Supported Playbooks
Note
The terms Alerts and Investigations have recently been changed to Detections and Cases in Taegis XDR. You may still see references to the old terms while we continue to work towards platform convergence of Sophos and Taegis technologies. For more information, see Taegis Terminology Updates.
Note
Each playbook has built-in documentation that walks through the steps to create a new playbook. Select Documentation from a case template or configured case in XDR to open this in a new tab and follow the guidance there.
XDR provides playbook templates for numerous integrations, including but not limited to the following.
Tip
Find a changelog of the most recently published playbook templates, actions, and connectors, as well as updates to existing templates and connectors on Automations Overview.
| Playbook Title | Description |
|---|---|
| 4me ITSM Alert | Create a 4me Problem or Request based on an XDR Alert |
| 4me ITSM Investigation | Create a 4me Problem or Request based on an XDR Investigation |
| 4me ITSM Investigation Sync | Sync 4me Problem or Request with Security Response Investigations |
| AD Change Password At Log On | Change Password At Log On for an AD user using the LDAP(S) Protocol |
| AD Deactivate Change Password At Log On | Deactivate Change Password At Log On for an AD user using the LDAP(S) Protocol |
| AD Disable User | Disable User account for an AD using the LDAP(S) Protocol |
| AD Enable User | Enable User account for an AD using the LDAP(S) Protocol |
| AD/LDAP Change Password | Change Password for an AD/LDAP user using the LDAP(S) Protocol |
| AD/LDAP Look Up User | Look up an AD/LDAP user using the LDAP(S) Protocol |
| Alert Email Notification | Send email notifications for alerts |
| Alert Email Notification with Google Gmail | Send email notifications for alerts with Google Gmail API |
| Alert ITSM Sync | ServiceNow Alert to ITSM Incident Sync |
| Alert SIR Sync | ServiceNow Alert to Security Incident Sync |
| Amazon Web Services Disable User Access Keys | Disable the access keys of a specific AWS user |
| Amazon Web Services Disable User Login | Disable AWS Console login for a specific user |
| Amazon Web Services Disable User MFA Devices | Remove MFA Device for a specific AWS user |
| Amazon Web Services Enable User Access Keys | Enable the access keys of a specific AWS user |
| Amazon Web Services Enable User Login | Create a new AWS Console login profile with a predefined password for a specific user |
| Amazon Web Services Look Up User | Look up an Amazon Web Services User |
| Amazon Web Services Update IP Set | Block/unblock an IP address in AWS WAF |
| Analyze Email | Enables the enrichment of Email entities |
| Automated Action AD Change Password At Log On | Automatically change password at log on for all users related to an alert using the LDAP(S) Protocol |
| Automated Action AD Disable User | Automatically disable all users in an alert using the LDAP(S) Protocol |
| Automated Action Isolate Host Red Cloak Endpoint Agent | Automatically isolate hosts related to an alert using the Red Cloak Endpoint Agent |
| Automated Action Isolate Host Taegis Agent | Automatically isolate hosts related to an alert using the Taegis Agent |
| Automated Action Microsoft Entra ID Disable User | Automatically disable all users in an alert using the Microsoft Graph API |
| Automated Action Microsoft Entra ID Force Password Reset | Automatically force a password reset on all users in an alert using the Microsoft Graph API |
| Azure OpenAI Enrich Investigation | Enrich the key findings of an investigation via Azure OpenAI |
| Block Domain | Enables the Block Domain response action |
| Block Email Address | Enables the Block Email Address response action |
| Block File Hash | Enables the Block File Hash response action on file hashes |
| Block IP | Enables the Block IP response action on IP addresses |
| Block URL | Enables the Block URL response action |
| Carbon Black EDR - Block Filehash | Carbon Black EDR (Endpoint Detection and Response) Block Filehash |
| Carbon Black EDR - Unblock Filehash | Carbon Black EDR (Endpoint Detection and Response) Unblock Filehash |
| CB Cloud - Isolate | VMware Carbon Black Cloud Isolate |
| CB Cloud - Undo Isolate Host | VMware Carbon Black Cloud Undo Isolate Host |
| Change Password | Enables the Change Password response action |
| Change Password At Next Login | Enables the Change Password At Next Login response action |
| Change Password At Next Login Google Workspace Admin SDK API | Enable Change Password At Next Login for a user using Google Workspace Admin SDK API |
| Change Password Google Workspace Admin SDK API | Change Password of a user using Google Workspace Admin SDK API |
| Cisco Meraki Activities | Block and unblock resources in Cisco Meraki |
| Comments To Email Notification | Send Taegis Investigation Comments via an Email |
| Comments To Mattermost Notification | Send Taegis Investigation Comments To Mattermost |
| Comments To Microsoft Teams Notification | Send Taegis Investigation Comments To Microsoft Teams |
| Comments To Salesforce Slack Notification | Send Taegis Investigation Comments To Salesforce Slack |
| Comments To ServiceNow WorkNote | Send Taegis Investigation Comments To ServiceNow WorkNote |
| Confirm User As Compromised | Enables the Confirm User As Compromised response action on users |
| Cortex XSOAR Investigation Sync | Sync XDR investigations to Cortex XSOAR incidents |
| Create Investigations from Alerts | Create XDR Investigations from Alerts |
| Create ServiceNow User | Create ServiceNow User |
| CrowdStrike Falcon Endpoint - Isolate | CrowdStrike Falcon Endpoint Protection Isolate |
| CrowdStrike Falcon Endpoint - Undo Isolate | CrowdStrike Falcon Endpoint Protection Undo Isolate Host |
| Deactivate Change Password At Next Login Google Workspace Admin SDK API | Deactivate Change Password At Next Login for a user using Google Workspace Admin SDK API |
| Deactivate ServiceNow User | Deactivate ServiceNow User |
| Detonate URL | Detonates a URL and provides the results as enrichment |
| Disable User | Enables the Disable User response action on users |
| Dismiss User As Compromised | Enables the Dismiss User As Compromised response action on users |
| Enable User | Enables the Enable User response action on users |
| Endpoint Tagging | Add or remove tags on any number of endpoints |
| Endpoint Tagging - Multi | Allow running Endpoint Tagging playbooks multiple times for different criteria |
| Enrich Investigation | Enables the enrichment of an investigation |
| Entity Enrichment Look Up Asset | Enables the enrichment of asset entities |
| EverBridge Alert Incident | Create an EverBridge Incident based on an XDR Alert |
| EverBridge Investigation Incident | Create an EverBridge Incident based on an XDR Investigation |
| Freshdesk Investigation Sync | Sync Taegis investigations with Freshdesk incidents |
| Freshservice Alert Ticket | Create a Freshservice Ticket based on a Taegis Alert |
| Freshservice Investigation Sync | Sync Taegis investigations with Freshservice tickets |
| Freshservice Investigation Ticket | Create a Freshservice Ticket based on a Taegis Investigation |
| Generic Webhook | Post all inputs to a webhook URL |
| Halo ITSM Investigation Synch | Sync XDR Investigations with Halo ITSM incidents |
| Health Event Investigation | Create Taegis Investigations from Health Events |
| Initiate Antivirus Scan on Host | Enables an Initiate Antivirus Scan on hosts |
| Investigation CrowdStrikeFalcon Incident Sync | Sync Investigations to CrowdStrike Falcon Incidents |
| Investigation Email Notification | Send email notifications for investigations |
| Investigation Email Notification with Google Gmail | Send email notifications for Investigation with Google Gmail API |
| Investigation ITSM Sync | One-way sync of a ServiceNow Investigation to ITSM Incidents |
| Investigation Service Now MultiTeam Sync | Sync an Investigation with ServiceNow across multiple teams |
| Investigation SIR Sync | ServiceNow Investigation Sync to Security Incident Response |
| Investigation SMAX Sync | Sync a Taegis Investigation to a Micro Focus SMAX ticket |
| Investigation Translate Comments | Translate the Comments of an Investigation into another language |
| Investigation Translate Key Findings | Translate the Key Findings of an Investigation into another language |
| Investigations Email Report | Email report about Taegis Investigations |
| Isolate Host | Enables the Isolate Host response action on hosts |
| Isolate Host Automated Action | Isolate Host Automated Response Action |
| ITSM Incident Vulnerability | Create a ServiceNow Incident based on an XDR Vulnerability |
| Jira Alert Issue | Create an Atlassian Jira Issue based on an XDR Alert |
| Jira Investigation Issue | Create an Atlassian Jira Issue based on an XDR Investigation |
| Jira Investigation Sync | Sync Jira issue with Security Response Investigations |
| Jira Vulnerability Issue | Create an Atlassian Jira Issue based on an XDR Vulnerability |
| JupiterOne Investigation AWS Instance Enrichment | Enrich an investigation with AWS instance context from JupiterOne |
| Look Up Asset Vulnerabilities | Enables the enrichment of asset vulnerabilities |
| Look Up File Hash | Looks up a file hash and provides the results as enrichment |
| Look Up User | Enables the enrichment of user entities |
| Look Up User Google Workspace Admin SDK API | Look up a user using Google Workspace Admin SDK API |
| ManageEngine ServiceDesk Plus Alert | Create ManageEngine ServiceDesk Plus Requests from XDR Alerts |
| ManageEngine ServiceDesk Plus Investigation Sync | Sync Investigations with ManageEngine ServiceDesk Plus Requests |
| MD ATP - Block Filehash Globally | Microsoft Defender ATP Block Filehash Globally |
| MD ATP - Host Response Action | Perform various response actions against a Microsoft Defender host |
| MD ATP - Isolate Host | Microsoft Defender ATP Isolate Host |
| MD ATP - Single Endpoint Filehash Block | Microsoft Defender ATP Block Filehash on a Single Endpoint |
| MD ATP - Undo Isolate Host | Microsoft Defender ATP Undo Isolate Host |
| Microsoft Entra ID Disable User | Disable Microsoft Entra ID user account using the Microsoft Graph API |
| Microsoft Entra ID Enable User | Enable Microsoft Entra ID user account using the Microsoft Graph API |
| Microsoft Entra ID Force Password Reset | Force a password reset on a Microsoft Entra ID user account using the Microsoft Graph API |
| Microsoft Entra ID Look Up User | Look up a Microsoft Entra ID user using the Microsoft Graph API |
| Microsoft Teams Notification | Send a Microsoft Teams notification via webhook |
| Notifications via Google Workspace Chat | Send Taegis notifications to Google Workspace Chat webhook |
| Okta Look Up User | Look up an Okta user |
| OpenAI Enrich Investigation | Enrich the key findings of an investigation via OpenAI |
| Opsgenie XDR Alert | Create an Atlassian Opsgenie Alert or Incident based on an XDR Alert |
| Opsgenie XDR Investigation | Create an Atlassian Opsgenie Alert or Incident based on an XDR Investigation |
| PagerDuty Alert Event | Send a PagerDuty Event based on an XDR Alert |
| PagerDuty Investigation Event | Send a PagerDuty Event based on an XDR Investigation |
| PagerDuty Investigation Sync | Sync PagerDuty incidents with Security Response Investigations |
| Palo Alto Networks PAN-OS Block/Unblock | Block and unblock IP/CIDR or Domain in Palo Alto Networks PAN-OS |
| RC - Isolate | Red Cloak Endpoint Agent Isolate |
| RC - Undo Isolate Host | Red Cloak Endpoint Agent Undo Isolate Host |
| RC Disable Process Disruption | Disable a disrupt process (block filehash) rule in Red Cloak Endpoint Agent |
| RC Process Disruption | Disrupt process (block filehash) in Red Cloak Endpoint Agent |
| Reactivate User Google Workspace Admin SDK API | Reactivate a user using Google Workspace Admin SDK API |
| Reset MFA Factors | Enables the Reset MFA Factors response action on users |
| Revoke User Sign-In Sessions | Enables the Revoke User Sign-In Sessions response action on users |
| Salesforce Slack Notification | Send a Salesforce Slack Notification via Webhook |
| SCADAfence Platform Investigation Enrichment | Enrich a Taegis Investigation with SCADAfence alert/asset details |
| Send Notification Message | Send a notification message to a supported messaging platform |
| SentinelOne - Host Response Actions | Perform various response actions against a SentinelOne agent |
| SentinelOne - Isolate | SentinelOne Isolate |
| SentinelOne - Undo Isolate Host | SentinelOne Undo Isolate Host |
| SentinelOne Threat Mitigation Response Actions | Perform Threat Mitigation response actions against Taegis Alerts |
| ServiceNow Bidirectional Investigation Sync (Inbound) | Update a Taegis Investigation based on data provided by ServiceNow |
| ServiceNow Bidirectional Investigation Sync (Outbound) | Sync an Investigation with ServiceNow using Import Sets |
| Suspend User Google Workspace Admin SDK API | Suspend a user using Google Workspace Admin SDK API |
| Sync Alert | Sync third party alert with XDR |
| Taegis Agent - Isolate | Taegis Agent Isolate |
| Taegis Agent - Restore | Taegis Agent Restore from isolation |
| Taegis NDR Block | Block (shun) a specific IP address on a Taegis NDR device |
| Taegis NDR Firewall Modification | Perform various Taegis NDR firewall related actions |
| Taegis NDR Unblock | Unblock (unshun) a specific IP address on a Taegis NDR device |
| UnBlock Domain | Enables the UnBlock Domain response action |
| UnBlock Email Address | Enables the UnBlock Email Address response action |
| UnBlock File Hash | Enables the UnBlock File Hash response action on file hashes |
| UnBlock IP | Enables the UnBlock IP response action on IP addresses |
| UnBlock URL | Enables the UnBlock URL response action |
| UnIsolate Host | Enables the UnIsolate Host response action on hosts |
| Update Investigation with Network Flow Summary | Update an Investigation with a summary of its related network flows |
| Update ServiceNow User | Generic ServiceNow user update |
| Update Taegis Investigation | Allow for updating an existing Taegis investigation |
| xMatters Webhook Alert | Trigger an xMatters event from an Alert via Webhook |
| xMatters Webhook Investigation | Trigger an xMatters event from an Investigation via Webhook |
| Zendesk Investigation Sync | Sync XDR Investigations with Zendesk incidents |