Supported Playbooks
Note
Each playbook has built-in documentation that walks through the steps to create a new playbook. Select Documentation from a playbook template or configured playbook in XDR to open this in a new tab and follow the guidance there.
XDR supports numerous integrations, including but not limited to:
| Playbook Title | Description |
|---|---|
| 4me ITSM Alert | Create a 4me Problem or Request based on a XDR Alert |
| 4me ITSM Investigation | Create a 4me Problem or Request based on a XDR Investigation |
| 4me ITSM Investigation Sync | Sync 4me Problem or Request with Security Response Investigations |
| AD Change Password At Log On | Change Password At Log On for an AD user using the LDAP(S) Protocol |
| AD Deactivate Change Password At Log On | Deactivate Change Password At Log On for an AD user using the LDAP(S) Protocol |
| AD Disable User | Disable User account for an AD using the LDAP(S) Protocol |
| AD Enable User | Enable User account for an AD using the LDAP(S) Protocol |
| AD/LDAP Change Password | Change Password for an AD/LDAP user using the LDAP(S) Protocol |
| AD/LDAP Look Up User | Look up an AD/LDAP user using the LDAP(S) Protocol |
| Alert Email Notification | Send email notifications for alerts |
| Alert Email Notification with Google Gmail | Send email notifications for alerts with Google Gmail API |
| Alert ITSM Sync | ServiceNow Alert to ITSM Incident Sync |
| Alert SIR Sync | ServiceNow Alert to Security Incident Sync |
| Amazon Web Services Disable User Access Keys | Amazon Web Services Disable User Access Keys |
| Amazon Web Services Disable User Login | Disable AWS Console login for a specific user |
| Amazon Web Services Disable User MFA Devices | Remove MFA Device for a specific AWS user |
| Amazon Web Services Enable User Access Keys | Amazon Web Services Enable User Access Keys |
| Amazon Web Services Enable User Login | AWS Console create a new login profile with a predefined password for a specific user |
| Amazon Web Services Look Up User | Look up an Amazon Web Services User |
| Amazon Web Services Update IP Set | Block/unblock an IP address in AWS WAF |
| Automated Action AD Change Password At Log On | Automatically change password at log on for on all users in an alert using using the LDAP(S) Protocol |
| Automated Action AD Disable User | Automatically disable all users in an alert using using the LDAP(S) Protocol |
| Automated Action Azure AD Disable User | Automatically disable all users in an alert using the Microsoft Graph API |
| Automated Action Azure AD Force Password Reset | Automatically force a password reset on all users in an alert using the Microsoft Graph API |
| Automated Action Isolate Host Red Cloak | Automated Action Isolate Host Red Cloak |
| Automated Action Isolate Host Taegis Agent | Automated Action Isolate Host Taegis Agent |
| Azure AD Disable User | Disable Azure AD user account using the Microsoft Graph API |
| Azure AD Enable User | Enable Azure AD user account using the Microsoft Graph API |
| Azure AD Force Password Reset | Force a password reset on an Azure AD user account using the Microsoft Graph API |
| Azure AD Look Up User | Look up an Azure AD user using the Microsoft Graph API |
| Azure OpenAI Enrich Investigation | Enrich the key findings of an investigation via Azure OpenAI |
| Carbon Black EDR - Block Filehash | Carbon Black EDR (Endpoint Detection and Response) Block Filehash |
| Carbon Black EDR - Unblock Filehash | Carbon Black EDR (Endpoint Detection and Response) Unblock Filehash |
| CB Cloud - Isolate | VMWare Carbon Black Cloud Isolate |
| CB Cloud - Undo Isolate Host | VMWare Carbon Black Cloud Undo Isolate Host |
| Change Password At Next Login Google Workspace Admin SDK API | Enable Change Password At Next Login for a user using Google Workspace Admin SDK API |
| Change Password Google Workspace Admin SDK API | Change Password of a user using Google Workspace Admin SDK API |
| Cisco Meraki Activities | Block and unblock resources in Cisco Meraki |
| Comments To Email Notification | Send Taegis Investigation Comments via an Email |
| Comments To Mattermost Notification | Send Taegis Investigation Comments To Mattermost |
| Comments To Microsoft Teams Notification | Send Taegis Investigation Comments To Microsoft Teams |
| Comments To Salesforce Slack Notification | Send Taegis Investigation Comments To Salesforce Slack |
| Comments To ServiceNow WorkNote | Send Taegis Investigation Comments To ServiceNow WorkNote |
| Cortex XSOAR Investigation Sync | Sync XDR investigations to Cortex XSOAR incidents |
| Create Investigations from Alerts | Create XDR Investigations from Alerts |
| Create ServiceNow User | Create ServiceNow User |
| CrowdStrike Falcon Endpoint - Isolate | CrowdStrike Falcon Endpoint Protection Isolate |
| CrowdStrike Falcon Endpoint - Undo Isolate | CrowdStrike Falcon Endpoint Protection Undo Isolate Host |
| Deactivate Change Password At Next Login Google Workspace Admin SDK API | Deactivate Change Password At Next Login for a user using Google Workspace Admin SDK API |
| Deactivate ServiceNow User | Deactivate ServiceNow User |
| Endpoint Tagging | This playbook can be used to add/remove tags to any number of endpoints. |
| Endpoint Tagging - Multi | Allow running Endpoint Tagging playbooks multiple times for different criteria |
| Entity Response Block Domain | Enables the Block Domain response action |
| Entity Response Block File Hash | Enables the Block File Hash response action on file hashes |
| Entity Response Block IP | Enables the Block IP response action on IP addresses |
| Entity Response Confirm User As Compromised | Confirm User As Compromised |
| Entity Response Disable User | Enables the Disable User response action on users |
| Entity Response Dismiss User As Compromised | Dismiss User As Compromised |
| Entity Response Enable User | Enables the Enable User response action on users |
| Entity Response Initiate Antivirus Scan on Asset | Initiate Antivirus Scan on Asset |
| Entity Response Isolate Host | Enables the Isolate Host response action on hosts |
| Entity Response UnBlock Domain | Enables the UnBlock Domain response action |
| Entity Response UnBlock File Hash | Enables the UnBlock File Hash response action on file hashes |
| Entity Response UnBlock IP | Enables the UnBlock IP response action on IP addresses |
| Entity Response UnIsolate Host | Enables the UnIsolate Host response action on hosts |
| EverBridge Alert Incident | Create an EverBridge Incident based on a XDR Alert |
| EverBridge Investigation Incident | Create an EverBridge Incident based on a XDR Investigation |
| Freshdesk Investigation Sync | Sync Taegis investigations with Freshdesk incidents |
| Freshservice Alert Ticket | Create a Freshservice Ticket based on a Taegis Alert |
| Freshservice Investigation Sync | Sync Taegis investigations with Freshservice tickets |
| Freshservice Investigation Ticket | Create a Freshservice Ticket based on a Taegis Investigation |
| Generic Webhook | Post all inputs to a webhook URL |
| Halo ITSM Investigation Synch | Synch XDR Investigations with Halo ITSM incidents |
| Health Event Investigation | Create Taegis Investigations from Health Events |
| Investigation CrowdStrikeFalcon Incident Sync | Sync Investigations to CrowdStrikeFalcon Incidents |
| Investigation Email Notification | Send email notifications for investigations |
| Investigation Email Notification with Google Gmail | Send email notifications for Investigation with Google Gmail API |
| Investigation ITSM Sync | ServiceNow Investigation 1-way Sync to ITSM Incidents |
| Investigation Service Now MultiTeam Sync | Investigation ServiceNow MultiTeam Sync |
| Investigation SIR Sync | ServiceNow Investigation Sync to Security Incident Response |
| Investigation SMAX Sync | Taegis Investigation sync to Microfocus SMAX ticket |
| Investigations Email Report | Email report about Taegis Investigations |
| iSensor Block | Block (shun) a specific IP address on a Secureworks iSensor |
| iSensor Firewall Modification | Perform various iSensor firewall related actions |
| iSensor Unblock | Unblock (unshun) a specific IP address on a Secureworks iSensor |
| Jira Alert Issue | Create an Atlassian Jira Issue based on a XDR Alert |
| Jira Investigation Issue | Create an Atlassian Jira Issue based on a XDR Investigation |
| Jira Investigation Sync | Sync Jira issue with Security Response Investigations |
| JupiterOne Investigation AWS Instance Enrichment | Enrich an investigation with AWS instance context from JupiterOne |
| Look Up User Google Workspace Admin SDK API | Look up a user using Google Workspace Admin SDK API |
| ManageEngine ServiceDesk Plus Alert | Playbook used to create Requests with ManageEngine Service Desk Plus from XDR Alerts |
| ManageEngine ServiceDesk Plus Investigation Sync | Playbook used to sync Investigations with ManageEngine Service Desk Plus Requests |
| MD ATP - Block Filehash Globally | Microsoft Defender ATP Block Filehash Globally |
| MD ATP - Host Response Action | Perform various response actions against a Microsoft Defender host |
| MD ATP - Isolate | Microsoft Defender ATP Isolate |
| MD ATP - Single Endpoint Filehash Block | Microsoft Defender ATP Block Filehash on a Single Endpoint |
| MD ATP - Undo Isolate Host | Microsoft Defender ATP Undo Isolate Host |
| Microsoft Teams Notification | Send a Microsoft Teams notification via webhook |
| Notifications via Google Workspace Chat | Send Taegis notifications to Google Workspace Chat webhook |
| OpenAI Enrich Investigation | Enrich the key findings of an investigation via OpenAI |
| Opsgenie XDR Alert | Create an Atlassian Opsgenie Alert or Incident based on a XDR Alert |
| Opsgenie XDR Investigation | Create an Atlassian Opsgenie Alert or Incident based on a XDR Investigation |
| PagerDuty Alert Event | Send a PagerDuty Event based on a XDR Alert |
| PagerDuty Investigation Event | Send a PagerDuty Event based on a XDR Investigation |
| PagerDuty Investigation Sync | Sync PagerDuty incidents with Security Response Investigations |
| Palo Alto Networks PAN-OS Block/Unblock | Block and unblock IP/CIDR or Domain in Palo Alto Networks PAN-OS |
| RC - Isolate | Red Cloak Isolate |
| RC - Undo Isolate Host | Red Cloak Undo Isolate Host |
| RC Disable Process Disruption | Disable a disrupt process (block filehash) rule in Red Cloak Endpoint Agent |
| RC Process Disruption | Disrupt process (block filehash) in Red Cloak Endpoint Agent |
| Reactivate User Google Workspace Admin SDK API | Reactivate a user using Google Workspace Admin SDK API |
| Salesforce Slack Notification | Send a Salesforce Slack Notification via Webhook |
| SCADAfence Platform Investigation Enrichment | Enrich a Taegis Investigation with SCADAfence alert/asset details |
| Send Notification Message | Send a notification message to a supported messaging platform |
| Sentinel One Threat Mitigation Response Actions | Perform Threat Mitigation response actions against Taegis Alerts |
| SentinelOne - Host Response Actions | Perform various response actions against a SentinelOne agent |
| ServiceNow Bidirectional Investigation Sync (Inbound) | Update a Taegis Investigation based on data provided by Servicenow |
| ServiceNow Bidirectional Investigation Sync (Outbound) | Sync an investigation with Servicenow utilizing Import Sets |
| Suspend User Google Workspace Admin SDK API | Suspend a user using Google Workspace Admin SDK API |
| Taegis Agent - Isolate | Taegis Agent Isolate |
| Taegis Agent - Restore | Taegis Agent Restore from isolation |
| Update Investigation with Network Flow Summary | Update Investigation with Network Flow Summary |
| Update ServiceNow User | Generic ServiceNow user update |
| Update Taegis Investigation | Allow for updating an existing Taegis investigation |
| xMatters Webhook Alert | Trigger an xMatters event from an Alert via Webhook |
| xMatters Webhook Investigation | Trigger an xMatters event from an Investigation via Webhook |
| Zendesk Investigation Sync | Sync XDR Investigations with Zendesk incidents |