xsoar.pan.dev
199.36.158.100
Public Scan
Submitted URL: https://xsoar.pan.dev/docs/reference/integrations/microsoft-teams#troubleshooting
Effective URL: https://xsoar.pan.dev/docs/reference/integrations/microsoft-teams
Submission: On May 24 via api from US — Scanned from DE
Form analysis: 0 forms found in the DOM
Text Content
Developer Docs * Articles * Reference * Marketplace * Products * PAN-OS * Cortex Data Lake * Cortex XSOAR * Prisma * Partners * Why Cortex XSOAR? * Become a Partner * Premium Packs * Private Offer * Adopt-a-Pack * Pack Certification * Office Hours * Sign Up Now * Blog * Index * Packs * Change Management * Cortex Xpanse Pack * Email Communication * Endpoint Malware Investigation - Generic V2 * Ingesting Incidents * Integrations and Incidents Health Check * Malware Investigation and Response * MITRE ATT&CK - Courses of Action * Palo Alto Networks Cortex XDR - Investigation and Response * PAN-OS Policy Optimizer * Phishing Alerts * Phishing Campaign * Prisma Cloud * QRadar * Ransomware * Rapid Breach Response * Shift Management * System Diagnostics and Health Check * Windows Forensics * XSOAR CI/CD * XSOAR Content Update Notifications * Integrations * 1Touch.io's Inventa Connector * Abnormal Security * Abnormal Security Event Collector * Absolute * abuse.ch SSL Blacklist Feed * AbuseIPDB * Acalvio ShadowPlex * Accenture CTI (Deprecated) * Accessdata (Deprecated) * ACTI Feed (Deprecated) * ACTI Indicator Feed * ACTI Indicator Query * ACTI Vulnerability Query * Active Directory Authentication * Active Directory Hygiene * Active Directory Query v2 * ActiveMQ * Aella Star Light * Agari Phishing Defense * Aha * Akamai WAF * Akamai WAF SIEM * Alexa Rank Indicator (Deprecated) * Alexa Rank Indicator v2 (Deprecated) * Alibaba Action Trail Event Collector * AlienVault OTX TAXII Feed * AlienVault OTX v2 * AlienVault Reputation Feed * AlienVault USM Anywhere * AlphaSOC Network Behavior Analytics * AlphaSOC Wisdom * 
AlphaVantage * Amazon DynamoDB * AMP * Analyst1 * Anomali Match * Anomali ThreatStream (Deprecated) * Anomali ThreatStream v2 (Deprecated) * Anomali ThreatStream v3 * Ansible ACME * Ansible Alibaba Cloud * Ansible Azure * Ansible Cisco IOS * Ansible Cisco NXOS * Ansible DNS * Ansible HCloud * Ansible Kubernetes * Ansible Microsoft Windows * Ansible OpenSSL * Ansible Tower * Ansible VMware * ANY.RUN * APIVoid * appNovi * Arcanna.AI * ArcSight ESM v2 * ArcSight Logger * ArcusTeam * Arduino * ARIA Packet Intelligence * Arkime * Armis * Armorblox * Atlassian Confluence Cloud * Atlassian Confluence Server * Atlassian IAM * Atlassian Jira v2 * Atlassian Jira v3 * AttackIQ Platform * Attivo Botsink * AutoFocus Daily Feed (Deprecated) * AutoFocus Feed * AutoFocus Tags Feed (Deprecated) * Automox * Awake Security * AWS - AccessAnalyzer * AWS - ACM * AWS - CloudTrail * AWS - CloudWatchLogs * AWS - EC2 * AWS - GuardDuty * AWS - GuardDuty Event Collector * AWS - IAM (user lifecycle management) * AWS - Identity and Access Management * AWS - Lambda * AWS - Route53 * AWS - S3 * AWS - Security Hub * AWS - SNS * AWS - SQS * AWS Feed * AWS Network Firewall * AWS Sagemaker * Aws Secrets Manager * AWS Security Hub Event Collector * AWS Simple Notification Service (AWS SNS) * AWS-WAF * Axonius * Azure Active Directory Applications * Azure Active Directory Groups * Azure Active Directory Identity And Access * Azure Active Directory Identity Protection (Deprecated) * Azure Active Directory Users * Azure AD Connect Health Feed * Azure Compute v2 * Azure Data Explorer * Azure Feed * Azure Firewall * Azure Key Vault * Azure Kubernetes Services * Azure Log Analytics * Azure Network Security Groups * Azure Risky Users * Azure SQL Management * Azure Storage Container * Azure Storage FileShare * Azure Storage Management * Azure Storage Queue * Azure Storage Table * Azure Web Application Firewall * AzureDevOps * Bambenek Consulting Feed * Barracuda Reputation Block List (BRBL) * Bastille 
Networks * BeyondTrust Password Safe * BigFix * Binalyze AIR * Bitbucket * BitcoinAbuse Feed * BitDam * BitSight for Security Performance Management * Blocklist_de Feed * Bluecat Address Manager * Blueliv ThreatCompass * Blueliv ThreatContext * BMC Discovery * BMC Helix ITSM * BMC Helix Remedyforce * BMC Remedy AR * Bonusly * Box (Deprecated) * Box Event Collector * Box v2 * BreachRx * BruteForceBlocker Feed * C2sec irisk * Cado Response * Camlytics * Carbon Black Endpoint Standard v2 * Carbon Black Live Response Cloud * Censys v2 * Centreon * Centrify Vault * Check Point Dome9 (CloudGuard) * Check Point Firewall (Deprecated) * Check Point Threat Emulation (SandBlast) * CheckPhish * CheckPoint Firewall v2 * Cherwell * Chronicle * CimTrak - System Integrity Assurance * CIRCL * CircleCI * CIRCLEHashlookup * Cisco AMP (Deprecated) * Cisco AMP v2 * Cisco ASA * Cisco Email Security Appliance (IronPort) (Deprecated) * Cisco ESA * Cisco Firepower * Cisco ISE * Cisco Meraki * Cisco Secure Cloud Analytics (Stealthwatch Cloud) * Cisco Secure Malware Analytics (Threat Grid) v2 * Cisco Secure Malware Analytics Feed * Cisco Secure Network Analytics (Stealthwatch) * Cisco Security Management Appliance * Cisco Threat Grid (Deprecated) * Cisco Umbrella Cloud Security * Cisco Umbrella Enforcement * Cisco Umbrella Investigate * Cisco Umbrella Reporting * Cisco Webex Feed * Cisco Webex Teams * Cisco WSA v2 * CiscoEmailSecurity (Beta) (Deprecated) * CiscoWSA (Deprecated) * Clarizen IAM * Claroty * Cloaken * CloudConvert * Cloudflare Feed * Cloudflare WAF * CloudShare (Beta) * CloudShark * Code42 * Cofense Feed * Cofense Intelligence (Deprecated) * Cofense Intelligence v2 * Cofense Triage (Deprecated) * Cofense Triage v2 * Cofense Triage v3 * Cofense Vision * Cognni * CohesityHelios * ConcentricAI * Confluera * Coralogix * Core Lock * Core REST API * Cortex Attack Surface Management * Cortex Data Lake XSOAR Connector * Cortex XDR - IOC * Cortex XDR - XQL Query Engine * Cortex Xpanse * 
Cortex Xpanse * CounterCraft Deception Director * CounterTack * Covalence For Security Providers * Covalence Managed Security * Create Test Incidents * CrowdSec * CrowdStrike Falcon * CrowdStrike Falcon Intel (Deprecated) * CrowdStrike Falcon Intel Feed Actors * CrowdStrike Falcon Intel v2 * CrowdStrike Falcon Intelligence Sandbox * CrowdStrike Falcon Sandbox (Deprecated) * CrowdStrike Falcon Sandbox v2 (Hybrid-Analysis) * CrowdStrike Falcon Streaming v2 * CrowdStrike Indicator Feed * CrowdStrike Malquery * CrowdStrike OpenAPI (Beta) * Cryptocurrency * Cryptosim * CSV Feed * CTIX v3 * Cuckoo Sandbox * CustomIndicatorDemo * CVE Search v2 * Cyber Triage * CyberArk AIM (Deprecated) * CyberArk AIM v2 * CyberArk Identity Event Collector * CyberArk PAS * CyberChef * Cybereason * Cyberint * Cyberpion * Cybersixgill Actionable Alerts * Cybersixgill DVE Enrichment * Cybersixgill DVE Feed Threat Intelligence (Deprecated) * Cybersixgill DVE Feed Threat Intelligence v2 * CyberTotal * Cyble Events * Cyble Threat Intel * CyCognito * CyCognito Feed * Cyjax Feed * Cylance Protect v2 * Cymptom * Cymulate * Cymulate v2 * Cyren Inbox Security * Cyren Threat InDepth Threat Intelligence Feed * Cyware Threat Intelligence eXchange * Darktrace (Deprecated) * Darktrace Admin * Darktrace AI Analyst * Darktrace Model Breaches * Datadog Cloud SIEM * Dataminr Pulse * DB2 * DeCYFIR * Deep Instinct * DeepInstinct v3 * DeepL * DeHashed * DelineaDSV * DelineaSS * Dell Secureworks * Demisto Lock * Demisto REST API (Deprecated) * Devo (Deprecated) * Devo v2 * DHS Feed * DHS Feed v2 * Digital Defense FrontlineVM * Digital Guardian * Digital Shadows * DNSOverHttps * dnstwist * Docker Engine API * DomainTools * DomainTools Iris * Dragos Worldview * Drift * Dropbox Event Collector * Druva Ransomware Response * DShield Feed * Duo * DUO Admin * Duo Event Collector * EasyVista * EclecticIQ Platform (Deprecated) * EclecticIQ Platform v2 * Edgescan * EDL Monitor * Elasticsearch Feed * Elasticsearch v2 * 
EmailRep.io * Endace * Envoy IAM * EWS Extension Online Powershell v2 (Deprecated) * EWS Extension Online Powershell v3 * EWS Mail Sender (Deprecated) * EWS O365 * EWS v2 * Exabeam * ExceedLMS IAM * Exchange 2016 Compliance Search (Deprecated) * Exodus Intelligence Vulnerabilities * Expanse (Deprecated) * Expanse Expander Feed * Export Indicators Service (Deprecated) * Exterro FTK * ExtraHop Reveal(x) * F5 Application Security Manager (WAF) * F5 firewall * F5 LTM * F5 Silverline * FalconHost (Deprecated) * Farsight DNSDB * Farsight DNSDB v2 * Fastly Feed * Feodo Tracker IP Blocklist Feed * Fidelis EDR * Fidelis Elevate Network * FileOrbis * FireEye (AX Series) * FireEye Central Management * FireEye Detection on Demand * FireEye Email Security * FireEye Endpoint Security (HX) v2 * FireEye ETP * FireEye Feed * FireEye Helix * FireEye HX (Deprecated) * FireEye HX Event Collector * FireEye NX * FireMon Security Manager * Flashpoint * Flashpoint Feed * Forcepoint * Forescout CounterACT * Forescout EyeInspect * Fortanix DSM * FortiAuthenticator * FortiGate * FortiManager * FortiSandbox * FortiSIEM * FortiSIEM v2 * Fortiweb VM * FraudWatch * Freshdesk * Freshworks Freshservice * G Suite Auditor * G Suite Security Alert Center * Gamma * GCenter * GCP Whitelist Feed (Deprecated) * GCP-IAM * Generic Export Indicators Service * Generic SQL * Generic Webhook * Genians * Gigamon ThreatINSIGHT * GitHub * Github Event Collector * GitHub IAM * GitLab (Deprecated) * GitLab Event Collector * GitLab v2 * GLIMPS Detect * GLPI * Gmail * Gmail Single User * Google BigQuery * Google Calendar * Google Cloud Compute * Google Cloud Functions * Google Cloud Logging * Google Cloud Pub/Sub * Google Cloud SCC * Google Cloud Storage * Google Cloud Translate * Google Docs * Google Dorking * Google Drive * Google IP Ranges Feed * Google Key Management Service * Google Kubernetes Engine * Google Maps * Google Resource Manager * Google Safe Browsing (Deprecated) * Google Safe Browsing v2 * Google 
Sheets * Google Vault * Google Vision AI * Google Workspace Admin * GoogleApps API and G Suite * Gophish * Grafana * GraphQL * Graylog * GreatHorn * GreyNoise * GreyNoise Community * Group-IB THF Polygon * Group-IB Threat Intelligence & Attribution * Group-IB Threat Intelligence & Attribution Feed * GRR * GuardiCore (Deprecated) * GuardiCore v2 * Gurucul-GRA * HackerOne * Hackuity * HarfangLab EDR * HashiCorp Vault * Hatching Triage * Have I Been Pwned? v2 * HelloWorld * HelloWorld Feed * HelloWorldPremium * HostIo * HPE Aruba ClearPass * Humio * HYAS Insight * HYAS Protect * Hybrid Analysis (Deprecated) * IBM QRadar (Deprecated) * IBM QRadar v2 (Deprecated) * IBM QRadar v3 * IBM Resilient Systems * IBM X-Force Exchange v2 * iboss * Icebrg * iDefense (Deprecated) * iLert * illuminate (Deprecated) * Illumio Core * IllusiveNetworks * Image OCR * Imperva Incapsula * Imperva WAF * Indeni * Indicators detection * Infinipoint * InfoArmor VigilanteATI * Infoblox * Infoblox BloxOne Threat Defense * Infoblox BloxOne Threat Defense Event Collector * Infocyte * Intel471 Actors Feed (Deprecated) * Intel471 Malware Feed (Deprecated) * Intel471 Malware Indicator Feed * Intel471 Watcher Alerts * Intezer v2 * IntSights (Deprecated) * Investigation & Response * IP-API * ipinfo (Deprecated) * IPinfo v2 * IPQualityScore * ipstack * IronDefense * Ironscales * Ivanti Heat * Ja3er * JAMF v2 * JARM * Jask (Deprecated) * Jira Event Collector * Joe Security (Deprecated) * Joe Security v2 * JSON Feed * JSON Sample Incident Generator * JsonWhoIs * JWT * Kafka v2 (Deprecated) * Kafka v3 * Kaspersky Security Center (Beta) * Keeper Secrets Manager * Kenna v2 * KnowBe4 KMSAT Event Collector * KnowBe4KMSAT (Deprecated) * Lacework * Lansweeper * LastInfoSec * Lastline v2 * LDAP Authentication * LGTM * LINENotify * Linkshadow * Linux * Lockpath KeyLight v2 * LogPoint SIEM Integration * LogRhythm (Deprecated) * LogRhythmRest * LogRhythmRest v2 * LogsignSiem * Logz.io * Looker * Luminar IOCs & leaked 
credentials * Lumu * MAC Vendors * Mail Listener v2 * Mail Sender (New) * MailListener - POP3 * Majestic Million Feed * Maltiverse * MalwareBazaar * MalwareBazaar Feed * Malwarebytes * Malwation AIMA * ManageEngine PAM360 * Mandiant Advantage Feed (Deprecated) * Mandiant Advantage Threat Intelligence * Mandiant Automated Defense (Formerly Respond Software) * Mantis * Mattermost * MaxMind GeoIP2 * McAfee Active Response * McAfee Advanced Threat Defense * McAfee DAM * McAfee DXL * McAfee ePO (Deprecated) * McAfee ePO v2 * McAfee ESM v10 and v11 (Deprecated) * McAfee ESM v2 * McAfee NSM (Deprecated) * McAfee NSM v2 * McAfee Threat Intelligence Exchange (Deprecated) * McAfee Threat Intelligence Exchange v2 * Micro Focus Service Manager * MicroFocus SMAX * Microsoft 365 Defender * Microsoft Advanced Threat Analytics * Microsoft Defender for Cloud * Microsoft Defender for Cloud Apps * Microsoft Defender for Cloud Apps Event Collector * Microsoft Defender for Endpoint * Microsoft Defender for Endpoint Event Collector * Microsoft Endpoint Configuration Manager * Microsoft Endpoint Manager (Intune) * Microsoft Graph API * Microsoft Graph Mail Single User * Microsoft Graph Search * Microsoft Graph Security * Microsoft Intune Feed * Microsoft Management Activity API (O365 Azure Events) * Microsoft Policy And Compliance (Audit Log) * Microsoft Sentinel * Microsoft Teams * Microsoft Teams Management * Microsoft Teams via Webhook * Mimecast Event Collector * Mimecast v2 * Minerva Labs Anti-Evasion Platform * MinIO * MISP Feed * MISP v2 (Deprecated) * MISP v3 * MITRE ATT&CK * MITRE IDs Feed (Deprecated) * MitreCaldera * mnemonic MDR - Argus Managed Defence * MobileIronCLOUD * MobileIronCORE * Moloch (Deprecated) * MongoDB * MongoDB Key Value Store * MongoDB Log * MS-ISAC * National Vulnerability Database * Ncurion * Neosec * NetBox Event Collector * Netcraft (Deprecated) * Netscout Arbor Edge Defense * Netscout Arbor Sightline (Peakflow) * Netskope (API v1) * Netskope (API v2) * 
Netskope (Deprecated) * Netskope Event Collector * Nexthink * nmap * Nozomi Networks * NTT Cyber Threat Sensor * NucleonCyberFeed * Nutanix Hypervisor * O365 - EWS - Extension (Deprecated) * O365 - Security And Compliance - Content Search * O365 - Security And Compliance - Content Search v2 * O365 Defender SafeLinks * O365 Defender SafeLinks - Single User * O365 File Management (Onedrive/Sharepoint/Teams) * O365 Outlook Calendar * O365 Outlook Mail (Using Graph API) * O365 Teams (Using Graph API) * OctoxLabs * Office 365 Feed * okta (Deprecated) * Okta Event Collector * Okta IAM * Okta v2 * OneLogin Event Collector * OpenAI * OpenAi ChatGPT v3 * OpenCTI * OpenCTI Feed 3.X (Deprecated) * OpenCTI Feed 4.X * OpenPhish v2 * OPNSense * OpsGenie (Deprecated) * Opsgenie v2 (Deprecated) * OpsGenie v3 * OPSWAT Filescan * OPSWAT-Metadefender v2 * Oracle Cloud Infrastructure Event Collector * Oracle IAM * Orca * Orca Event Collector * OSV * OTRS * Packetsled * PagerDuty v2 * Palo Alto AutoFocus (Deprecated) * Palo Alto Networks - Prisma Cloud Compute * Palo Alto Networks - Prisma SASE * Palo Alto Networks AutoFocus v2 * Palo Alto Networks Automatic SLR * Palo Alto Networks BPA * Palo Alto Networks Cortex (Deprecated) * Palo Alto Networks Cortex XDR - Investigation and Response * Palo Alto Networks Enterprise DLP * Palo Alto Networks IoT * Palo Alto Networks IoT 3rd Party * Palo Alto Networks MineMeld (Deprecated) * Palo Alto Networks PAN-OS * Palo Alto Networks PAN-OS EDL Management (Deprecated) * Palo Alto Networks Security Advisories (Beta) * Palo Alto Networks Threat Vault (Deprecated) * Palo Alto Networks Threat Vault v2 * Palo Alto Networks Traps (Deprecated) * Palo Alto Networks WildFire Reports * Palo Alto Networks WildFire v2 * PAN-OS Policy Optimizer (Beta) * PassiveTotal v2 * Penfield * Pentera * PerceptionPoint * Perch * PerimeterX BotDefender * Phish.AI (Deprecated) * PhishER * PhishLabs IOC * PhishLabs IOC DRP * PhishLabs IOC EIR * PhishTank v2 * PhishUp * Picus 
Security * Picus Security * PiHole * PingCastle * PingOne * Plain Text Feed * PolySwarm * Popular News * Postmark Spamcheck * PowerShell Remoting (Beta) * Preempt (Deprecated) * Prisma Access * Prisma Access Egress IP feed * Prisma Cloud (RedLock) (Deprecated) * Prisma Cloud v2 * PrismaCloud IAM * Proofpoint Feed * Proofpoint Protection Server (Deprecated) * Proofpoint Protection Server v2 * Proofpoint TAP v2 * Proofpoint Threat Response (Beta) * Proofpoint Threat Response Event Collector * ProtectWise * Public DNS Feed * Pulsedive * Qintel PMI * Qintel QSentry * Qintel QWatch * QR Code Reader - goqr.me * QSS * Qualys FIM * Qualys v2 * Query.AI * Quest KACE Systems Management Appliance (Beta) * QutteraWebsiteMalwareScanner * RaDark * Rapid7 - Threat Command (IntSights) * Rapid7 InsightIDR * Rapid7 InsightVM * Rapid7 InsightVM Cloud * Rasterize * Reco * Recorded Future (Deprecated) * Recorded Future - Playbook Alerts * Recorded Future Attack Surface Intelligence * Recorded Future Event Collector * Recorded Future Identity * Recorded Future RiskList Feed * Recorded Future v2 * Red Canary * Remedy On-Demand * Remote Access (Deprecated) * RemoteAccess v2 * ReversingLabs A1000 (Deprecated) * ReversingLabs A1000 v2 * ReversingLabs Ransomware and Related Tools Feed * ReversingLabs TitaniumCloud (Deprecated) * ReversingLabs TitaniumCloud v2 * ReversingLabs TitaniumScale * RiskIQ Digital Footprint * RiskSense * RSA Archer (Deprecated) * RSA Archer v2 * RSA NetWitness Endpoint * RSA NetWitness Packets and Logs * RSA NetWitness Security Analytics * RSA NetWitness v11.1 (Deprecated) * RSANetWitness v11.5 * RSS Feed * RST Cloud - Threat Feed API * RTIR * Rubrik Radar * Rundeck * RunZero * RunZero Event Collector * SaaS Security * SaaS Security Event Collector * SafeBreach (Deprecated) * SafeBreach v2 * Safewalk Management * Safewalk Reports * SailPoint IdentityIQ * SailPoint IdentityNow * Salesforce * Salesforce Event Collector * Salesforce Fusion IAM * Salesforce IAM * 
Salesforce v2 * SAML 2.0 * SAML 2.0 - ADFS as IdP * SAML 2.0 - Okta as IdP * SAML 2.0 - PingOne as IdP * SAP - IAM * SCADAfence CNM * Screenshot Machine * SecBI * SecneurX Analysis * SecneurX Threat Feeds * Security Intelligence Services Feed * SecurityAdvisor (Deprecated) * SecurityScorecard * SecurityTrails * Securonix * SEKOIAIntelligenceCenter * SendGrid * SentinelOne Event Collector * SentinelOne v2 * Sepio * Server Message Block (SMB) (Deprecated) * Server Message Block (SMB) v2 * Service Desk Plus * Service Desk Plus (On-Premise) (Deprecated) * ServiceNow (Deprecated) * ServiceNow CMDB * ServiceNow IAM * ServiceNow v2 * ShiftLeft CORE * Shodan v2 * Signal Sciences WAF * Silverfort * Simple SFTP * Single Connect * Sixgill DarkFeed Enrichment * Sixgill DarkFeed Threat Intelligence * Skyformation (Deprecated) * Skyhigh Security * Slack Event Collector * Slack IAM * Slack v2 (Deprecated) * Slack v3 * SlashNext Phishing Incident Response * SMIME Messaging * Smokescreen IllusionBLACK * SNDBOX (Deprecated) * Snort IP Blocklist Feed * Snowflake * SOCRadar Incidents * SOCRadar Threat Feed * SOCRadar ThreatFusion * SolarWinds * Sophos Central * Sophos Firewall * Spamcop * Spamhaus Feed * SplunkPy * SplunkPy Prerelease (Beta) * SpyCloud * Stairwell Inception * Starter Base Integration - Name the integration as it will appear in the XSOAR UI * Sumo Logic Cloud SIEM * SumoLogic * Symantec Advanced Threat Protection (Deprecated) * Symantec Blue Coat Content and Malware Analysis (Beta) * Symantec Data Loss Prevention (Deprecated) * Symantec Data Loss Prevention v2 * Symantec Endpoint Detection and Response (EDR) - On Prem * Symantec Endpoint Protection v2 * Symantec Managed Security Services * Symantec Management Center * Symantec Messaging Gateway * Synapse * SysAid * Syslog (Deprecated) * Syslog Sender * Syslog v2 * TaegisXDR * Talos Feed * Tanium (Deprecated) * Tanium Threat Response * Tanium Threat Response v2 * Tanium v2 * TAXII 2 Feed * TAXII Feed * TAXII Server * 
TAXII2 Server * Team Cymru * TeamViewer Event Collector * Tenable.io * Tenable.io Event Collector * Tenable.sc * Thales SafeNet Trusted Access * Thales SafeNet Trusted Access Event Collector * TheHive Project * Thinkst Canary * ThousandEyes * Threat Crowd v2 (Deprecated) * ThreatConnect (Deprecated) * ThreatConnect Feed * ThreatConnect v2 (Deprecated) * ThreatConnect v3 * ThreatExchange (Deprecated) * ThreatExchange v2 * ThreatMiner * ThreatQ v2 * ThreatX * Thycotic (Deprecated) * ThycoticDSV (Deprecated) * Tidy * TitaniamProtect * TOPdesk * Trello * Trend Micro Apex One * Trend Micro Cloud App Security * Trend Micro Deep Security * Trend Micro Vision One * Trend Micro Vision One V3. * Tripwire * TruSTAR (Deprecated) * TruSTAR v2 * Trustwave Secure Email Gateway * TrustwaveFusion * Tufin * Twilio * Twinwave * Twitter (Deprecated) * Twitter v2 * TwitterIOCHunter Feed * UBIRCH * UltraMSG * Unisys Stealth * Unit 42 ATOMs Feed * Unit 42 Feed (Deprecated) * Unit 42 Intel Objects Feed * Uptycs * URLhaus * URLhaus Feed * urlscan.io * USTA * Varonis Data Security Platform * Vectra (Deprecated) * Vectra AI Event Collector * Vectra Detect * Vectra v2 (Deprecated) * Venafi * Versa Director * Vertica * VirusTotal (API v3) * VirusTotal (Deprecated) * VirusTotal - Premium (API v3) * VirusTotal - Private API (Deprecated) * VirusTotal Livehunt Feed * VirusTotal Retrohunt Feed * VMRay * VMware * VMware Carbon Black App Control v2 * VMware Carbon Black EDR (Deprecated) * VMware Carbon Black EDR (Live Response API) * VMware Carbon Black EDR v2 * VMware Carbon Black Endpoint Standard (Deprecated) * VMware Carbon Black Enterprise EDR * VMware Workspace ONE UEM (AirWatch MDM) * VulnDB * WALLIX Bastion * Web File Repository * WhatIsMyBrowser * Whois * Windows Remote Management (Beta) * WithSecure Event Collector * Wiz * Wolken ITSM * WootCloud * Wordpress * Workday * Workday IAM * Workday IAM Event Generator (Beta) * XM Cyber * xMatters * XSOAR EDL Checker * XSOAR Mirroring * XSOAR 
Storage * XSOAR-Web-Server * Xsoar_Utils * Zabbix * Zendesk v2 * ZeroFox * Zerohack XDR * ZeroTrustAnalyticsPlatform * Zimperium * Zoom * Zoom Event Collector * Zoom Feed * Zoom_IAM * Zscaler Internet Access * Playbooks * 3CXDesktopApp Supply Chain Attack * Abuse Inbox Management Detect & Respond * Abuse Inbox Management Protection * Access Investigation - Generic * Access Investigation - Generic - NIST * Access Investigation - QRadar * Accessdata: Dump memory for malicious process * Account Enrichment * Account Enrichment - Generic * Account Enrichment - Generic v2 * Account Enrichment - Generic v2.1 * Acquire And Analyze Host Forensics * ACTI Block High Severity Indicators * ACTI Block Indicators from an Incident * ACTI Create Report-Indicator Associations * ACTI Incident Enrichment * ACTI Indicator Enrichment * ACTI Report Enrichment * ACTI Vulnerability Enrichment * Active Directory - Get User Manager Details * Active Directory Investigation * Add Employees to Departing Employee Watchlist * Add Employees to New Hire Watchlist * Add Indicator to Miner - Palo Alto MineMeld * Add IOCs - Cofense Vision * Add Unknown Indicators To Inventory - RiskIQ Digital Footprint * Agari Message Remediation - Agari Phishing Defense * Akamai WAF - Activate Network Lists * Alibaba ActionTrail - multiple unauthorized action attempts detected by a user * Allow IP - Okta Zone * Analyze URL - ReversingLabs TitaniumCloud * Anomali Enterprise Forensic Search * appNovi-MAC-Address-Lookup * Arcanna-Generic-Investigation * Arcanna-Generic-Investigation-V2-With-Feedback * Archer initiate incident * Arcsight - Get events related to the Case * Armis Alert Enrichment * Armorblox Needs Review * Assess Wiz Issues * Assign Active Incidents to Next Shift * Assign Active Incidents to Next Shift V2 * ATD - Detonate File * Auto Add Assets - RiskIQ Digital Footprint * Auto Update Or Remove Assets - RiskIQ Digital Footprint * Autofocus - File Indicators Hunting * Autofocus - Hunting And Threat 
Detection * Autofocus - Traffic Indicators Hunting * Autofocus Query Samples, Sessions and Tags * AutoFocusPolling * AWS - Enrichment * AWS - Security Group Remediation * AWS - Security Group Remediation v2 * AWS - Unclaimed S3 Bucket Remediation * AWS - Unclaimed S3 Bucket Validation * AWS IAM - User enrichment * AWS IAM User Access Investigation * AWS IAM User Access Investigation - Remediation * Azure - Enrichment * Azure - Network Security Group Remediation * Azure Log Analytics - Query From Saved Search * BeyondTrust Retrieve Credentials * Block Account - Generic * Block Account - Generic v2 * Block Domain - Cisco Stealthwatch * Block Domain - External Dynamic List * Block Domain - FireEye Email Security * Block Domain - Generic * Block Domain - Generic v2 * Block Domain - Proofpoint Threat Response * Block Domain - Symantec Messaging Gateway * Block Domain - Trend Micro Apex One * Block Domain - Zscaler * Block Email - Generic * Block Email - Generic v2 * Block Endpoint - Carbon Black Response * Block File - Carbon Black Response * Block File - Cybereason * Block File - Cylance Protect v2 * Block File - Generic * Block File - Generic v2 * Block Indicators - Generic * Block Indicators - Generic v2 * Block Indicators - Generic v3 * Block IOCs from CSV - External Dynamic List * Block IP - Generic * Block IP - Generic v2 * Block IP - Generic v3 * Block URL - Generic * Block URL - Generic v2 * Bonusly - AutoGratitude * BreachRx - Create Incident and get Active Tasks * Brute Force Investigation - Generic * Brute Force Investigation - Generic - SANS * Bulk Export Devices to ServiceNow - PANW IoT 3rd Party Integration * Bulk Export to Cisco ISE - PANW IoT 3rd Party Integration * Bulk Export to SIEM - PANW IoT 3rd Party Integration * C2SEC-Domain Scan * Calculate Severity - 3rd-party integrations * Calculate Severity - Critical assets * Calculate Severity - Critical Assets v2 * Calculate Severity - Generic * Calculate Severity - Generic v2 * Calculate Severity - 
GreyNoise * Calculate Severity - Indicators DBotScore * Calculate Severity - Standard * Calculate Severity By Email Authenticity * Calculate Severity By Highest DBotScore * Calculate Severity Highest DBotScore For Egress Network Traffic - GreyNoise * Calculate Severity Highest DBotScore For Ingress Network Traffic - GreyNoise * Caldera Operation * California - Breach Notification * Carbon Black EDR Search Process * Carbon black Protection Rapid IOC Hunting * Carbon Black Rapid IOC Hunting * Carbon Black Response - Unisolate Endpoint * Case Management - Generic * Case Management - Generic - Send On Call Notification * Case Management - Generic - Set SLAs based on Severity * Case Management - Generic - Start SLA Timers * Case Management - Generic v2 * Change Management * Check For Content Installation * Check Incydr Status and Close XSOAR Incident * Check Indicators For Unknown Assets - RiskIQ Digital Footprint * Check IP Address For Whitelisting - RiskIQ Digital Footprint * Checkpoint - Block IP - Append Group * Checkpoint - Block IP - Custom Block Rule * Checkpoint - Block URL * Checkpoint - Publish&Install configuration * Checkpoint Firewall Configuration Backup Playbook * ChronicleAsset Investigation - Chronicle * ChronicleAssets Investigation And Remediation - Chronicle * CimTrak - Example - Analyze Intrusion * CimTrak - Example - Scan Compliance By IP * Cisco FirePower- Append network group object * Claroty Incident * Claroty Manage Asset CVEs * Close Related XSOAR and Incydr Incidents * Cloud IAM Enrichment - Generic * Cloud IAM User Access Investigation * Cloud IDS-IP Blacklist-GCP Firewall_Append * Cloud IDS-IP Blacklist-GCP Firewall_Combine * Cloud IDS-IP Blacklist-GCP Firewall_Extract * Cloud Response - AWS * Cloud Response - Azure * Cloud Response - GCP * Cloud Response - Generic * CloudConvert - Convert File * Cluster Report Categorization - Cofense Triage v3 * Code42 Add Departing Employee From Ticketing System * Code42 Copy File To Ticketing System * 
Code42 Exfiltration Playbook * Code42 File Download * Code42 File Search * Code42 Security Alert * Code42 Suspicious Activity Action * Code42 Suspicious Activity Review * Codecov Breach - Bash Uploader * Command-Line Analysis * Compromised Credentials Match - Flashpoint * Configuration Setup * Containment Plan * Content Update Check * Content Update Manager * Context Polling - Generic * Continuously Process Survey Responses * Convert file hash to corresponding hashes * Cortex ASM - ASM Alert * Cortex ASM - AWS Enrichment * Cortex ASM - Azure Enrichment * Cortex ASM - CMDB Enrichment * Cortex ASM - Decision * Cortex ASM - Detect Service * Cortex ASM - Enrichment * Cortex ASM - Extract IP Indicator * Cortex ASM - GCP Enrichment * Cortex ASM - Prisma Cloud Enrichment * Cortex ASM - Qualys Enrichment * Cortex ASM - Rapid7 Enrichment * Cortex ASM - Remediation * Cortex ASM - Remediation Guidance * Cortex ASM - Remediation Path Rules * Cortex ASM - Service Ownership * Cortex ASM - ServiceNow CMDB Enrichment * Cortex ASM - SNMP Check * Cortex ASM - Splunk Enrichment * Cortex ASM - Tenable.io Enrichment * Cortex ASM - Vulnerability Management Enrichment * Cortex Data Lake - File Indicators Hunting * Cortex Data Lake - Indicators Hunting * Cortex Data Lake - Traffic Indicators Hunting * Cortex XDR - AWS IAM user access investigation * Cortex XDR - Block File * Cortex XDR - Check Action Status * Cortex XDR - check file existence * Cortex XDR - Cloud Enrichment * Cortex XDR - Cloud IAM User Access Investigation * Cortex XDR - delete file * Cortex XDR - Endpoint Investigation * Cortex XDR - Execute commands * Cortex XDR - Execute snippet code script * Cortex XDR - False Positive Incident Handling * Cortex XDR - First SSO Access * Cortex XDR - First SSO Access - Set Verdict * Cortex XDR - Get entity alerts by MITRE tactics * Cortex XDR - Get File Path from alerts by hash * Cortex XDR - Isolate Endpoint * Cortex XDR - kill process * Cortex XDR - Malware Investigation * Cortex 
CheckpointFWCreateBackup * CheckSender * CheckSenderDomainDistance * checkValue * ChronicleAssetEventsForHostnameWidgetScript * ChronicleAssetEventsForIPWidgetScript * ChronicleAssetEventsForMACWidgetScript * ChronicleAssetEventsForProductIDWidgetScript * ChronicleAssetIdentifierScript * ChronicleDBotScoreWidgetScript * ChronicleDomainIntelligenceSourcesWidgetScript * ChronicleIsolatedHostnameWidgetScript * ChronicleIsolatedIPWidgetScript * ChronicleListDeviceEventsByEventTypeWidgetScript * ChroniclePotentiallyBlockedIPWidgetScript * CIDRBiggerThanPrefix * ClassifierNotifyAdmin * CloseInvestigationAsDuplicate * CloseLinkedIncidentsPostProcessing * CloseTaskSetContext * Code42DownloadFile * Code42FileEventsToMarkdownTable * Code42FileSearch * Code42GetDepartingEmployees * Code42GetHighRiskEmployees * Code42UsernameSearch * CofenseTriageReportDownload * CofenseTriageThreatEnrichment * CollectCampaignRecipients * CollectPacksData * commentsToContext * CommitFiles * CommonD2 * CommonServerUserPowerShell * CommonServerUserPython * CommonUserServer * CompareIncidentsLabels * CompareIndicators * CompareList * CompleteTaskOnTimerBreach * ConcatFormat * ConferIncidentDetails * ConferSetSeverity * ConfigureAzureApplicationAccessPolicy * ConflueraDetectionsCount * ConflueraDetectionsData * ConflueraDetectionsDataWarroom * ConflueraDetectionsSummary * ConflueraDetectionsSummaryWarroom * ConflueraProgressionsCount * ConflueraProgressionsData * ConflueraProgressionsDataWarroom * ContainsCreditCardInfo * ContentPackInstaller * ContextContains * ContextFilter * ContextGetEmails * ContextGetHashes * ContextGetIps * ContextGetMACAddresses * ContextGetPathForString * ContextSearchForString * ConvertAllExcept * ConvertCountryCodeCountryName * ConvertDatetoUTC * ConvertDictOfListToListOfDict * ConvertDomainToURLs * ConvertFile * ConvertKeysToTableFieldFormat * ConvertTableToHTML * ConvertTimezoneFromUTC * ConvertToSingleElementArray * ConvertXmlFileToJson * ConvertXmlToJson * 
CopyContextToField * CopyFileD2 * CopyLinkedAnalystNotes * CopyNotesToIncident * CortexXDRAdditionalAlertInformationWidget * CortexXDRCloudProviderWidget * CortexXDRIdentityInformationWidget * CortexXDRRemediationActionsWidget * CountArraySize * CreateArray * CreateArrayWithDuplicates * CreateCertificate * CreateChannelWrapper * CreateEDLInstance * CreateEmailHtmlBody * CreateFileFromPathObject * CreateHash * CreateHashIndicatorWrapper * CreateIndicatorRelationship * CreateIndicatorsFromSTIX * CreateNewIndicatorsOnly * CreatePlbkDoc * CreatePrismaCloudComputeComplianceReportButton * CreatePrismaCloudComputeLink * CrowdStrikeApiModule * CrowdStrikeStreamingPreProcessing * CrowdStrikeUrlParse * CryptoCurrenciesFormat * CSVFeedApiModule * CuckooDetonateFile * CuckooDetonateURL * CuckooDisplayReport * CuckooGetReport * CuckooGetScreenshot * CuckooTaskStatus * CustomContentBundleWizardry * CustomPackInstaller * Cut * cveReputation * CybereasonPreProcessingExample * CybersixgillActionableAlertStatusUpdate * CyCognitoGetEndpoints * CYFileRep * Cyren-Find-Similar-Incidents * Cyren-Show-Threat-Indicators * CyrenCountryLookup * CyrenThreatInDepthRandomHunt * CyrenThreatInDepthRelatedWidget * CyrenThreatInDepthRelatedWidgetQuick * CyrenThreatInDepthRenderRelated * D2ActiveUsers * D2Autoruns * D2Drop * D2Exec * D2ExecuteCommand * D2GetFile * D2GetSystemLog * D2Hardware * D2O365ComplianceSearch * D2O365SearchAndDelete * D2PEDump * D2Processes * D2RegQuery * D2Rekall * D2Services * D2Users * D2Winpmem * DamSensorDown * DataDomainReputation * DataminrPulseDisplayRelatedAlerts * DataminrPulseTransformExtractedIndicatorsToList * DateStringToISOFormat * DateTimeToADTime * DateToTimeStamp * DBotAverageScore * DBotBuildPhishingClassifier * DBotClosedIncidentsPercentage * DBotFindSimilarIncidents * DBotFindSimilarIncidentsByIndicators * DBotPredictOutOfTheBoxV2 * DBotPredictPhishingEvaluation * DBotPredictPhishingWords * DBotPredictTextLabel * DBotPredictURLPhishing * 
DBotPreparePhishingData * DBotPreProcessTextData * DBotTrainTextClassifier * DBotTrainTextClassifierV2 * DBotUpdateLogoURLPhishing * DecodeMimeHeader * DedupBy * DeduplicateValuesbyKey * DefaultIncidentClassifier * DeleteContent * DeleteContext * DeleteReportedEmail * DemistoCreateList * DemistoGetIncidentTasksByState * DemistoLeaveAllInvestigations * DemistoLinkIncidents * DemistoLogsBundle * DemistoSendInvite * DemistoUploadFile * DemistoUploadFileToIncident * DemistoUploadFileV2 * DemistoVersion * Dig * DisableUserWrapper * DisplayCVEChartScript * DisplayEmailHtml * DisplayEmailHtmlThread * DisplayHTML * DisplayIndicatorReputationContent * DisplayTaggedWarroomEntries * displayUtilitiesResults * DlpAskFeedback * DockerHardeningCheck * DomainReputation * DrawRelatedIncidentsCanvas * DsSearchQueryArray * DT * DumpJSON * EditServerConfig * EmailAskUser * EmailAskUserResponse * EmailDomainBlacklist * EmailDomainSquattingReputation * EmailDomainWhitelist * emailFieldTriggered * EmailReputation * EmailSLABreach * EncodeToAscii * EntryWidgetCoAHandled * EntryWidgetCoATechniquesList * EntryWidgetNumberRegionsXCLOUD * EntryWidgetNumberResourcesXCLOUD * EntryWidgetPortBasedRules * EntryWidgetUnusedApplications * EntryWidgetUnusedRules * EnumerateRoles * EPOFindSystem * EsmExample * Etl2Pcap * ExampleJSScript * ExchangeAssignRole * ExchangeDeleteMail * ExchangeSearchMailbox * ExifRead * Exists * ExpanseAggregateAttributionCI * ExpanseAggregateAttributionDevice * ExpanseAggregateAttributionIP * ExpanseAggregateAttributionUser * ExpanseEnrichAttribution * ExpanseEvidenceDynamicSection * ExpanseGenerateIssueMapWidgetScript * ExpansePrintSuggestions * ExpanseRefreshIssueAssets * ExportAuditLogsToFile * ExportContextToJSONFile * ExportIncidentsToCSV * ExportIndicatorsToCSV * ExportMLModel * ExportToCSV * ExportToXLSX * ExposeIncidentOwner * ExtFilter * ExtractDomainAndFQDNFromUrlAndEmail * ExtractDomainFromIOCDomainMatchRes * ExtractDomainFromUrlAndEmail * 
ExtractEmailTransformer * ExtractEmailV2 * ExtractFQDNFromUrlAndEmail * ExtractHTMLTables * ExtractInbetween * ExtractIndicatorsFromTextFile * ExtractIndicatorsFromWordFile * ExtraHopTrackIncidents * FailedInstances * FeedCyCognitoGetAssetEndpoint * FeedIntegrationErrorWidget * FeedRelatedIndicatorsWidget * FetchFileD2 * FetchIndicatorsFromFile * FileCreateAndUpload * FileCreateAndUploadV2 * FileReputation * FileToBase64List * FilterByList * FindDuplicateEmailIncidents * FindEmailCampaign * findIncidentsWithIndicator * FindSimilarIncidents * FindSimilarIncidentsByText * FireEyeApiModule * FireEyeDetonateFile * FirstArrayElement * ForescoutEyeInspectButtonGetPCAP * ForescoutEyeInspectButtonGetVulnerabilityInfo * ForescoutEyeInspectButtonHostChangeLog * FormatACTIURL * FormatContentData * FormattedDateToEpoch * FormatTemplate * FormatURL * ForwardAuditLogsToSplunkHEC * FPDeleteRule * FPSetRule * GCPProjectHierarchy * GenerateAsBuilt * GenerateASMReport * GenerateCSR * GenerateInvestigationSummaryReport * GeneratePANWIoTDeviceTableQueryForServiceNow * GeneratePassword * GenerateRandomString * GenerateRandomUUID * GenerateSummaryReportButton * GenerateSummaryReports * GenericPollingScheduledTask * GetAwayUsers * GetBrandDeleteReportedEmail * GetCampaignDuration * GetCampaignIncidentsIdsAsOptions * GetCampaignIncidentsInfo * GetCampaignLowerSimilarityIncidentsIdsAsOptions * GetCampaignLowSimilarityIncidentsInfo * GetCiscoISEActiveInstance * GetDataCollectionLink * GetDockerImageLatestTag * GetDomainDNSDetails * GetEnabledInstances * GetEntries * GetErrorsFromEntry * GetEWSFolder * GetFailedTasks * GetFields * GetFieldsByIncidentType * GetFilePathPreProcessing * GetIncidentsByQuery * GetIncidentTasksByState * GetIndicatorDBotScore * GetIndicatorDBotScoreFromCache * GetIndicatorDBotScoreFromContext * GetIndicatorsByQuery * GetInstanceName * GetInstances * GetLicenseID * GetListRow * GetMessageIdAndRecipients * getMlFeatures * GetMLModelEvaluation * GetNumberOfUsersOnCall 
* GetOnCallHoursPerUser * GetPrBranches * GetRange * GetRolesPerShift * GetShiftsPerUser * GetStringsDistance * GetTasksWithSections * GetTime * GetUsersOnCall * GetUsersOOO * GetValuesOfMultipleFields * GIBIncidentUpdate * GIBIncidentUpdateIncludingClosed * GLPIIncidentStatus * GoogleappsRevokeUserRole * GoogleAuthURL * GRAAnalyticalFeatureDisplay * GRAAnomaliesDisplay * GRAUpdateCaseStatus * GridFieldSetup * GrrGetFiles * GrrGetFlows * GrrGetHunt * GrrGetHunts * GrrSetFlows * GrrSetHunts * GSuiteApiModule * GZipFile * HashIncidentsFields * HealthCheckAPIvalidation * HealthCheckCommonIndicators * HealthCheckContainersStatus * HealthCheckCPU * HealthCheckDiskUsage * HealthCheckDiskUsageLine * HealthCheckFields * HealthCheckIncidentsCreatedDaily * HealthCheckIncidentsCreatedMonthly * HealthCheckIncidentsCreatedWeekly * HealthCheckIncidentTypes * HealthCheckInstalledPacks * HealthCheckIntegrations * HealthCheckMemory * HealthCheckNumberOfDroppedIncidents * HealthCheckPlaybookAnalysis * HealthCheckServerConfiguration * HealthCheckSystemDiagnostics * HealthCheckWorkers * HelloWorldPremiumScript * HelloWorldScript * Hey * hideFieldsOnNewIncident * HighlightWords * http * HTTPFeedApiModule * HTTPListRedirects * HttpV2 * IAMApiModule * IAMInitOktaUser * IdentifyAttachedEmail * If-Then-Else * IgnoreFieldsFromJson * ImportMLModel * ImpSfListEndpoints * ImpSfRevokeUnaccessedDevices * ImpSfScheduleTask * ImpSfSetEndpointStatus * IncapGetAppInfo * IncapGetDomainApproverEmail * IncapListSites * IncapScheduleTask * IncapWhitelistCompliance * IncidentAddSystem * IncidentFields * IncidentsCheck-NumberofIncidentsNoOwner * IncidentsCheck-NumberofIncidentsWithErrors * IncidentsCheck-NumberofTotalEntriesErrors * IncidentsCheck-PlaybooksFailingCommands * IncidentsCheck-PlaybooksHealthNames * IncidentsCheck-Widget-CommandsNames * IncidentsCheck-Widget-CreationDate * IncidentsCheck-Widget-IncidentsErrorsInfo * IncidentsCheck-Widget-NumberFailingIncidents * 
IncidentsCheck-Widget-NumberofErrors * IncidentsCheck-Widget-PlaybookNames * IncidentsCheck-Widget-UnassignedFailingIncidents * IncidentState * IncreaseIncidentSeverity * IndicatorMaliciousRatioCalculation * InferWhetherServiceIsDev * InRange * InstancesCheck-FailedCategories * InstancesCheck-NumberofEnabledInstances * InstancesCheck-NumberofFailedInstances * IntegrationsCheck-Widget-IntegrationsCategory * IntegrationsCheck-Widget-IntegrationsErrorsInfo * IntegrationsCheck-Widget-NumberChecked * IntegrationsCheck-Widget-NumberFailingInstances * IntezerRunScanner * IntezerScanHost * InvertEveryTwoItems * InvestigationDetailedSummaryParse * InvestigationDetailedSummaryToTable * InvestigationSummaryParse * InvestigationSummaryToTable * iot-security-alert-post-processing * iot-security-check-servicenow * iot-security-get-raci * iot-security-vuln-post-processing * IPCalcCheckSubnetCollision * IPCalcReturnAddressBinary * IPCalcReturnAddressIANAAllocation * IPCalcReturnSubnetAddresses * IPCalcReturnSubnetBroadcastAddress * IPCalcReturnSubnetNetwork * IPReputation * IPToHost * IPv4Blacklist * IPv4Whitelist * IqHubLog * IronscalesEmailFieldTrigger * isArrayItemInList * IsDemistoRestAPIInstanceAvailable * IsDomainInternal * IsEmailAddressInternal * isError * IsGreaterThan * IsIncidentPartOfCampaign * IsInCidrRanges * IsIntegrationAvailable * IsInternalHostName * IsIPInRanges * IsIPPrivate * IsListExist * IsMaliciousIndicatorFound * IsolationAssetWrapper * IsRFC1918Address * IsTrue * IsValueInArray * JiraAddComment * JiraChangeStatus * JiraCreateIssue-example * JiraListStatus * JIRAPrintIssue * JiraV3ConvertAttachmentsToTable * JiraV3ConvertCommentsToTable * JiraV3ConvertSubtasksToTable * jmespath * JobCreator * JoinIfSingleElementOnly * jq * JSONFeedApiModule * JSONFileToCSV * JSONtoCSV * JsonToTable * JsonUnescape * KeylightCreateIssue * KillProcessWrapper * LanguageDetect * LCMAcknowledgeHost * LCMDetectedEntities * LCMDetectedIndicators * LCMHosts * LCMIndicatorsForEntity 
* LCMPathFinderScanHost * LCMResolveHost * LCMSetHostComment * LessThanPercentage * LinkIncidentsButton * LinkIncidentsWithRetry * ListDeviceEvents * listExecutedCommands * ListInstalledContentPacks * ListPlaybookAutomationsCommands * ListUsedDockerImages * LoadJSON * LoadJSONFileToContext * MakePair * MaliciousRatioReputation * ManageOOOusers * MapPattern * MapRaDarkIncidentDetails * MapRangeValues * MapValues * MapValuesTransformer * MarkAsEvidenceBySearch * MarkAsEvidenceByTag * MarkAsNoteBySearch * MarkAsNoteByTag * MarkdownToHTML * MarketplacePackInstaller * MarkRelatedIncidents * MatchIPinCIDRIndicators * MatchRegex * MatchRegexV2 * MathUtil * MattermostAskUser * MaxList * MergeDictArray * MicrosoftApiModule * MicrosoftAzureStorageApiModule * MicrosoftSentinelConvertAlertsToTable * MicrosoftSentinelConvertCommentsToTable * MicrosoftSentinelConvertEntitiesToTable * MicrosoftSentinelConvertRelationsToTable * MicrosoftTeamsAsk * MimecastFindEmail * MimecastQuery * MinList * MITREIndicatorsByOpenIncidents * MITREIndicatorsByOpenIncidentsV2 * ModifyDateTime * NCSCReportDetails * NCSCReportDetails_A * NCSCReportDetails_B * NCSCReportDetails_C * NCSCReportDetails_D * NCSCReportOverview * NetwitnessQuery * NetwitnessSAAddEventsToIncident * NetwitnessSACreateIncident * NetwitnessSAGetAvailableAssignees * NexposeCreateIncidentsFromAssets * NexposeEmailParser * NexposeEmailParserForVuln * NexposeVulnExtractor * NGINXApiModule * NotInContextVerification * Oletools * OnboardingCleanup * OnionURLReputation * OSQueryBasicQuery * OSQueryLoggedInUsers * OSQueryOpenSockets * OSQueryProcesses * OSQueryUsers * Osxcollector * OutOfOfficeListCleanup * PadZeros * PagerDutyAlertOnIncident * PagerDutyAssignOnCallUser * PanoramaCVECoverage * PanoramaSecurityPolicyMatchWrapper * PanwIndicatorCreateQueries * ParseCSV * ParseEmailFiles * ParseEmailFilesV2 * ParseExcel * ParseHTMLIndicators * ParseHTMLTables * ParseJSON * ParseWordDoc * ParseYAML * PcapConvert * PcapExtractStreams * 
PcapFileExtractor * PcapFileExtractStreams * PcapHTTPExtractor * PCAPMiner * PcapMinerV2 * PDFUnlocker * PenfieldAssign * PerformActionOnCampaignIncidents * PHash * PortListenCheck * PrepareArcannaRawJson * PreprocessEmail * PreProcessImage * Print * PrintContext * PrintErrorEntry * PrintRaw * PrismaCloudAttribution * PrismaCloudComputeParseCloudDiscoveryAlert * PrismaCloudComputeParseComplianceAlert * PrismaCloudComputeParseVulnerabilityAlert * ProductJoin * ProvidesCommand * PTEnrich * PublishEntriesToContext * PublishThreatIntelReport * PWEventPcapDownload * PWObservationPcapDownload * QRadarCreateAQLQuery * QRadarFetchedEventsSum * QRadarMagnitude * QRadarMirroringEventsStatus * QRadarPrintAssets * QRadarPrintEvents * QualysCreateIncidentFromReport * RandomElementFromList * RandomPhotoNasa * RankServiceOwners * RapidBreachResponse-CompletedTasksCount-Widget * RapidBreachResponse-EradicationTasksCount-Widget * RapidBreachResponse-HuntingTasksCount-Widget * RapidBreachResponse-MitigationTasksCount-Widget * RapidBreachResponse-RemainingTasksCount-Widget * RapidBreachResponse-RemediationTasksCount-Widget * RapidBreachResponse-TotalIndicatorCount-Widget * RapidBreachResponse-TotalTasksCount-Widget * RapidBreachResponseParseBlog * ReadFile * ReadNetstatFile * ReadNetstatFileWrapper * ReadPDFFileV2 * ReadProcessesFile * ReadProcessesFileXDR * ReadProcessFileWrapper * RecordedFutureDomainRiskList * RecordedFutureHashRiskList * RecordedFutureIPRiskList * RecordedFutureURLRiskList * RecordedFutureVulnerabilityRiskList * redactindicator * RegexExpand * RegexExtractAll * RegexReplace * RegistryParse * RegPathReputationBasicLists * RemediationPathRuleEvaluation * RemoteExec * RemoveEmpty * RemoveEmptyEvidence * RemoveFileWrapper * RemoveKeyFromList * RepopulateFiles * ResolveShortenedURL * RestartFailedTasks * RetrievePlaybooksAndIntegrations * ReverseList * RiskIQDigitalFootprintAssetDetailsWidgetScript * RiskIQPassiveTotalComponentsScript * 
RiskIQPassiveTotalComponentsWidgetScript * RiskIQPassiveTotalHostPairChildrenScript * RiskIQPassiveTotalHostPairParentsScript * RiskIQPassiveTotalHostPairsChildrenWidgetScript * RiskIQPassiveTotalHostPairsParentsWidgetScript * RiskIQPassiveTotalPDNSScript * RiskIQPassiveTotalPDNSWidgetScript * RiskIQPassiveTotalSSLForIssuerEmailWidgetScript * RiskIQPassiveTotalSSLForSubjectEmailWidgetScript * RiskIQPassiveTotalSSLScript * RiskIQPassiveTotalSSLWidgetScript * RiskIQPassiveTotalTrackersScript * RiskIQPassiveTotalTrackersWidgetScript * RiskIQPassiveTotalWhoisScript * RiskIQPassiveTotalWhoisWidgetScript * RiskSenseGetRansomewareCVEScript * RSSWidget * RSSWidget_LC * RubrikCDMClusterConnectionState * RubrikRadarFilesAdded * RubrikRadarFilesDeleted * RubrikRadarFilesModified * RubrikSonarOpenAccessFiles * RubrikSonarSensitiveHits * RubrikSonarTotalHits * RunDockerCommand * RunPollingCommand * SalesforceAskUser * SandboxDetonateFile * SanePdfReports * SbDownload * SbQuery * SbQuota * SbUpload * ScheduleCommand * ScheduleGenericPolling * SCPPullFiles * script-JiraChangeTransition * script-JiraListTransition * SearchIncidentsSummary * SearchIncidentsV2 * SearchIndicator * SearchIndicatorRelationships * SearchIndicators * SecuronixCloseHistoricalXSOARIncidents * SecuronixGetViolations * SendAllPANWIoTAssetsToSIEM * SendAllPANWIoTDevicesToCiscoISE * SendAllPANWIoTDevicesToServiceNow * SendEmailOnSLABreach * SendEmailReply * SendEmailToCampaignRecipients * SendEmailToManager * SendMessageToOnlineUsers * SendPANWIoTDevicesToCiscoISE * SEPCheckOutdatedEndpoints * ServerLogs * ServerLogs_docker * ServiceNowApiModule * ServiceNowCreateIncident * ServiceNowIncidentStatus * ServiceNowQueryIncident * ServiceNowUpdateIncident * Set * SetAndHandleEmpty * SetByIncidentId * SetDateField * SetGridField * SetIfEmpty * SetIRProceduresMarkdown * SetMultipleValues * SetSeverityByScore * SetTagsBySearch * SetThreatVaultIncidentMarkdownRepresentation * SetTime * SetWithTemplate * 
ShowCampaignLastIncidentOccurred * ShowCampaignRecipients * ShowCampaignSenders * ShowCampaignSimilarityRange * ShowCampaignUniqueRecipients * ShowIncidentIndicators * ShowLocationOnMap * ShowOnMap * ShowScheduledEntries * SiemAPIModule * SimpleDebugger * SixgillSearchIndicators * SlackAsk * SlackAskV2 * SlackBlockBuilder * Sleep * SnmpDetection * SortBy * SplitCampaignContext * SplunkCIMFields * SplunkEmailParser * SplunkPySearch * SplunkShowAsset * SplunkShowDrilldown * SplunkShowIdentity * SSDeepReputation * SSDeepSimilarity * SSLVerifierV2 * SSLVerifierV2_GenerateEmailBody * SSLVerifierV2_ParseOutput * STA-FetchListContent * STA-PostProcessing * StaticAnalyze * StixCreator * StixParser * StopScheduledTask * StopTimeToAssignOnOwnerChange * StringContainsArray * StringifyArray * StringLength * StringReplace * Strings * StringToArray * StripAccentMarksFromString * StripChars * SuggestBranchName * SummarizeEmailThreads * TagIndicatorButton * TaniumFilterComputersByIndexQueryFileDetails * TAXII2ApiModule * TextFromHTML * ThreatstreamBuildIocImportJson * ThreeDigitAlphaCountryCodeToCountryName * ticksToTime * TimeComponents * TimersOnOwnerChange * TimeStampCompare * TimeStampToDate * TimeToNextShift * TitaniamFindIncidents * TitaniamPreProcessRule * TitaniamProtectField * TitaniamProtectIncident * TopMaliciousRatioIndicators * ToTable * TransformIndicatorToCSFalconIOC * TransformIndicatorToMSDefenderIOC * TrendmicroAlertStatus * TrendmicroAntiMalwareEventRetrieve * TrendMicroClassifier * TrendMicroGetHostID * TrendMicroGetPolicyID * TrendmicroHostAntimalwareScan * TrendmicroHostRetrieveAll * TrendmicroSecurityProfileAssignToHost * TrendmicroSecurityProfileRetrieveAll * TrendmicroSystemEventRetrieve * TroubleshootGetInstanceParameters * TroubleshootIsDockerImageExists * TroubleshootTestInstance * UnEscapeIPs * UnEscapeURLs * UnitTest * UnitTestCase * UnitTestCasePrep * UnitTestCoverage * UnitTestLoadContext * UnitTestLoadContextList * UnitTestLoadFields * 
MICROSOFT TEAMS

This integration is part of the Microsoft Teams Pack.

Use the Microsoft Teams integration to send messages and notifications to your team members and create meetings. This integration was integrated and tested with version 1.0 of Microsoft Teams.

Note:
* The integration can run built-in Cortex XSOAR commands through a mirrored channel. Pass the command in the chat exactly as you would type it in the Cortex XSOAR CLI.
  For example: !DeleteContext all=yes. Use the mirror-investigation command to create a mirrored channel.
* If you only need to send messages to a specific channel, consider the Microsoft Teams via Webhook integration instead, which has a simpler setup.

INTEGRATION ARCHITECTURE

Data is passed between Microsoft Teams and Cortex XSOAR through the bot that you configure in Microsoft Teams. A webhook (which you also configure) receives the data from Teams and posts it to the messaging endpoint. The web server that the integration runs inside Cortex XSOAR listens on the messaging endpoint and processes the data from Teams. You can use an engine for the communication between Teams and the Cortex XSOAR server.

To mirror messages from Teams to Cortex XSOAR, the bot must be mentioned in the message with the @ symbol.
* Note: if the integration was previously configured without adding the Bot ID and you want to avoid having to mention the bot, repeat the authentication flow and pay particular attention to the following steps:
  * Step 14 in Using the App Studio.
  * Step 5 in Using the Developer Portal.

The web server for the integration runs within a long-running Docker container. Cortex XSOAR maps the Docker port on which the server listens to the host port to which Teams posts messages. For more information, see our documentation and the Docker documentation.
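The messaging endpoint is the one component of this architecture that Microsoft Teams reaches over the public Internet, so it is worth checking it before you register the bot. The following Python preflight check is an added example, not code from the Cortex XSOAR content or from the Microsoft Teams integration. It encodes the constraints that the IMPORTANT INFORMATION section below places on the endpoint: HTTPS only, a host that is publicly reachable (no private, loopback or link-local address), no listener on the default port 443 unless the Cortex XSOAR rerouting URL of the form /instance/execute/<instance-name> is used, and a certificate that chains to a trusted CA (the condition that curl -vI otherwise reports as error 60). The host names, ports and instance name in the sample URLs are constructed for illustration; the URL checks run offline, while the TLS chain check needs network access to the endpoint.

```python
"""Preflight checks for a Microsoft Teams messaging endpoint.

Added example: not part of the Cortex XSOAR content or the Microsoft Teams
integration. The rules come from the IMPORTANT INFORMATION section of the
integration page; the sample URLs below are constructed for illustration.
"""
import ipaddress
import re
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Cortex XSOAR rerouting path: <CORTEX-XSOAR-URL>/instance/execute/<INTEGRATION-INSTANCE-NAME>
REROUTE_PATH = re.compile(r"^/instance/execute/([A-Za-z0-9_.-]+)/?$")


@dataclass
class EndpointCheck:
    url: str
    problems: List[str] = field(default_factory=list)
    rerouted_instance: Optional[str] = None  # set when the rerouting URL form is used

    @property
    def ok(self) -> bool:
        return not self.problems


def validate_messaging_endpoint(url: str, resolve_dns: bool = False) -> EndpointCheck:
    """Offline checks on the endpoint URL. Set resolve_dns=True to also resolve the
    host name and check the addresses it maps to (needs network access)."""
    result = EndpointCheck(url)
    parsed = urlparse(url)

    # Teams posts events over HTTPS, so anything else is unreachable by design.
    if parsed.scheme != "https":
        result.problems.append("Teams posts over HTTPS; the endpoint must use https://")

    host = parsed.hostname
    if not host:
        result.problems.append("the URL has no host")
        return result

    match = REROUTE_PATH.match(parsed.path or "")
    if match:
        result.rerouted_instance = match.group(1)

    # The integration's own web server must not sit on 443 (the Cortex XSOAR server
    # already listens there); 443 is fine only when the rerouting URL is used.
    port = parsed.port or 443
    if port == 443 and not match:
        result.problems.append(
            "port 443 is the Cortex XSOAR server's own port; pick an unused port "
            "or use the /instance/execute/<instance-name> rerouting URL")

    # Private, loopback and link-local addresses cannot be reached from Teams.
    addresses = []
    try:
        addresses.append(ipaddress.ip_address(host))
    except ValueError:  # a host name rather than a literal IP
        if host.lower() == "localhost":
            result.problems.append("localhost is not reachable from Teams")
        elif resolve_dns:
            try:
                for info in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP):
                    addresses.append(ipaddress.ip_address(info[4][0]))
            except socket.gaierror:
                result.problems.append(f"{host} does not resolve")
    for addr in addresses:
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            result.problems.append(f"{addr} is not a public address; Teams cannot reach it")
    return result


def check_certificate_chain(url: str, timeout: float = 5.0) -> List[str]:
    """Live check (needs network): complete a TLS handshake with the endpoint using the
    system CA store, as Teams and `curl -vI` do. A self-signed or otherwise untrusted
    certificate shows up here as a verification failure (curl's error 60)."""
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    context = ssl.create_default_context()  # CA-store verification plus host name check
    problems: List[str] = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                tls.getpeercert()  # handshake done: chain and host name were verified
    except ssl.SSLCertVerificationError as exc:
        problems.append(f"certificate not trusted ({exc.verify_message}); Microsoft will reject it")
    except (OSError, ssl.SSLError) as exc:
        problems.append(f"TLS handshake with {host}:{port} failed: {exc}")
    return problems


if __name__ == "__main__":
    # Constructed sample endpoints: one per setup style on this page, plus common mistakes.
    samples = [
        "https://my.demisto.live/instance/execute/teams",  # rerouting URL, 443 allowed
        "https://xsoar.example.com:7000",                   # direct or reverse-proxied port
        "https://xsoar.example.com",                        # 443 without rerouting
        "http://xsoar.example.com:7000",                    # plain HTTP
        "https://10.0.0.5:7000",                            # private address
    ]
    for sample in samples:
        check = validate_messaging_endpoint(sample)
        print(f"{sample}: {'OK' if check.ok else '; '.join(check.problems)}")
```

Run the offline checks against the endpoint you intend to register, then call check_certificate_chain on it from a machine outside the Cortex XSOAR environment, which mirrors the page's advice to test reachability from a disconnected network; an empty list from both means Teams should be able to deliver events to it.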
PROTOCOL DIAGRAM

IMPORTANT INFORMATION

* The messaging endpoint must be one of the following:
  * the URL of the Cortex XSOAR server, including the configured port
  * the Cortex XSOAR rerouting URL that you defined for your Microsoft Teams instance (see the Using Cortex XSOAR rerouting section for details)
  * a proxy that forwards the messages received from Teams to the Cortex XSOAR server (see the Using NGINX as reverse proxy section for details)
* Microsoft Teams sends events to the messaging endpoint over HTTPS, so the messaging endpoint must be reachable from Microsoft Teams. It therefore cannot be a private IP address or a DNS name that blocks requests from Microsoft Teams. To verify that the messaging endpoint is open as expected, browse to it from an environment that is disconnected from the Cortex XSOAR environment.
* The port must be open for inbound communication and must not already be in use, meaning no other service is listening on it. Therefore the default port, 443, should not be used.
* For additional security, we recommend placing the Teams integration web server behind a reverse proxy (such as NGINX).
* By default, the web server that the integration starts serves HTTP. For communication over HTTPS you need to provide a certificate and private key in the following format:

  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----

  -----BEGIN PRIVATE KEY-----
  ...
  -----END PRIVATE KEY-----

* You must not set a certificate or private key if you are using the Cortex XSOAR rerouting setup.
* Microsoft does not support self-signed certificates and requires a certificate that chains to a trusted CA.
  To verify which certificate is used, run the following (replace {MESSAGING-ENDPOINT} with the messaging endpoint):

  curl {MESSAGING-ENDPOINT} -vI

  Make sure the output does not contain the following:

  curl: (60) SSL certificate problem: self signed certificate

* The following domains are used by this integration:
  * microsoft.com
  * botframework.com
  * microsoftonline.com

SETUP EXAMPLES

1. USING CORTEX XSOAR REROUTING

In this configuration, we use the Cortex XSOAR functionality that reroutes HTTPS requests hitting the default port (443) to the web server that the integration spins up.

The messaging endpoint needs to be <CORTEX-XSOAR-URL>/instance/execute/<INTEGRATION-INSTANCE-NAME>, e.g. https://my.demisto.live/instance/execute/teams

The integration instance name (teams in this example) must be the one configured in the Configure Microsoft Teams on Cortex XSOAR step. The port configured in that step should be any available port that is not used by another service.

In addition, make sure Instance execute external is enabled:
1. In Cortex XSOAR, go to Settings > About > Troubleshooting.
2. In the Server Configuration section, verify that the instance.execute.external.<INTEGRATION-INSTANCE-NAME> key (instance.execute.external.teams in this example) is set to true. If this key does not exist, click + Add Server Configuration, add instance.execute.external.<INTEGRATION-INSTANCE-NAME> and set its value to true. See the following reference article for further information.
* Note: This option is available from Cortex XSOAR v5.5.0 and later.

2. USING NGINX AS REVERSE PROXY

In this configuration, the inbound connection from Microsoft Teams to Cortex XSOAR goes through a reverse proxy (e.g. NGINX), which relays the HTTPS requests posted by Microsoft Teams to the Cortex XSOAR server over HTTP.
On NGINX, configure the following:
* the SSL certificate and key under ssl_certificate and ssl_certificate_key
* the Cortex XSOAR server (including the port) under proxy_pass, e.g. http://mydemistoinstance.com:7000

Follow the Configuring Upstream Servers NGINX guide for more details.

The port (7000 in this example) to which the reverse proxy forwards the traffic over HTTP must be the same port you specify in the integration instance configuration, because the web server the integration spins up listens on that port.

3. USING APACHE REVERSE PROXY AND CORTEX XSOAR ENGINE

In this configuration, the inbound connection from Microsoft Teams to Cortex XSOAR goes through a reverse proxy (e.g. Apache), and possibly a load balancer, which relays the HTTPS requests posted by Microsoft Teams over HTTP to a Cortex XSOAR engine, which can be placed in a DMZ.

The port (7000 in this example) to which the reverse proxy forwards the traffic over HTTP must be the same port you specify in the integration instance configuration, because the web server the integration spins up listens on that port.

4. USING CLOUDFLARE

In this configuration, we use the Cloudflare proxy. The messaging endpoint should be the Cortex XSOAR URL, which needs to be hosted on Cloudflare, with the port to which the Cloudflare proxy directs the HTTPS traffic, e.g. https://mysite.com:8443

In the Configure Microsoft Teams on Cortex XSOAR step, configure the following:
* the port selected above
* a certificate and key for the HTTPS web server. This certificate can be self-signed: the Cloudflare proxy terminates the HTTPS traffic, presents a public CA certificate to Teams, and then proxies the request to the web server.

All HTTPS traffic that hits the selected messaging endpoint is directed to the HTTPS web server the integration spins up and is then processed.

SETUP VIDEO
You can download the video at: https://github.com/demisto/content-assets/blob/master/Assets/MicrosoftTeams/FullConfigVideo.mov?raw=true

## Old Setup Video (use the above video)

You can download the video at: https://github.com/demisto/content-assets/raw/845c0d790ceb4fbac08c5c7852b2a3bed0829778/Assets/MicrosoftTeams/config.mp4

## Prerequisites

Before you can create an instance of the Microsoft Teams integration in Cortex XSOAR, you need to complete the following procedures.

1. Create the Demisto Bot in Microsoft Teams
2. Grant the Demisto Bot Permissions in Microsoft Graph
3. Configure Microsoft Teams on Cortex XSOAR
4. Add the Demisto Bot to a Team

### Note: Microsoft App Studio is being phased out and will be deprecated on January 1, 2022. It is replaced by Microsoft Developer Portal. Steps 1 and 4 differ if using the App Studio or the Developer Portal.

### Create the Demisto Bot in Microsoft Teams

#### Creating the Demisto Bot for production environment using Microsoft Azure Portal (recommended)

1. Navigate to the Create an Azure Bot page.
2. In the **Bot Handle** field, type `Demisto Bot`.
3. Fill in the required **Subscription** and **Resource Group**, relevant links: Subscription, Resource Groups.
4. For **Type of App**, select **Multi Tenant**.
5. For **Creation type**, select **Create new Microsoft App ID** if you don't already have an app registration; otherwise, select **Use existing app registration** and fill in your App ID.
6. Click **Review + Create**, and wait for the validation to pass.
7. Click **Create** if the validation has passed, and wait for the deployment to finish.
8. Under **Next Steps**, click **Go to resource**.
9. Navigate to **Configuration** on the left bar, and fill in the **Messaging Endpoint**.
10. Store the **Microsoft App ID** value for the next steps, and navigate to **Manage** next to it.
11. Click **New Client Secret**, fill in the **Description** and **Expires** fields as desired. Then click **Add**.
12. Copy the client secret from the **Value** field and store it for the next steps.
13. Go back to the previous page, and navigate to **Channels** in the left bar.
14. Click **Microsoft Teams** under **Available Channels**, click the checkbox, click **Agree**, then click **Apply**.

Note: in step 5, if you choose **Use existing app registration**, make sure to delete the previously created bot with the same App ID, and remove it from the team it was added to as well.

#### Creating the Demisto Bot for development environment using the Developer Portal (recommended to use the Azure Portal method mentioned above; this method will be removed soon)

1. Navigate to the Tools in the Microsoft Developer Portal.
2. Navigate to **Bot management**.
3. Click the **+New Bot** button.
4. Fill in `Demisto Bot` in the prompt, click the **Add** button, and wait a few seconds until the bot is created.
5. Record the **Bot ID** of Demisto Bot for the next steps.
6. Click on the line where Demisto Bot shows under the **Bot Name**.
7. Navigate to **Configure** and fill in the **Bot endpoint address**.
8. Navigate to **Client Secrets**, click the **Add a client secret for your bot** button, and wait a few seconds to allow the secret to be generated.
9. Store the generated secret securely for the next steps.

#### Using the App Studio for development environment (deprecated - use Developer Portal instead.)

1. Download the ZIP file located at the bottom of this article.
2. In Microsoft Teams, access the Store.
3. Search for and click **App Studio**.
4. Click the **Open** button.
5. For the Bot option, click **Open**.
6. Click the **Manifest editor** tab.
7. Click the **Import an existing app** button, and select the ZIP file that you downloaded.
8. Click the app widget, and in the **Identification** section, click the **Generate** button to generate a unique App ID. The following parameters are automatically populated in the ZIP file; use this information for reference.
   * Short name: Demisto Bot
   * App ID: the App ID for configuring in Cortex XSOAR.
   * Package name: demisto.bot (this is a unique identifier for the app in the Store)
   * Version: 1.0.0 (this is a unique identifier for the app in the Store)
   * Short description: Mechanism for mirroring between Cortex XSOAR and Microsoft Teams.
   * Long description: Demisto Bot is the mechanism that enables messaging team members and channels, executing Cortex XSOAR commands directly from Teams, and mirroring investigation data between Cortex XSOAR and Microsoft Teams.
9. From the left-side navigation pane, under **Capabilities**, click **Bots > Set up**.
10. Configure the settings under the **Scope** section, and click **Create bot**.
    * In the **Name** field, enter `Demisto Bot`.
    * In the **Scope** section, select the following checkboxes: **Personal**, **Team**, and **Group Chat**.
11. Record the Bot ID, which you will need when configuring the integration in Cortex XSOAR.
12. Click **Generate new password**. Record the password, which you will need when configuring the integration in Cortex XSOAR.
13. In the **Messaging endpoints** section, enter the URL to which messages will be sent (to the Demisto Bot).
    * To enable calling capabilities on the Bot, enter the same URL in the **Calling endpoints** section.
14. In the **Domain and permissions** section, under **AAD App ID**, enter the Bot ID.
15. From the left-side navigation pane, under **Finish**, click **Test and distribute**.
16. To download the new bot file, which now includes App Details, click **Download**.
17. Navigate to **Store**, click **Upload a custom app > Upload for ORGANIZATION-NAME**, and select the ZIP file you downloaded.

### In order to connect to the Azure Network Security Groups use one of the following methods:

1. Client Credentials Flow
2. Authorization Code Flow

### Client Credentials Flow

#### Grant the Demisto Bot Permissions in Microsoft Graph

1. Go to your Microsoft Azure portal, and from the left navigation pane select **Azure Active Directory > App registrations**.
2. Search for and click **Demisto Bot**.
3. Click **API permissions > Add a permission > Microsoft Graph > Application permissions**.
4. For the following permissions, search for the permission, select the checkbox, and click **Add permissions**.
   * User.Read.All
   * Group.ReadWrite.All
   * Calls.Initiate.All
   * Calls.InitiateGroupCall.All
   * OnlineMeetings.ReadWrite.All
   * ChannelMember.ReadWrite.All
   * Channel.Create
5. Verify that all permissions were added, and click **Grant admin consent for Demisto**.
6. When prompted to verify granting permissions, click **Yes**, and verify that permissions were successfully added.

#### Authentication using the Client Credentials flow

1. Choose the 'Client Credentials' option in the **Authentication Type** parameter.
2. Enter your Client/Application ID in the **Bot ID** parameter.
3. Enter your Client Secret in the **Bot Password** parameter.
4. Save the instance.

### Authorization Code Flow

#### Grant the Demisto Bot Permissions in Microsoft Graph

1. Go to your Microsoft Azure portal, and from the left navigation pane select **Azure Active Directory > App registrations**.
2. Search for and click **Demisto Bot**.
3. Click **API permissions > Add a permission > Microsoft Graph > Application permissions**.
4. For the following permissions, search for the permission, select the checkbox and click **Add permissions**.

   Required application permissions:
   * User.Read.All
   * Group.ReadWrite.All
   * OnlineMeetings.ReadWrite.All
   * ChannelMember.ReadWrite.All
   * Channel.Create
   * Chat.Create

   Required delegated permissions:
   * ChannelMessage.Send
   * Chat.ReadWrite
   * ChatMessage.Send
   * Group.ReadWrite.All
   * Channel.Create
   * ChannelSettings.ReadWrite.All
   * ChatMember.ReadWrite
   * Chat.Create

5. Verify that all permissions were added, and click **Grant admin consent for Demisto**.
6. When prompted to verify granting permissions, click **Yes**, and verify that permissions were successfully added.
7. Click **Expose an API** and add an **Application ID URI**.
8. Click **Expose an API > Add a scope** and add the following scopes:
   * Chat.ReadWrite
   * ChatMessage.Send
   * ChannelSettings.ReadWrite.All
   * ChannelMember.Read.All
9. Click **Authentication > Platform configurations > Add a platform**. Choose **Web** and add the Redirect URI: `https://login.microsoftonline.com/common/oauth2/nativeclient`

#### Authentication using the Authorization Code flow

1. Choose the 'Authorization Code' option in the **Authentication Type** parameter.
2. Enter your Client/Application ID in the **Bot ID** parameter.
3. Enter your Client Secret in the **Bot Password** parameter.
4. Enter your Application redirect URI in the **Application redirect URI** parameter.
5. Copy the following URL and replace `TENANT_ID`, `CLIENT_ID` and `REDIRECT_URI` with your own tenant ID, client ID and redirect URI, accordingly:

   ```
   https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?response_type=code&response_mode=query&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&state=12345
   ```

   When prompted, accept the Microsoft authorization request for the required permissions. You will be automatically redirected to a link with the following structure:

   ```
   REDIRECT_URI?code=AUTH_CODE&state=12345&session_state=SESSION_STATE
   ```

6. Copy the `AUTH_CODE` (without the "code=" prefix) and paste it in your instance configuration under the **Authorization code** parameter.
7. Save the instance.
8. Run the `!microsoft-teams-auth-test` command. A 'Success' message should be printed to the War Room.

### Configure Microsoft Teams on Cortex XSOAR

1. Navigate to **Settings > Integrations > Servers & Services**.
2. Search for Microsoft Teams.
3. Click **Add instance** to create and configure a new integration instance.

   | Parameter | Description | Required |
   | --- | --- | --- |
   | Name | The integration instance name. If using the Cortex XSOAR rerouting configuration, insert here the instance name you configured in the messaging endpoint. | True |
   | Bot ID | Bot ID. | True |
   | Bot Password | Bot Password. | True |
   | Tenant ID | | False |
   | Authentication Type | | True |
   | Application redirect URI (for Authorization Code mode) | | False |
   | Authorization code | For Authorization Code flow mode. Received from the authorization step. See the Detailed Instructions (?) section. | False |
   | Default team | The team to which messages and notifications are sent. If a team is specified as a command argument, it overrides this parameter. | True |
   | Notifications channel | | True |
   | Certificate (Required for HTTPS) | | False |
   | Private Key (Required for HTTPS) | | False |
   | Minimum incident severity to send notifications to Teams by | | False |
   | Disable Automatic Notifications | Whether to disable automatic notifications to the configured notifications channel. | False |
   | Allow external users to create incidents via direct message | | False |
   | The header of an external form hyperlink. | | False |
   | Trust any certificate (not secure) | | False |
   | Use system proxy settings | | False |
   | Long running instance | | False |
   | Listen port, e.g., 7000 (Required for investigation mirroring and direct messages) | longRunningPort | False |
   | Incident type | Incident type. | False |

4. Click **Test** to validate the URLs, token, and connection.
5. Click the **Save & exit** button.

### Add the Demisto Bot to a Team

* Note: the following needs to be done after configuring the integration on Cortex XSOAR (the previous step).

#### Using the Developer Portal

1. Download the ZIP file located at the bottom of this article.
2. Uncompress the ZIP file. You should see 3 files (`manifest.json`, `color.png` and `outline.png`).
3. Open the `manifest.json` file that was extracted from the ZIP file.
4. In the `id`, replace the value of the attribute with the value of the Bot ID from step 5 of the Create the Demisto Bot in Microsoft Teams section.
5. In the `bots` list, replace the value of the `botId` attribute with the value of the Bot ID from step 5 of the Create the Demisto Bot in Microsoft Teams section.
6. In the `webApplicationInfo`, replace the value of the `id` attribute with the value of the Bot ID from step 5 of the Create the Demisto Bot in Microsoft Teams section.
7. Compress the 3 files (the modified `manifest.json` file, `color.png` and `outline.png`).
8. Navigate to **Manage Apps** in the Microsoft Teams admin center.
9. Click the **+Upload** button.
10. In the pop-up window, click the **Upload** button.
11. Browse for the ZIP file you created in step 7, open it, and wait a few seconds until it loads.
12. Search for Demisto Bot.
13. In the line where Demisto Bot shows under **Name**, tick the V on the left.
14. Click the **Add to team** button.
15. In the search box, type the name of the team to which you want to add the bot.
16. Click the **Add** button on the wanted team and then click the **Apply** button.

#### Using the App Studio (deprecated - use Developer Portal instead.)

1. In Microsoft Teams, access the Store.
2. Search for Demisto Bot and click the Demisto Bot widget.
3. Click the arrow on the **Open** button and select **Add to a team**.
4. In the search box, type the name of the team to which to add the bot.
5. Click **Set up** and configure the new app.

## Known Limitations

---

* In some cases, you might encounter a problem where no communication is created between Teams and the messaging endpoint when adding a bot to the team. You can work around this problem by adding any member to the team the bot was added to. It will trigger a communication and solve the issue.
* The `microsoft-teams-ring-user` command is only supported when using the Client Credentials flow due to a limitation in Microsoft's permissions system.
* In addition, the chat commands are only supported when using the Authorization Code flow.
* Posting a message or adaptive card to a private/shared channel is currently not supported in the `send-notification` command. Thus, the `mirror-investigation` command also does not support private/shared channels. For more information, see Microsoft General known issues and limitations.
* In case of multiple chats/users sharing the same name, the first one will be taken.
* See Microsoft documentation for Limits and specifications for Microsoft Teams.
* If a non-Cortex XSOAR user ran the new incident command in the chat with the bot, the owner of the created incident would be the logged-in Cortex XSOAR user, not the external user who ran the command.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### send-notification

---

Sends a message to the specified teams. To mention a user in the message, add a semicolon ";" at the end of the user mention. For example: `@Bruce Willis;`

#### Base Command

`send-notification`

#### Required Permissions

Group.Read.All

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| channel | The channel to which to send messages. Supports only standard channels. | Optional |
| message | The message to send to the channel or team member. | Optional |
| team_member | Display name or email address of the team member to send the message to. | Optional |
| team | The team in which the specified channel exists. The team must already exist, and this value will override the default channel configured in the integration parameters. | Optional |
| adaptive_card | The Microsoft Teams adaptive card to send. | Optional |
| to | The team member to which to send the message. | Optional |
| external_form_url_header | The header of an external form hyperlink. | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

```
!send-notification channel=General message="hello world!" team=DemistoTeam
```

#### Human Readable Output

Message was sent successfully.
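The authorize URL and redirect from the Authentication using the Authorization Code flow section above, worked through in Python as an added example (this is not code from the Cortex XSOAR Microsoft Teams integration). It builds the URL with the same `response_type`, `response_mode` and `scope` values as the page's template, generates a random single-use `state` instead of the fixed `12345`, and returns `AUTH_CODE` from the redirect only when the state it carries matches the one that was sent. The tenant, client ID and redirect URI values in the `__main__` block and the assumed function names are placeholders chosen for the example.

```python
"""Build the authorize URL and read the redirect for the Authorization Code
flow described above.

Added example, not code from the Cortex XSOAR Microsoft Teams integration.
TENANT_ID, CLIENT_ID and REDIRECT_URI are constructed placeholders.
"""
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
# Same scope the page's URL requests: a refresh token plus Graph /.default.
SCOPE = "offline_access https://graph.microsoft.com/.default"


def _quote_all(value, safe, encoding, errors):
    # urlencode's default quote_plus turns spaces into "+" and keeps "/";
    # the page's URL has %20 and %2F, so percent-encode every reserved char.
    return quote(value, safe="", encoding=encoding, errors=errors)


def build_authorize_url(tenant_id: str, client_id: str, redirect_uri: str,
                        state: Optional[str] = None) -> Tuple[str, str]:
    """Return (url, state).

    The page's template carries state=12345. Here the state is a random,
    single-use value unless the caller supplies one, so the redirect can be
    matched to the request that produced it (see extract_auth_code).
    """
    if state is None:
        state = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "response_mode": "query",
        "scope": SCOPE,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    query = urlencode(params, quote_via=_quote_all)
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{query}", state


def extract_auth_code(redirect_url: str, expected_state: str) -> str:
    """Take REDIRECT_URI?code=AUTH_CODE&state=...&session_state=... and return
    AUTH_CODE (without the "code=" prefix), refusing the redirect when the
    state does not match or the authorization server reported an error."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this request")
    if "code" not in query:
        raise ValueError("redirect carries no code parameter")
    return query["code"][0]


if __name__ == "__main__":
    # Placeholder values; substitute your own tenant, client ID and redirect URI.
    url, state = build_authorize_url(
        "TENANT_ID", "CLIENT_ID",
        "https://login.microsoftonline.com/common/oauth2/nativeclient")
    print("open this URL in a browser:", url)
    print("then pass the redirect URL and state", state, "to extract_auth_code()")
```

Pass the redirect URL the browser lands on to `extract_auth_code()` together with the state returned by `build_authorize_url()`; the value it returns is what goes into the Authorization code parameter.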
### mirror-investigation

---

Mirrors the Cortex XSOAR investigation to the specified Microsoft Teams channel. Supports only standard channels.

Note: Mirrored channels can be used to run Cortex XSOAR built-in commands.

#### Base Command

`mirror-investigation`

#### Required Permissions

Group.ReadWrite.All

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| mirror_type | The mirroring type. Can be "all", which mirrors everything, "chat", which mirrors only chats (not commands), or "none", which stops all mirroring. Possible values are: all, chat, none. Default is all. | Optional |
| autoclose | Whether to auto-close the channel when the incident is closed in Cortex XSOAR. If "true", the channel will be auto-closed. Possible values are: true, false. Default is true. | Optional |
| direction | The mirroring direction. Possible values are: Both, FromDemisto, ToDemisto. Default is both. | Optional |
| team | The team in which to mirror the Cortex XSOAR investigation. If not specified, the default team configured in the integration parameters will be used. | Optional |
| channel_name | The name of the channel. The default is "incident-INCIDENTID". | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

```
!mirror-investigation mirror_type=all autoclose=true direction=Both
```

#### Human Readable Output

Investigation mirrored successfully in channel incident-100.

### Delete a channel

---

Deletes the specified Microsoft Teams channel.

#### Base Command

`close-channel`

#### Required Permissions

Group.ReadWrite.All

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| channel | The name of the channel to close. | Optional |
| team | The channel's team. | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

```
!close-channel channel="example channel"
```

#### Human Readable Output

Channel was successfully closed.
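The `manifest.json` edits in the Add the Demisto Bot to a Team section above (Using the Developer Portal, steps 3 to 7), as an added Python script rather than the pack's own tooling: it writes the Bot ID into `id`, `bots[].botId` and `webApplicationInfo.id`, refuses a value that is not a GUID, and rebuilds the three-file ZIP. `SAMPLE_MANIFEST` is a constructed stand-in shaped like a Teams app manifest, not the contents of the downloadable ZIP, and the Bot ID in `demo_repackage()` is a constructed placeholder.

```python
"""Apply the manifest.json edits from the Add the Demisto Bot to a Team
procedure (Using the Developer Portal, steps 3 to 7) and rebuild the ZIP.

Added example, not the pack's own tooling. SAMPLE_MANIFEST is a constructed
stand-in for the manifest in the downloadable ZIP; the Bot ID used in the
demo is a constructed placeholder.
"""
import json
import re
import tempfile
import zipfile
from pathlib import Path

# The Bot ID is the Microsoft App ID, a GUID: reject anything else so a pasted
# secret or an empty string cannot end up in the package.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
PACKAGE_FILES = ("manifest.json", "color.png", "outline.png")

# Constructed sample shaped like a Teams app manifest; not the page's ZIP.
SAMPLE_MANIFEST = {
    "id": "00000000-0000-0000-0000-000000000000",
    "packageName": "demisto.bot",
    "version": "1.0.0",
    "name": {"short": "Demisto Bot"},
    "bots": [{"botId": "00000000-0000-0000-0000-000000000000",
              "scopes": ["personal", "team", "groupchat"]}],
    "webApplicationInfo": {"id": "00000000-0000-0000-0000-000000000000"},
}


def set_bot_id(manifest: dict, bot_id: str) -> dict:
    """Return a copy with the Bot ID in the three places the procedure names:
    id (step 4), bots[].botId (step 5) and webApplicationInfo.id (step 6)."""
    if not GUID_RE.match(bot_id):
        raise ValueError("Bot ID must be a GUID (the Microsoft App ID): %r" % bot_id)
    updated = json.loads(json.dumps(manifest))  # deep copy; input stays untouched
    updated["id"] = bot_id
    for bot in updated.get("bots", []):
        bot["botId"] = bot_id
    updated.setdefault("webApplicationInfo", {})["id"] = bot_id
    return updated


def bot_id_fields(manifest: dict) -> set:
    """Every place a bot ID occurs, so a caller can confirm they all agree."""
    ids = {manifest.get("id"), manifest.get("webApplicationInfo", {}).get("id")}
    ids.update(bot.get("botId") for bot in manifest.get("bots", []))
    return ids


def repackage(app_dir: Path, bot_id: str, out_zip: Path) -> list:
    """Rewrite app_dir/manifest.json and zip the three files (step 7) with no
    directory prefix. Returns the archive's member names."""
    manifest_path = app_dir / "manifest.json"
    updated = set_bot_id(json.loads(manifest_path.read_text()), bot_id)
    manifest_path.write_text(json.dumps(updated, indent=2))
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in PACKAGE_FILES:
            zf.write(app_dir / name, arcname=name)
    with zipfile.ZipFile(out_zip) as zf:
        return zf.namelist()


def demo_repackage(bot_id: str = "3f2504e0-4f89-11d3-9a0c-0305e82c3301") -> list:
    """Run the whole procedure on a scratch copy of the constructed sample."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp)
        (app_dir / "manifest.json").write_text(json.dumps(SAMPLE_MANIFEST))
        for png in ("color.png", "outline.png"):
            (app_dir / png).write_bytes(b"\x89PNG\r\n\x1a\n")  # constructed stub
        names = repackage(app_dir, bot_id, app_dir / "DemistoBot.zip")
        final = json.loads((app_dir / "manifest.json").read_text())
        if bot_id_fields(final) != {bot_id}:
            raise RuntimeError("manifest fields disagree after update")
        return names


if __name__ == "__main__":
    print(demo_repackage())
```

Point `repackage()` at the directory where the downloaded ZIP was uncompressed; the resulting archive is the one to upload in step 11, and `bot_id_fields()` gives a quick check that all three fields carry the same Bot ID before uploading.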
### Get information on the integration status

---

Returns real-time and historical data on the integration status.

#### Base Command

`microsoft-teams-integration-health`

#### Input

There are no input arguments for this command.

#### Context Output

There is no context output for this command.

#### Command Example

```
!microsoft-teams-integration-health
```

#### Human Readable Output

##### Microsoft API Health

| Bot Framework API Health | Graph API Health |
| --- | --- |
| Operational | Operational |

No mirrored channels.

### Ring a user's Teams account

---

Rings a user's Teams account. Note: This is a ring only! No media will play if the generated call is answered. To use this command, make sure your bot has the following permissions: Calls.Initiate.All and Calls.InitiateGroupCall.All.

#### Base Command

`microsoft-teams-ring-user`

#### Required Permissions

* Calls.Initiate.All
* Calls.InitiateGroupCall.All

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The display name of the member to call. | Required |

#### Context Output

There is no context output for this command.

#### Command Example

```
!microsoft-teams-ring-user username="Avishai Brandeis"
```

#### Human Readable Output

Calling Avishai Brandeis

### Add a user to a channel

---

Adds a member (user) to a private/shared channel. For a comparison of Teams features for each channel type, see the Microsoft documentation: Channel feature comparison.

#### Base Command

`microsoft-teams-add-user-to-channel`

#### Required Permissions

* User.Read.All
* ChannelMember.ReadWrite.All

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| channel | The channel to which to add the member. | Required |
| team | The channel's team. | Required |
| member | The display name of the member to add to the channel. | Required |
| owner | Whether to add the member with the owner role. Default is 'false'. | Optional |

#### Context Output

There is no context output for this command.
#### Command Example

```
!microsoft-teams-add-user-to-channel channel="example channel" member=itayadmin team=DemistoTeam
```

#### Human Readable Output

The User "itayadmin" has been added to channel "example channel" successfully.

### Create a channel

---

Creates a new channel in a Microsoft Teams team. For more information about the channel types, see the Microsoft documentation: standard, private, or shared channels. See also Channel feature comparison.

#### Base Command

`microsoft-teams-create-channel`

#### Required Permissions

* Group.ReadWrite.All
* Channel.Create

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| channel_name | The name of the channel. | Required |
| description | The description of the channel. | Optional |
| team | The team in which to create the channel. | Required |
| membership_type | The type of the channel. Possible values are: private, standard, shared. Default is standard. | Optional |
| owner_user | The channel owner (Display name/mail/UPN). | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

```
!microsoft-teams-create-channel channel_name="example channel" team=DemistoTeam description="this is my new channel"
```

#### Human Readable Output

The channel "example channel" was created successfully

### Create a meeting

---

Creates a new meeting in Microsoft Teams.

#### Base Command

`microsoft-teams-create-meeting`

#### Required Permissions

OnlineMeetings.ReadWrite.All

Besides setting up this permission, in order to create a meeting the Azure admin needs to configure an application access policy and grant users permission to create meetings. The script ConfigureAzureApplicationAccessPolicy was created to support the needed commands.
For more information: Allow applications to access online meetings on behalf of a user.

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| start_time | The meeting start time in ISO 8601 format, e.g., "2019-07-12T14:30:34.2444915-07:00". | Optional |
| end_time | The meeting end time in ISO 8601 format, e.g., "2019-07-12T14:30:34.2444915-07:00". | Optional |
| subject | The meeting subject. | Required |
| member | Display name/mail/UPN of the user who created the meeting, e.g., Adam Smith. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftTeams.CreateMeeting.creationDateTime | Date | Meeting creation time. |
| MicrosoftTeams.CreateMeeting.threadId | String | Meeting thread ID. |
| MicrosoftTeams.CreateMeeting.messageId | String | Meeting message ID. |
| MicrosoftTeams.CreateMeeting.id | String | Meeting ID. |
| MicrosoftTeams.CreateMeeting.joinWebUrl | String | The URL to join the meeting. |
| MicrosoftTeams.CreateMeeting.participantId | String | The meeting participants. |
| MicrosoftTeams.CreateMeeting.participantDisplayName | String | The display name of the participants. |

#### Command Example

```
!microsoft-teams-create-meeting member="example user" subject="Important meeting"
```

#### Human Readable Output

The meeting "Important meeting" was created successfully

### microsoft-teams-user-remove-from-channel

---

Removes a member (user) from a private/shared channel.

#### Base Command

`microsoft-teams-user-remove-from-channel`

#### Required Permissions

ChannelMember.ReadWrite.All - Application

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| channel_name | The name of the channel. | Required |
| team | The name of the channel's team. | Required |
| member | The display name of the member to remove from the channel. | Required |

#### Context Output

There is no context output for this command.

#### Command Example

```
!microsoft-teams-user-remove-from-channel channel_name="example channel" member=itayadmin team=DemistoTeam
```

#### Human Readable Output

The User "itayadmin" has been removed from channel "example channel" successfully.
### microsoft-teams-channel-user-list

---

Retrieves a list of members from a channel.

#### Base Command

`microsoft-teams-channel-user-list`

#### Required Permissions

* ChannelMember.Read.All - Application
* ChannelMember.ReadWrite.All - Application

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| channel_name | The name of the channel. | Required |
| team | The name of the channel's team. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftTeams.ChannelList.channelId | String | The channel ID. |
| MicrosoftTeams.ChannelList.channelName | String | The name of the channel. |
| MicrosoftTeams.ChannelList.members.displayName | String | The display name of the members. |
| MicrosoftTeams.ChannelList.members.email | String | The email of the members. |
| MicrosoftTeams.ChannelList.members.id | String | The ID of the members. |
| MicrosoftTeams.ChannelList.members.roles | String | The roles of the members. |
| MicrosoftTeams.ChannelList.members.tenantId | String | The tenant ID of the members. |
| MicrosoftTeams.ChannelList.members.userId | String | The user ID of the members. |
| MicrosoftTeams.ChannelList.members.visibleHistoryStartDateTime | String | The timestamp denoting how far back a conversation's history is shared with the conversation member. |

#### Command Example

```
!microsoft-teams-channel-user-list channel_name="example channel" team=DemistoTeam
```

#### Human Readable Output

##### Channel 'example channel' members list:

| User Id | Email | Tenant Id | Membership id | User roles | Display Name | Start DateTime |
| --- | --- | --- | --- | --- | --- | --- |
| 359d2c3c-162b-414c-b2eq-386461e5l050 | test@gmail.com | pbae9ao6-01ql-249o-5me3-4738p3e1m941 | MmFiOWM3OTYtMjkwMi00NWY4LWI3MTItN2M1YTYzY2Y0MWM0IyNlZWY5Y2IzNi0wNmRlLTQ2OWItODdjZC03MGY0Y2JlMzJkMTQ= | owner | itayadmin | 0001-01-01T00:00:00Z |

### microsoft-teams-chat-create

---

Creates a new chat.

Note: Only one oneOnOne chat can exist between two members. If a oneOnOne chat already exists, it will be returned.
#### Base Command

`microsoft-teams-chat-create`

#### Required Permissions

* Chat.Create - Delegated, Application
* Chat.ReadWrite - Delegated
* TeamsAppInstallation.ReadWriteForChat - Delegated
* TeamsAppInstallation.ReadWriteSelfForChat - Delegated
* TeamsAppInstallation.ReadWriteSelfForChat.All - Application
* TeamsAppInstallation.ReadWriteForChat.All - Application

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| chat_type | Specifies the type of chat. Possible values are: group, oneOnOne. Default is group. | Required |
| member | Display name/mail/UPN of the user that should be added to the chat. Can be an array. | Optional |
| chat_name | The title of the chat. The chat title can be provided only if the chat is of group type. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftTeams.ChatList.chatId | String | The chat's unique identifier. |
| MicrosoftTeams.ChatList.topic | String | Subject or topic for the chat. Only available for group chats. |
| MicrosoftTeams.ChatList.createdDateTime | String | Date and time at which the chat was created. |
| MicrosoftTeams.ChatList.lastUpdatedDateTime | String | Date and time at which the chat was renamed or the list of members was last changed. |
| MicrosoftTeams.ChatList.chatType | String | Specifies the type of chat. |
| MicrosoftTeams.ChatList.webUrl | String | The URL for the chat in Microsoft Teams. The URL should be treated as an opaque blob, and not parsed. |
| MicrosoftTeams.ChatList.tenantId | String | The identifier of the tenant in which the chat was created. |
| MicrosoftTeams.ChatList.viewpoint | String | Represents caller-specific information about the chat, such as last message read date and time. |
| MicrosoftTeams.ChatList.onlineMeetingInfo | String | Represents details about an online meeting. If the chat isn't associated with an online meeting, the property is empty. |
#### Command Example

```
!microsoft-teams-chat-create chat_type=group member="itayadmin, Bruce Willis" chat_name="example chat"
```

#### Human Readable Output

##### The chat 'example chat' was created successfully

| Chat Id | Chat name | Created Date Time | Last Updated Date Time | webUrl | Tenant Id |
| --- | --- | --- | --- | --- | --- |
| 19:2da4c29f6d7041eca70b638b43d45437@thread.v2 | example chat | 2023-01-08T07:51:53.07Z | 2023-01-08T07:51:53.07Z | webUrl | pbae9ao6-01ql-249o-5me3-4738p3e1m941 |

### microsoft-teams-message-send-to-chat

---

Sends a new chat message in the specified chat.

#### Base Command

`microsoft-teams-message-send-to-chat`

#### Required Permissions

* ChatMessage.Send - Delegated
* Chat.ReadWrite - Delegated
* TeamsAppInstallation.ReadWriteForChat - Delegated
* TeamsAppInstallation.ReadWriteSelfForChat - Delegated
* TeamsAppInstallation.ReadWriteSelfForChat.All - Application
* TeamsAppInstallation.ReadWriteForChat.All - Application

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| chat | The chat ID / group chat name (topic) / oneOnOne member (Display name/mail/UPN). | Required |
| content | The content of the chat message. | Required |
| content_type | The message content type. Possible values are: text, html. Default is text. | Optional |
| message_type | The type of chat message. Default is message. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftTeams.ChatList.chatId | String | The chat's unique identifier. |
| MicrosoftTeams.ChatList.messages.id | String | Unique ID of the message. |
| MicrosoftTeams.ChatList.messages.replyToId | String | ID of the parent chat message or root chat message of the thread. |
| MicrosoftTeams.ChatList.messages.etag | String | Version number of the chat message. |
| MicrosoftTeams.ChatList.messages.messageType | String | The type of chat message. |
| MicrosoftTeams.ChatList.messages.createdDateTime | String | Timestamp of when the chat message was created. |
| MicrosoftTeams.ChatList.messages.lastModifiedDateTime | String | Timestamp when the chat message is created (initial setting) or modified, including when a reaction is added or removed. |
| MicrosoftTeams.ChatList.messages.lastEditedDateTime | String | Timestamp when edits to the chat message were made. Triggers an "Edited" flag in the Teams UI. If no edits are made the value is null. |
| MicrosoftTeams.ChatList.messages.deletedDateTime | String | Timestamp at which the chat message was deleted, or null if not deleted. |
| MicrosoftTeams.ChatList.messages.subject | String | The subject of the chat message, in plaintext. |
| MicrosoftTeams.ChatList.messages.summary | String | Summary text of the chat message that could be used for push notifications and summary views or fall back views. |
| MicrosoftTeams.ChatList.messages.chatId | String | If the message was sent in a chat, represents the identity of the chat. |
| MicrosoftTeams.ChatList.messages.importance | String | The importance of the chat message. |
| MicrosoftTeams.ChatList.messages.locale | String | Locale of the chat message set by the client. |
| MicrosoftTeams.ChatList.messages.webUrl | String | Link to the message in Microsoft Teams. |
| MicrosoftTeams.ChatList.messages.channelIdentity | String | If the message was sent in a channel, represents identity of the channel. |
| MicrosoftTeams.ChatList.messages.policyViolation | String | Defines the properties of a policy violation set by a data loss prevention (DLP) application. |
| MicrosoftTeams.ChatList.messages.eventDetail | String | If present, represents details of an event that happened in a chat, a channel, or a team, for example, adding new members. |
| MicrosoftTeams.ChatList.messages.from | String | Details of the sender of the chat message. |
| MicrosoftTeams.ChatList.messages.body | String | Plaintext/HTML representation of the content of the chat message. Representation is specified by the contentType inside the body. |
| MicrosoftTeams.ChatList.messages.attachments | String | References to attached objects like files, tabs, meetings etc. |
| MicrosoftTeams.ChatList.messages.mentions | String | List of entities mentioned in the chat message. |
| MicrosoftTeams.ChatList.messages.reactions | String | Reactions for this chat message (for example, Like). |

#### Command Example

```
!microsoft-teams-message-send-to-chat chat="example chat" content="Hello World"
```

#### Human Readable Output

##### Message was sent successfully in the 'example chat' chat.

| Chat Id | Created DateTime | Etag | From user | From user id | From user userIdentityType | Importance | Message Content | Message Type | Message contentType | Message id | lastModified DateTime |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 19:2da4c29f6d7041eca70b638b43d45437@thread.v2 | 2021-03-29T04:17:43.15Z | 1616991463150 | itayadmin | 8ea0e38b-efb3-4757-924a-5f94061cf8c2 | aadUser | normal | Hello World | message | text | 1616991463150 | 2021-03-29T04:17:43.15Z |

### microsoft-teams-chat-add-user

---

Adds a member (user) to a group chat.

#### Base Command

`microsoft-teams-chat-add-user`

#### Required Permissions

* ChatMember.ReadWrite - Delegated
* Chat.ReadWrite - Delegated

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| chat | The chat ID or group chat name (topic) to which to add the member. | Required |
| member | Display name/mail/UPN of the user that should be added to the chat. Can be an array. | Required |
| share_history | Whether to share the whole history of the chat. Possible values are: true, false. Default is True. | Optional |

#### Context Output

There is no context output for this command.
#### Command Example

```
!microsoft-teams-chat-add-user chat="example chat" member="Bruce Willis" share_history=false
```

#### Human Readable Output

The User "Bruce Willis" has been added to chat "example chat" successfully.

### microsoft-teams-chat-member-list

---

Retrieves a list of members from a chat.

#### Base Command

`microsoft-teams-chat-member-list`

#### Required Permissions

* Chat.ReadWrite - Delegated
* ChatMember.ReadWrite - Delegated

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| chat | The chat ID / group chat name (topic) / oneOnOne member (Display name/mail/UPN). | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftTeams.ChatList.chatId | String | The chat's unique identifier. |
| MicrosoftTeams.ChatList.members.displayName | String | The display name of the members. |
| MicrosoftTeams.ChatList.members.email | String | The email of the members. |
| MicrosoftTeams.ChatList.members.id | String | The ID of the members. |
| MicrosoftTeams.ChatList.members.roles | String | The roles of the members. |
| MicrosoftTeams.ChatList.members.tenantId | String | The tenant ID of the members. |
| MicrosoftTeams.ChatList.members.userId | String | The user ID of the members. |
| MicrosoftTeams.ChatList.members.visibleHistoryStartDateTime | String | The timestamp denoting how far back a conversation's history is shared with the conversation member. |

#### Command Example

```
!microsoft-teams-chat-member-list chat="example chat"
```

#### Human Readable Output

##### Chat "example chat" members list:

| User Id | User roles | Name | Email | Tenant Id |
| --- | --- | --- | --- | --- |
| 359d2c3c-162b-414c-b2eq-386461e5l050 | owner | itayadmin | test@gmail.com | dcd219dd-bc68-4b9b-bf0b-4a33a796be35 |
| 48d31887-5fad-4d73-a9f5-3c356e68a038 | owner | Bruce Willis | test@gmail.com | dcd219dd-bc68-4b9b-bf0b-4a33a796be35 |

### microsoft-teams-chat-list

---

Retrieves a list of chats that the user is part of. If `chat` is specified, retrieves this chat only.
BASE COMMAND#
microsoft-teams-chat-list

REQUIRED PERMISSIONS#
Chat.ReadWrite - Delegated

INPUT#
* chat (Optional): The chat ID / group chat name (topic) / oneOnOne member (Display name/mail/UPN).
* filter (Optional): Filters results. For example: topic eq 'testing'. For more query examples, see https://learn.microsoft.com/en-us/graph/filter-query-parameter?tabs=http.
* expand (Optional): Expands the results to include members or lastMessagePreview properties. Possible values are: members, lastMessagePreview.
* limit (Optional): The number of results to retrieve. Default is 50.
* next_link (Optional): A link that specifies a starting point to use for subsequent calls.
* page_size (Optional): Number of results to return per page. Default is 50.

CONTEXT OUTPUT#
* MicrosoftTeams.ChatList.chatId (String): The chat's unique identifier.
* MicrosoftTeams.ChatList.topic (String): Subject or topic for the chat. Only available for group chats.
* MicrosoftTeams.ChatList.createdDateTime (String): Date and time at which the chat was created.
* MicrosoftTeams.ChatList.lastUpdatedDateTime (String): Date and time at which the chat was renamed or the list of members was last changed.
* MicrosoftTeams.ChatList.chatType (String): Specifies the type of chat.
* MicrosoftTeams.ChatList.webUrl (String): The URL for the chat in Microsoft Teams. The URL should be treated as an opaque blob, and not parsed.
* MicrosoftTeams.ChatList.tenantId (String): The identifier of the tenant in which the chat was created.
* MicrosoftTeams.ChatList.viewpoint (String): Represents caller-specific information about the chat, such as last message read date and time.
* MicrosoftTeams.ChatList.onlineMeetingInfo (String): Represents details about an online meeting. If the chat isn't associated with an online meeting, the property is empty.
* MicrosoftTeams.ChatListNextLink (String): Used if an operation returns partial results. If a response contains a NextLink element, its value specifies a starting point to use for subsequent calls.
COMMAND EXAMPLE#
!microsoft-teams-chat-list filter="topic eq 'testing'"

HUMAN READABLE OUTPUT#

CHATS LIST:#

| Chat Id | Chat name | Created Date Time | Last Updated Date Time | Chat Type | webUrl | Tenant Id | Last Message Read Date Time |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 19:561082c0f3f847a58069deb8eb300807@thread.v2 | testing | 2023-01-08T14:15:45.412Z | 2023-01-08T14:15:45.412Z | group | webUrl | tenantId | 2023-01-08T14:16:48.662Z |
| 19:2da4c29f6d7041eca70b638b43d45437@thread.v2 | testing | 2022-12-29T11:10:49.173Z | 2022-12-29T11:10:49.173Z | group | webUrl | tenantId | 2022-12-29T12:00:07.317Z |

MICROSOFT-TEAMS-CHAT-MESSAGE-LIST#
--------------------------------------------------------------------------------
Retrieves a list of messages in a chat.

BASE COMMAND#
microsoft-teams-chat-message-list

REQUIRED PERMISSIONS#
Chat.ReadWrite - Delegated

INPUT#
* chat (Required): The chat ID / group chat name (topic) / oneOnOne member (Display name/mail/UPN).
* limit (Optional): The number of results to retrieve. Default is 50.
* order_by (Optional): Orders results by lastModifiedDateTime (default) or createdDateTime in descending order. Possible values are: lastModifiedDateTime, createdDateTime. Default is lastModifiedDateTime.
* next_link (Optional): A link that specifies a starting point to use for subsequent calls.
* page_size (Optional): Number of results to return per page. Default is 50.

CONTEXT OUTPUT#
* MicrosoftTeams.ChatList.chatId (String): The chat's unique identifier.
* MicrosoftTeams.ChatList.messages.id (String): Unique ID of the message.
* MicrosoftTeams.ChatList.messages.replyToId (String): ID of the parent chat message or root chat message of the thread.
* MicrosoftTeams.ChatList.messages.etag (String): Version number of the chat message.
* MicrosoftTeams.ChatList.messages.messageType (String): The type of chat message.
* MicrosoftTeams.ChatList.messages.createdDateTime (String): Timestamp of when the chat message was created.
* MicrosoftTeams.ChatList.messages.lastModifiedDateTime (String): Timestamp when the chat message was created (initial setting) or modified, including when a reaction is added or removed.
* MicrosoftTeams.ChatList.messages.lastEditedDateTime (String): Timestamp when edits to the chat message were made. Triggers an "Edited" flag in the Teams UI. If no edits are made, the value is null.
* MicrosoftTeams.ChatList.messages.deletedDateTime (String): Timestamp at which the chat message was deleted, or null if not deleted.
* MicrosoftTeams.ChatList.messages.subject (String): The subject of the chat message, in plaintext.
* MicrosoftTeams.ChatList.messages.summary (String): Summary text of the chat message that could be used for push notifications and summary views or fallback views.
* MicrosoftTeams.ChatList.messages.chatId (String): If the message was sent in a chat, represents the identity of the chat.
* MicrosoftTeams.ChatList.messages.importance (String): The importance of the chat message.
* MicrosoftTeams.ChatList.messages.locale (String): Locale of the chat message set by the client.
* MicrosoftTeams.ChatList.messages.webUrl (String): Link to the message in Microsoft Teams.
* MicrosoftTeams.ChatList.messages.channelIdentity (String): If the message was sent in a channel, represents the identity of the channel.
* MicrosoftTeams.ChatList.messages.policyViolation (String): Defines the properties of a policy violation set by a data loss prevention (DLP) application.
* MicrosoftTeams.ChatList.messages.eventDetail (String): If present, represents details of an event that happened in a chat, a channel, or a team, for example, adding new members.
* MicrosoftTeams.ChatList.messages.from (String): Details of the sender of the chat message.
* MicrosoftTeams.ChatList.messages.body (String): Plaintext/HTML representation of the content of the chat message. The representation is specified by the contentType inside the body.
* MicrosoftTeams.ChatList.messages.attachments (String): References to attached objects like files, tabs, meetings, etc.
* MicrosoftTeams.ChatList.messages.mentions (String): List of entities mentioned in the chat message.
* MicrosoftTeams.ChatList.messages.reactions (String): Reactions for this chat message (for example, Like).
* MicrosoftTeams.MessageListNextLink (String): Used if an operation returns partial results. If a response contains a NextLink element, its value specifies a starting point to use for subsequent calls.

COMMAND EXAMPLE#
!microsoft-teams-chat-message-list chat="example chat" order_by=createdDateTime

HUMAN READABLE OUTPUT#

MESSAGES LIST IN "EXAMPLE CHAT" CHAT:#

| Chat Id | Created DateTime | Etag | From user | From user id | From user userIdentityType | Importance | Message Content | Message Type | Message contentType | Message id | lastModified DateTime |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 19:2da4c29f6d7041eca70b638b43d45437@thread.v2 | 2021-03-29T04:17:43.15Z | 1616991463150 | itayadmin | 8ea0e38b-efb3-4757-924a-5f94061cf8c2 | aadUser | normal | Hello World | message | text | 1616991463150 | 2021-03-29T04:17:43.15Z |

MICROSOFT-TEAMS-CHAT-UPDATE#
--------------------------------------------------------------------------------
Updates the chat name. It can only be set for group chats.

BASE COMMAND#
microsoft-teams-chat-update

REQUIRED PERMISSIONS#
Chat.ReadWrite - Delegated

INPUT#
* chat (Required): The chat ID / group chat name (topic).
* chat_name (Required): The new chat name. Maximum length is 250 characters. Use of ':' is not allowed.

CONTEXT OUTPUT#
There is no context output for this command.
COMMAND EXAMPLE#
!microsoft-teams-chat-update chat="example chat" chat_name="update chat_name"

HUMAN READABLE OUTPUT#
The name of chat 'example chat' has been successfully changed to 'update chat_name'.

MICROSOFT-TEAMS-AUTH-TEST#
--------------------------------------------------------------------------------
Tests the connectivity to Microsoft Teams.

BASE COMMAND#
microsoft-teams-auth-test

INPUT#
There are no input arguments for this command.

CONTEXT OUTPUT#
There is no context output for this command.

COMMAND EXAMPLE#
!microsoft-teams-auth-test

HUMAN READABLE OUTPUT#
> ✅ Success!

MICROSOFT-TEAMS-GENERATE-LOGIN-URL#
--------------------------------------------------------------------------------
Generates the login URL used for the Authorization Code flow.

BASE COMMAND#
microsoft-teams-generate-login-url

INPUT#
There are no input arguments for this command.

CONTEXT OUTPUT#
There is no context output for this command.

COMMAND EXAMPLE#
!microsoft-teams-generate-login-url

HUMAN READABLE OUTPUT#
> AUTHORIZATION INSTRUCTIONS#
>
> 1. Click on the login URL to sign in and grant Cortex XSOAR permissions for your Azure Service Management. You will be automatically redirected to a link with the following structure: REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
> 2. Copy the AUTH_CODE (without the code= prefix, and the session_state parameter) and paste it in your instance configuration under the Authorization code parameter.

RUNNING COMMANDS FROM MICROSOFT TEAMS#
You can run Cortex XSOAR commands, according to the user permissions, from Microsoft Teams in a mirrored investigation channel.

Note: Like every message in a mirrored channel, a command must mention the bot in order to be passed to it. To avoid having to mention the bot, if the integration was previously configured without adding the Bot ID, repeat the authentication flow and pay particular attention to the following steps:
* Step 14 in Using the App Studio.
* Step 5 in Using the Developer Portal.

For example, in order to check the reputation of the IP address 8.8.8.8, run the following:
@Demisto Bot !ip ip=8.8.8.8

DIRECT MESSAGES COMMANDS#
You can chat with the bot in direct messages in order to retrieve data (list incidents and tasks) and run operations (create an incident and mirror an investigation) related to Cortex XSOAR. Send the message help in order to see the supported commands.

Note: To enrich an incident created via the Demisto Bot (new incident command) with extra information received with the request, users may create custom mappers and map the desired values, as in the regular fetch-incidents process.

TROUBLESHOOTING#
1. The integration works by spinning up a web server that listens to events and data posted to it from Microsoft Teams. If you see the error message "Did not receive tenant ID from Microsoft Teams, verify the messaging endpoint is configured correctly.", it means that the tenant ID was never posted to the web server, which should happen for the first time when the bot is added to the configured team. This probably means that there is a connection issue, and the web server does not receive the HTTPS queries from Microsoft Teams. To troubleshoot, first verify that the Docker container is up and running and publishes the configured port to the outside world. From the Cortex XSOAR / Cortex XSOAR engine machine run:
docker ps | grep teams
You should see the following, assuming port 7000 is used:
988fdf341127 demisto/teams:1.0.0.6483 "python /tmp/pyrunne…" 6 seconds ago Up 4 seconds 0.0.0.0:7000->7000/tcp demistoserver_pyexecLongRunning-b60c04f9-754e-4b68-87ed-8f8113419fdb-demistoteams1.0.0.6483--26
If the Docker container is up and running, try running cURL queries to verify that the web server is up and running and listens on the configured URL:
* To the messaging endpoint from a separate box.
* From the Cortex XSOAR machine to localhost.
* Note: The web server supports only POST method queries.
If the cURL queries were sent successfully, you should see the following line in the Cortex XSOAR logs: Finished processing Microsoft Teams activity successfully.
If you're working with secured communication (HTTPS), make sure that you provided a valid certificate: run the command openssl s_client -connect <domain.com>:443 and verify that the returned value of the Verify return code field is 0 (ok); otherwise, it's not a valid certificate.
Try entering your configured messaging endpoint in a browser tab and press Enter. If Method Not Allowed is returned, the endpoint is valid and ready to communicate; otherwise, it needs to be handled according to the returned error message.
In some cases, a connection is not created between Teams and the messaging endpoint when adding a bot to the team. You can work around this problem by adding any member to the team the bot was added to (the bot should already be added to the team). This will trigger a connection and solve the issue. You can then remove the member that was added.
2. If you see the following error message: Error in API call to Microsoft Teams: [403] - UnknownError, it means the AAD application has insufficient permissions.
3. Since the integration works based on Docker port mapping, it can't function if Docker is set to run with host networking (--network=host). For more details, refer to the Docker documentation.
4. The integration caches metadata about the teams, members and channels. Starting from Cortex XSOAR version 6.1.0, you can clear the integration cache in the integration instance configuration. First, make sure to remove the bot from the team (only via the Teams app) before clearing the integration cache, and add it back after you are done. If the bot belongs to multiple teams, make sure to remove it from all the teams it was added to, and then clear the cache.
5. If the previous step did not work, remove the bot from the team, go to the Microsoft Teams admin center > Manage apps and hard refresh the page (cmd + shift + R), then add the bot to the team again.

DOWNLOAD DEMISTO BOT#
Demisto Bot zip
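The container, endpoint and certificate checks from troubleshooting step 1, written up as an added POSIX sh example (not part of the XSOAR documentation or of the integration); port 7000 and the endpoint URL passed to troubleshoot_endpoint are placeholder assumptions, and the openssl sample line is constructed.

```shell
#!/bin/sh
# Added example, not from the XSOAR docs: the checks from troubleshooting
# step 1 as small POSIX sh functions. Each reads the relevant command's
# output on stdin, so it runs on live output or on a captured sample.
# The port (7000) and endpoint URL passed to troubleshoot_endpoint are
# placeholders for your own configuration.

# docker ps | grep teams | teams_port_published 7000
# Succeeds when the teams container publishes PORT on all interfaces.
teams_port_published() {
  grep -q "0\.0\.0\.0:$1->$1/tcp"
}

# curl -s -o /dev/null -w '%{http_code}' "$ENDPOINT" | endpoint_answers
# A GET must come back as 405 Method Not Allowed: the web server accepts
# POST only, so a 405 proves the request reached the integration itself.
endpoint_answers() {
  read -r code || [ -n "$code" ]   # curl -w prints no trailing newline
  [ "$code" = "405" ]
}

# openssl s_client -connect host:443 </dev/null 2>/dev/null | cert_verify_ok
# Succeeds only when the presented certificate chain verified (code 0).
cert_verify_ok() {
  grep -q "Verify return code: 0 (ok)"
}

# Runs the checks in the order the docs give and stops at the first
# failure, so the message points at the layer to fix: container, HTTP, TLS.
troubleshoot_endpoint() {
  port="$1"; endpoint="$2"
  host="${endpoint#*://}"; host="${host%%/*}"; host="${host%%:*}"
  docker ps | grep teams | teams_port_published "$port" \
    || { echo "FAIL: no teams container publishing port $port"; return 1; }
  curl -s -o /dev/null -w '%{http_code}' "$endpoint" | endpoint_answers \
    || { echo "FAIL: GET to $endpoint did not return 405"; return 2; }
  case "$endpoint" in
    https://*)
      openssl s_client -connect "$host:443" </dev/null 2>/dev/null | cert_verify_ok \
        || { echo "FAIL: certificate for $host did not verify"; return 3; } ;;
  esac
  echo "OK: container, endpoint and certificate all check out"
}

# Samples for offline use: the docker ps line from the docs above and a
# constructed tail of openssl s_client output.
SAMPLE_DOCKER_PS='988fdf341127 demisto/teams:1.0.0.6483 "python /tmp/pyrunne…" 6 seconds ago Up 4 seconds 0.0.0.0:7000->7000/tcp demistoserver_pyexecLongRunning-b60c04f9-754e-4b68-87ed-8f8113419fdb-demistoteams1.0.0.6483--26'
SAMPLE_SCLIENT_OK='    Verify return code: 0 (ok)'
```

Run it as troubleshoot_endpoint 7000 "https://<domain.com>/teams-endpoint" from the Cortex XSOAR or engine machine; a non-zero return code tells you which layer failed first.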