Supported Playbooks
Note
Each playbook has built-in documentation that walks through the steps to create a new playbook. Select Documentation from a playbook template or configured playbook in XDR to open it in a new tab and follow the guidance there.
XDR supports numerous integrations, including but not limited to:
Playbook Title | Description |
---|---|
4me ITSM Alert | Create a 4me Problem or Request based on an XDR Alert |
4me ITSM Investigation | Create a 4me Problem or Request based on an XDR Investigation |
4me ITSM Investigation Sync | Sync 4me Problem or Request with Security Response Investigations |
AD Change Password At Log On | Change Password At Log On for an AD user using the LDAP(S) Protocol |
AD Deactivate Change Password At Log On | Deactivate Change Password At Log On for an AD user using the LDAP(S) Protocol |
AD Disable User | Disable User account for an AD using the LDAP(S) Protocol |
AD Enable User | Enable User account for an AD using the LDAP(S) Protocol |
AD/LDAP Change Password | Change Password for an AD/LDAP user using the LDAP(S) Protocol |
AD/LDAP Look Up User | Look up an AD/LDAP user using the LDAP(S) Protocol |
Alert Email Notification | Send email notifications for alerts |
Alert Email Notification with Google Gmail | Send email notifications for alerts with Google Gmail API |
Alert ITSM Sync | ServiceNow Alert to ITSM Incident Sync |
Alert SIR Sync | ServiceNow Alert to Security Incident Sync |
Amazon Web Services Disable User Access Keys | Disable the access keys of a specific AWS user |
Amazon Web Services Disable User Login | Disable AWS Console login for a specific user |
Amazon Web Services Disable User MFA Devices | Remove MFA Device for a specific AWS user |
Amazon Web Services Enable User Access Keys | Enable the access keys of a specific AWS user |
Amazon Web Services Enable User Login | Create a new AWS Console login profile with a predefined password for a specific user |
Amazon Web Services Look Up User | Look up an Amazon Web Services User |
Amazon Web Services Update IP Set | Block/unblock an IP address in AWS WAF |
Automated Action AD Change Password At Log On | Automatically set Change Password At Log On for all users in an alert using the LDAP(S) Protocol |
Automated Action AD Disable User | Automatically disable all users in an alert using the LDAP(S) Protocol |
Automated Action Azure AD Disable User | Automatically disable all users in an alert using the Microsoft Graph API |
Automated Action Azure AD Force Password Reset | Automatically force a password reset on all users in an alert using the Microsoft Graph API |
Automated Action Isolate Host Red Cloak | Automatically isolate the hosts in an alert using Red Cloak |
Automated Action Isolate Host Taegis Agent | Automatically isolate the hosts in an alert using the Taegis Agent |
Azure AD Disable User | Disable Azure AD user account using the Microsoft Graph API |
Azure AD Enable User | Enable Azure AD user account using the Microsoft Graph API |
Azure AD Force Password Reset | Force a password reset on an Azure AD user account using the Microsoft Graph API |
Azure AD Look Up User | Look up an Azure AD user using the Microsoft Graph API |
Azure OpenAI Enrich Investigation | Enrich the key findings of an investigation via Azure OpenAI |
Carbon Black EDR - Block Filehash | Carbon Black EDR (Endpoint Detection and Response) Block Filehash |
Carbon Black EDR - Unblock Filehash | Carbon Black EDR (Endpoint Detection and Response) Unblock Filehash |
CB Cloud - Isolate | VMware Carbon Black Cloud Isolate Host |
CB Cloud - Undo Isolate Host | VMware Carbon Black Cloud Undo Isolate Host |
Change Password At Next Login Google Workspace Admin SDK API | Enable Change Password At Next Login for a user using Google Workspace Admin SDK API |
Change Password Google Workspace Admin SDK API | Change Password of a user using Google Workspace Admin SDK API |
Cisco Meraki Activities | Block and unblock resources in Cisco Meraki |
Comments To Email Notification | Send Taegis Investigation Comments via an Email |
Comments To Mattermost Notification | Send Taegis Investigation Comments To Mattermost |
Comments To Microsoft Teams Notification | Send Taegis Investigation Comments To Microsoft Teams |
Comments To Salesforce Slack Notification | Send Taegis Investigation Comments To Salesforce Slack |
Comments To ServiceNow WorkNote | Send Taegis Investigation Comments To ServiceNow WorkNote |
Cortex XSOAR Investigation Sync | Sync XDR investigations to Cortex XSOAR incidents |
Create Investigations from Alerts | Create XDR Investigations from Alerts |
Create ServiceNow User | Create a ServiceNow user |
CrowdStrike Falcon Endpoint - Isolate | CrowdStrike Falcon Endpoint Protection Isolate |
CrowdStrike Falcon Endpoint - Undo Isolate | CrowdStrike Falcon Endpoint Protection Undo Isolate Host |
Deactivate Change Password At Next Login Google Workspace Admin SDK API | Deactivate Change Password At Next Login for a user using Google Workspace Admin SDK API |
Deactivate ServiceNow User | Deactivate a ServiceNow user |
Endpoint Tagging | Add or remove tags on any number of endpoints |
Endpoint Tagging - Multi | Allow running Endpoint Tagging playbooks multiple times for different criteria |
Entity Response Block Domain | Enables the Block Domain response action |
Entity Response Block File Hash | Enables the Block File Hash response action on file hashes |
Entity Response Block IP | Enables the Block IP response action on IP addresses |
Entity Response Confirm User As Compromised | Enables the Confirm User As Compromised response action on users |
Entity Response Disable User | Enables the Disable User response action on users |
Entity Response Dismiss User As Compromised | Enables the Dismiss User As Compromised response action on users |
Entity Response Enable User | Enables the Enable User response action on users |
Entity Response Initiate Antivirus Scan on Asset | Enables the Initiate Antivirus Scan response action on assets |
Entity Response Isolate Host | Enables the Isolate Host response action on hosts |
Entity Response UnBlock Domain | Enables the UnBlock Domain response action |
Entity Response UnBlock File Hash | Enables the UnBlock File Hash response action on file hashes |
Entity Response UnBlock IP | Enables the UnBlock IP response action on IP addresses |
Entity Response UnIsolate Host | Enables the UnIsolate Host response action on hosts |
EverBridge Alert Incident | Create an EverBridge Incident based on an XDR Alert |
EverBridge Investigation Incident | Create an EverBridge Incident based on an XDR Investigation |
Freshdesk Investigation Sync | Sync Taegis investigations with Freshdesk incidents |
Freshservice Alert Ticket | Create a Freshservice Ticket based on a Taegis Alert |
Freshservice Investigation Sync | Sync Taegis investigations with Freshservice tickets |
Freshservice Investigation Ticket | Create a Freshservice Ticket based on a Taegis Investigation |
Generic Webhook | Post all inputs to a webhook URL |
Halo ITSM Investigation Synch | Sync XDR Investigations with Halo ITSM incidents |
Health Event Investigation | Create Taegis Investigations from Health Events |
Investigation CrowdStrikeFalcon Incident Sync | Sync Investigations to CrowdStrikeFalcon Incidents |
Investigation Email Notification | Send email notifications for investigations |
Investigation Email Notification with Google Gmail | Send email notifications for Investigation with Google Gmail API |
Investigation ITSM Sync | ServiceNow Investigation 1-way Sync to ITSM Incidents |
Investigation Service Now MultiTeam Sync | Investigation ServiceNow MultiTeam Sync |
Investigation SIR Sync | ServiceNow Investigation Sync to Security Incident Response |
Investigation SMAX Sync | Sync Taegis Investigations to Micro Focus SMAX tickets |
Investigations Email Report | Email report about Taegis Investigations |
iSensor Block | Block (shun) a specific IP address on a Secureworks iSensor |
iSensor Firewall Modification | Perform various iSensor firewall related actions |
iSensor Unblock | Unblock (unshun) a specific IP address on a Secureworks iSensor |
Jira Alert Issue | Create an Atlassian Jira Issue based on an XDR Alert |
Jira Investigation Issue | Create an Atlassian Jira Issue based on an XDR Investigation |
Jira Investigation Sync | Sync Jira issue with Security Response Investigations |
JupiterOne Investigation AWS Instance Enrichment | Enrich an investigation with AWS instance context from JupiterOne |
Look Up User Google Workspace Admin SDK API | Look up a user using Google Workspace Admin SDK API |
ManageEngine ServiceDesk Plus Alert | Playbook used to create Requests with ManageEngine Service Desk Plus from XDR Alerts |
ManageEngine ServiceDesk Plus Investigation Sync | Playbook used to sync Investigations with ManageEngine Service Desk Plus Requests |
MD ATP - Block Filehash Globally | Microsoft Defender ATP Block Filehash Globally |
MD ATP - Host Response Action | Perform various response actions against a Microsoft Defender host |
MD ATP - Isolate | Microsoft Defender ATP Isolate |
MD ATP - Single Endpoint Filehash Block | Microsoft Defender ATP Block Filehash on a Single Endpoint |
MD ATP - Undo Isolate Host | Microsoft Defender ATP Undo Isolate Host |
Microsoft Teams Notification | Send a Microsoft Teams notification via webhook |
Notifications via Google Workspace Chat | Send Taegis notifications to Google Workspace Chat webhook |
OpenAI Enrich Investigation | Enrich the key findings of an investigation via OpenAI |
Opsgenie XDR Alert | Create an Atlassian Opsgenie Alert or Incident based on an XDR Alert |
Opsgenie XDR Investigation | Create an Atlassian Opsgenie Alert or Incident based on an XDR Investigation |
PagerDuty Alert Event | Send a PagerDuty Event based on an XDR Alert |
PagerDuty Investigation Event | Send a PagerDuty Event based on an XDR Investigation |
PagerDuty Investigation Sync | Sync PagerDuty incidents with Security Response Investigations |
Palo Alto Networks PAN-OS Block/Unblock | Block and unblock IP/CIDR or Domain in Palo Alto Networks PAN-OS |
RC - Isolate | Red Cloak Isolate |
RC - Undo Isolate Host | Red Cloak Undo Isolate Host |
RC Disable Process Disruption | Disable a disrupt process (block filehash) rule in Red Cloak Endpoint Agent |
RC Process Disruption | Disrupt process (block filehash) in Red Cloak Endpoint Agent |
Reactivate User Google Workspace Admin SDK API | Reactivate a user using Google Workspace Admin SDK API |
Salesforce Slack Notification | Send a Salesforce Slack Notification via Webhook |
SCADAfence Platform Investigation Enrichment | Enrich a Taegis Investigation with SCADAfence alert/asset details |
Send Notification Message | Send a notification message to a supported messaging platform |
Sentinel One Threat Mitigation Response Actions | Perform Threat Mitigation response actions against Taegis Alerts |
SentinelOne - Host Response Actions | Perform various response actions against a SentinelOne agent |
ServiceNow Bidirectional Investigation Sync (Inbound) | Update a Taegis Investigation based on data provided by ServiceNow |
ServiceNow Bidirectional Investigation Sync (Outbound) | Sync an investigation with ServiceNow utilizing Import Sets |
Suspend User Google Workspace Admin SDK API | Suspend a user using Google Workspace Admin SDK API |
Taegis Agent - Isolate | Taegis Agent Isolate |
Taegis Agent - Restore | Taegis Agent Restore from isolation |
Update Investigation with Network Flow Summary | Update an investigation with a summary of its network flows |
Update ServiceNow User | Generic ServiceNow user update |
Update Taegis Investigation | Allow for updating an existing Taegis investigation |
xMatters Webhook Alert | Trigger an xMatters event from an Alert via Webhook |
xMatters Webhook Investigation | Trigger an xMatters event from an Investigation via Webhook |
Zendesk Investigation Sync | Sync XDR Investigations with Zendesk incidents |
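Several of the AD/LDAP playbooks above (AD Disable User, AD Enable User, AD Change Password At Log On and its Deactivate and Automated Action variants) come down to two Active Directory attributes: the `ACCOUNTDISABLE` bit of `userAccountControl` and the `pwdLastSet` timestamp. The following is an added example, not Secureworks playbook code, showing the LDAP modify operations those actions issue and the check a practitioner wants before forcing a password change: AD does not prompt a user whose account has `DONT_EXPIRE_PASSWORD` set, so `pwdLastSet = 0` silently does nothing for such accounts. The directory entries, the `automated_disable` helper and the `{attr: [(op, [values])]}` modify-list shape (borrowed from the ldap3 convention) are assumptions made for illustration; no LDAP connection is opened.

```python
# Added example (not Secureworks' playbook code): the AD attribute changes behind the
# AD/LDAP user response actions. Flag values and attribute names are from the AD schema;
# the sample directory and the modify-list shape are constructed for illustration.

ACCOUNTDISABLE = 0x0002          # userAccountControl: account is disabled
NORMAL_ACCOUNT = 0x0200          # userAccountControl: ordinary user account
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl: password never expires

MODIFY_REPLACE = "MODIFY_REPLACE"  # op name as ldap3 spells it (assumed shape, no client used)

# Constructed sample directory keyed by sAMAccountName. pwdLastSet holds a FILETIME string.
SAMPLE_DIRECTORY = {
    "jdoe": {
        "dn": "CN=jdoe,OU=Users,DC=example,DC=test",
        "userAccountControl": [str(NORMAL_ACCOUNT)],
        "pwdLastSet": ["133500000000000000"],
    },
    "svc_backup": {
        "dn": "CN=svc_backup,OU=Service,DC=example,DC=test",
        "userAccountControl": [str(NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD)],
        "pwdLastSet": ["133500000000000000"],
    },
}


def _uac(entry: dict) -> int:
    return int(entry["userAccountControl"][0])


def disable_user(entry: dict) -> dict:
    """Set ACCOUNTDISABLE while preserving every other flag (read-modify-write, never overwrite)."""
    return {"userAccountControl": [(MODIFY_REPLACE, [str(_uac(entry) | ACCOUNTDISABLE)])]}


def enable_user(entry: dict) -> dict:
    """Clear ACCOUNTDISABLE, leaving the remaining flags untouched."""
    return {"userAccountControl": [(MODIFY_REPLACE, [str(_uac(entry) & ~ACCOUNTDISABLE)])]}


def change_password_at_logon(entry: dict) -> dict:
    """pwdLastSet=0 forces a password change at next logon. AD ignores it when
    DONT_EXPIRE_PASSWORD is set, so refuse loudly instead of reporting a no-op as success."""
    if _uac(entry) & DONT_EXPIRE_PASSWORD:
        raise ValueError(f"{entry['dn']}: DONT_EXPIRE_PASSWORD is set; pwdLastSet=0 would not prompt")
    return {"pwdLastSet": [(MODIFY_REPLACE, ["0"])]}


def deactivate_change_password_at_logon(entry: dict) -> dict:
    """pwdLastSet=-1 makes AD stamp the current time, clearing the must-change state."""
    return {"pwdLastSet": [(MODIFY_REPLACE, ["-1"])]}


def apply_modify(entry: dict, changes: dict) -> dict:
    """Simulate the directory applying MODIFY_REPLACE; returns a new entry, input untouched."""
    updated = dict(entry)
    for attr, ops in changes.items():
        for op, values in ops:
            if op != MODIFY_REPLACE:
                raise ValueError(f"unsupported op {op}")
            updated[attr] = list(values)
    return updated


def is_disabled(entry: dict) -> bool:
    return bool(_uac(entry) & ACCOUNTDISABLE)


def must_change_password(entry: dict) -> bool:
    return entry["pwdLastSet"][0] == "0"


def automated_disable(directory: dict, alert_users: list) -> dict:
    """Shape of an 'Automated Action AD Disable User' run: disable every user named in the
    alert and return a per-user outcome, so an unknown entity is visible rather than silent."""
    outcome = {}
    for sam in alert_users:
        entry = directory.get(sam)
        if entry is None:
            outcome[sam] = "not found"
        elif is_disabled(entry):
            outcome[sam] = "already disabled"
        else:
            directory[sam] = apply_modify(entry, disable_user(entry))
            outcome[sam] = "disabled"
    return outcome


if __name__ == "__main__":
    directory = dict(SAMPLE_DIRECTORY)
    print(automated_disable(directory, ["jdoe", "ghost"]))
    print(disable_user(SAMPLE_DIRECTORY["jdoe"]))
    try:
        change_password_at_logon(SAMPLE_DIRECTORY["svc_backup"])
    except ValueError as err:
        print("refused:", err)
```

The read-modify-write in `disable_user` matters in practice: replacing `userAccountControl` with a bare `514` would also strip flags such as `DONT_EXPIRE_PASSWORD` or smart-card requirements, and the later Enable action would then restore an account in a different state than it was disabled in.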