrike Falcon Endpoint - Undo Isolate CrowdStrike Falcon Endpoint Protection Undo Isolate Host
Deactivate Change Password At Next Login Google Workspace Admin SDK API Deactivate Change Password At Next Login for a user using Google Workspace Admin SDK API
Deactivate ServiceNow User Deactivate ServiceNow User
Endpoint Tagging This playbook can be used to add/remove tags to any number of endpoints.
Endpoint Tagging - Multi Allow running Endpoint Tagging playbooks multiple times for different criteria
Entity Response Block File Hash Enables the Block File Hash response action on file hashes
Entity Response Block IP Enables the Block IP response action on IP addresses
Entity Response Isolate Host Enables the Isolate Host response action on hosts
Entity Response UnBlock File Hash Enables the UnBlock File Hash response action on file hashes
Entity Response UnBlock IP Enables the UnBlock IP response action on IP addresses
Entity Response UnIsolate Host Enables the UnIsolate Host response action on hosts
EverBridge Alert Incident Create an EverBridge Incident based on a Taegis™ XDR Alert
EverBridge Investigation Incident Create an EverBridge Incident based on a Taegis™ XDR Investigation
Freshdesk Investigation Sync Sync Taegis investigations with Freshdesk incidents
Freshservice Alert Ticket Create a Freshservice Ticket based on a Taegis Alert
Freshservice Investigation Sync Sync Taegis investigations with Freshservice tickets
Freshservice Investigation Ticket Create a Freshservice Ticket based on a Taegis Investigation
Generic Webhook Post all inputs to a webhook URL
Halo ITSM Investigation Synch Synch Taegis™ XDR Investigations with Halo ITSM incidents
Health Event Investigation Create Taegis Investigations from Health Events
Investigation CrowdStrikeFalcon Incident Sync Sync Investigations to CrowdStrikeFalcon Incidents
Investigation Email Notification Send email notifications for investigations
Investigation Email Notification with Google Gmail Send email notifications for Investigation with Google Gmail API
Investigation ITSM Sync ServiceNow Investigation 1-way Sync to ITSM Incidents
Investigation Service Now MultiTeam Sync Investigation ServiceNow MultiTeam Sync
Investigation SIR Sync ServiceNow Investigation Sync to Security Incident Response
Investigation SMAX Sync Taegis Investigation sync to Microfocus SMAX ticket
Investigations Email Report Email report about Taegis Investigations
iSensor Block Block (shun) a specific IP address on a Secureworks iSensor
iSensor Firewall Modification Perform various iSensor firewall related actions
iSensor Unblock Unblock (unshun) a specific IP address on a Secureworks iSensor
Isolate Host Red Cloak Isolate a Red Cloak host
Isolate Host Taegis Isolate a Taegis host
Jira Alert Issue Create an Atlassian Jira Issue based on a Taegis™ XDR Alert
Jira Investigation Issue Create an Atlassian Jira Issue based on a Taegis™ XDR Investigation
Jira Investigation Sync Sync Jira issue with Security Response Investigations
JupiterOne Investigation AWS Instance Enrichment Enrich an investigation with AWS instance context from JupiterOne
Look Up User Google Workspace Admin SDK API Look up a user using Google Workspace Admin SDK API
Look Up User Microsoft Azure Look up a Microsoft Azure user activity
Look Up User Taegis Look up a Taegis user activity
Look Up Users Taegis Look up one or more Taegis users activity
ManageEngine ServiceDesk Plus Alert Playbook used to create Requests with ManageEngine Service Desk Plus from Taegis™ XDR Alerts
ManageEngine ServiceDesk Plus Investigation Sync Playbook used to sync Investigations with ManageEngine Service Desk Plus Requests
MD ATP - Block Filehash Globally Microsoft Defender ATP Block Filehash Globally
MD ATP - Host Response Action Perform various response actions against a Microsoft Defender host
MD ATP - Isolate Microsoft Defender ATP Isolate
MD ATP - Single Endpoint Filehash Block Microsoft Defender ATP Block Filehash on a Single Endpoint
MD ATP - Undo Isolate Host Microsoft Defender ATP Undo Isolate Host
Microsoft Teams Notification Send a Microsoft Teams notification via webhook
Notifications via Google Workspace Chat Send Taegis notifications to Google Workspace Chat webhook
OpenAI Enrich Investigation Enrich the key findings of an investigation via OpenAI
Opsgenie Taegis™ XDR Alert Create an Atlassian Opsgenie Alert or Incident based on a Taegis™ XDR Alert
Opsgenie Taegis™ XDR Investigation Create an Atlassian Opsgenie Alert or Incident based on a Taegis™ XDR Investigation
PagerDuty Alert Event Send a PagerDuty Event based on a Taegis™ XDR Alert
PagerDuty Investigation Event Send a PagerDuty Event based on a Taegis™ XDR Investigation
PagerDuty Investigation Sync Sync PagerDuty incidents with Security Response Investigations
Palo Alto Networks PAN-OS Block/Unblock Block and unblock IP/CIDR or Domain in Palo Alto Networks PAN-OS
RC - Isolate Red Cloak Isolate
RC - Undo Isolate Host Red Cloak Undo Isolate Host
RC Disable Process Disruption Disable a disrupt process (block filehash) rule in Red Cloak™ Endpoint Agent
RC Process Disruption Disrupt process (block filehash) in Red Cloak™ Endpoint Agent
Reactivate User Google Workspace Admin SDK API Reactivate a user using Google Workspace Admin SDK API
Salesforce Slack Notification Send a Salesforce Slack Notification via Webhook
SCADAfence Platform Investigation Enrichment Enrich a Taegis Investigation with SCADAfence alert/asset details
Sentinel One Threat Mitigation Response Actions Perform Threat Mitigation response actions against Taegis Alerts
SentinelOne - Host Response Actions Perform various response actions against a SentinelOne agent
ServiceNow Bidirectional Investigation Sync (Inbound) Update a Taegis Investigation based on data provided by Servicenow
ServiceNow Bidirectional Investigation Sync (Outbound) Sync an investigation with Servicenow utilizing Import Sets
Suspend User Google Workspace Admin SDK API Suspend a user using Google Workspace Admin SDK API
Taegis Agent - Isolate Taegis Agent Isolate
Taegis Agent - Restore Taegis Agent Restore from isolation
UnBlock File Hash Carbon Black EDR UnBlock a file hash on Carbon Black EDR
UnBlock File Hash Red Cloak UnBlock a file hash on Red Cloak
UnBlock IP Cisco Meraki UnBlock IP in Cisco Meraki activity
UnBlock IP PaloAlto Networks PAN-OS UnBlock IP in PaloAlto Networks PAN-OS activity
UnBlock IP Secureworks iSensor UnBlock IP in Secureworks iSensor activity
UnIsolate Host Red Cloak UnIsolate a Red Cloak host
UnIsolate Host Taegis UnIsolate a Taegis host
Update Investigation with Network Flow Summary Update Investigation with Network Flow Summary
Update ServiceNow User Generic ServiceNow user update
Update Taegis Investigation Allow for updating an existing Taegis investigation
xMatters Webhook Alert Trigger an xMatters event from an Alert via Webhook
xMatters Webhook Investigation Trigger an xMatters event from an Investigation via Webhook
Zendesk Investigation Sync Sync Taegis™ XDR Investigations with Zendesk incidents