Supported Playbooks
Note
Each playbook has built-in documentation that walks through the steps to create a new playbook. Select Documentation from a playbook template or configured playbook in XDR to open this in a new tab and follow the guidance there.
XDR supports numerous integrations, including but not limited to the following.
Tip
Find a changelog of the most recently published playbook templates, actions, and connectors, as well as updates to existing templates and connectors on Automations Overview.
Playbook Title | Description |
---|---|
4me ITSM Alert | Create a 4me Problem or Request based on an XDR Alert |
4me ITSM Investigation | Create a 4me Problem or Request based on an XDR Investigation |
4me ITSM Investigation Sync | Sync 4me Problem or Request with Security Response Investigations |
AD Change Password At Log On | Change Password At Log On for an AD user using the LDAP(S) Protocol |
AD Deactivate Change Password At Log On | Deactivate Change Password At Log On for an AD user using the LDAP(S) Protocol |
AD Disable User | Disable User account for an AD using the LDAP(S) Protocol |
AD Enable User | Enable User account for an AD using the LDAP(S) Protocol |
AD/LDAP Change Password | Change Password for an AD/LDAP user using the LDAP(S) Protocol |
AD/LDAP Look Up User | Look up an AD/LDAP user using the LDAP(S) Protocol |
Alert Email Notification | Send email notifications for alerts |
Alert Email Notification with Google Gmail | Send email notifications for alerts with Google Gmail API |
Alert ITSM Sync | ServiceNow Alert to ITSM Incident Sync |
Alert SIR Sync | ServiceNow Alert to Security Incident Sync |
Amazon Web Services Disable User Access Keys | Amazon Web Services Disable User Access Keys |
Amazon Web Services Disable User Login | Disable AWS Console login for a specific user |
Amazon Web Services Disable User MFA Devices | Remove MFA Device for a specific AWS user |
Amazon Web Services Enable User Access Keys | Amazon Web Services Enable User Access Keys |
Amazon Web Services Enable User Login | AWS Console create a new login profile with a predefined password for a specific user |
Amazon Web Services Look Up User | Look up an Amazon Web Services User |
Amazon Web Services Update IP Set | Block/unblock an IP address in AWS WAF |
Analyze Email | Enables the enrichment of Email entities |
Automated Action AD Change Password At Log On | Automatically change password at log on for all users related to an alert using the LDAP(S) Protocol |
Automated Action AD Disable User | Automatically disable all users in an alert using the LDAP(S) Protocol |
Automated Action Isolate Host Red Cloak Endpoint Agent | Automated Action Isolate Host Red Cloak Endpoint Agent |
Automated Action Isolate Host Taegis Agent | Automated Action Isolate Host Taegis Agent |
Automated Action Microsoft Entra ID Disable User | Automatically disable all users in an alert using the Microsoft Graph API |
Automated Action Microsoft Entra ID Force Password Reset | Automatically force a password reset on all users in an alert using the Microsoft Graph API |
Azure OpenAI Enrich Investigation | Enrich the key findings of an investigation via Azure OpenAI |
Block Domain | Enables the Block Domain response action |
Block Email Address | Enables the Block Email Address response action |
Block File Hash | Enables the Block File Hash response action on file hashes |
Block IP | Enables the Block IP response action on IP addresses |
Block URL | Enables the Block URL response action |
Carbon Black EDR - Block Filehash | Carbon Black EDR (Endpoint Detection and Response) Block Filehash |
Carbon Black EDR - Unblock Filehash | Carbon Black EDR (Endpoint Detection and Response) Unblock Filehash |
CB Cloud - Isolate | VMware Carbon Black Cloud Isolate |
CB Cloud - Undo Isolate Host | VMware Carbon Black Cloud Undo Isolate Host |
Change Password | Enables the Change Password response action |
Change Password At Next Login | Enables the Change Password At Next Login response action |
Change Password At Next Login Google Workspace Admin SDK API | Enable Change Password At Next Login for a user using Google Workspace Admin SDK API |
Change Password Google Workspace Admin SDK API | Change Password of a user using Google Workspace Admin SDK API |
Cisco Meraki Activities | Block and unblock resources in Cisco Meraki |
Comments To Email Notification | Send Taegis Investigation Comments via an Email |
Comments To Mattermost Notification | Send Taegis Investigation Comments To Mattermost |
Comments To Microsoft Teams Notification | Send Taegis Investigation Comments To Microsoft Teams |
Comments To Salesforce Slack Notification | Send Taegis Investigation Comments To Salesforce Slack |
Comments To ServiceNow WorkNote | Send Taegis Investigation Comments To ServiceNow WorkNote |
Confirm User As Compromised | Confirm User As Compromised |
Cortex XSOAR Investigation Sync | Sync XDR investigations to Cortex XSOAR incidents |
Create Investigations from Alerts | Create XDR Investigations from Alerts |
Create ServiceNow User | Create ServiceNow User |
CrowdStrike Falcon Endpoint - Isolate | CrowdStrike Falcon Endpoint Protection Isolate |
CrowdStrike Falcon Endpoint - Undo Isolate | CrowdStrike Falcon Endpoint Protection Undo Isolate Host |
Deactivate Change Password At Next Login Google Workspace Admin SDK API | Deactivate Change Password At Next Login for a user using Google Workspace Admin SDK API |
Deactivate ServiceNow User | Deactivate ServiceNow User |
Detonate URL | Detonates a URL and provides the results as enrichment |
Disable User | Enables the Disable User response action on users |
Dismiss User As Compromised | Dismiss User As Compromised |
Enable User | Enables the Enable User response action on users |
Endpoint Tagging | Add or remove tags on any number of endpoints |
Endpoint Tagging - Multi | Allow running Endpoint Tagging playbooks multiple times for different criteria |
Enrich Investigation | Enables the enrichment of an investigation |
Entity Enrichment Look Up Asset | Enables the enrichment of asset entities |
EverBridge Alert Incident | Create an EverBridge Incident based on an XDR Alert |
EverBridge Investigation Incident | Create an EverBridge Incident based on an XDR Investigation |
Freshdesk Investigation Sync | Sync Taegis investigations with Freshdesk incidents |
Freshservice Alert Ticket | Create a Freshservice Ticket based on a Taegis Alert |
Freshservice Investigation Sync | Sync Taegis investigations with Freshservice tickets |
Freshservice Investigation Ticket | Create a Freshservice Ticket based on a Taegis Investigation |
Generic Webhook | Post all inputs to a webhook URL |
Halo ITSM Investigation Synch | Sync XDR Investigations with Halo ITSM incidents |
Health Event Investigation | Create Taegis Investigations from Health Events |
Initiate Antivirus Scan on Host | Enables the Initiate Antivirus Scan response action on hosts |
Investigation CrowdStrikeFalcon Incident Sync | Sync Investigations to CrowdStrikeFalcon Incidents |
Investigation Email Notification | Send email notifications for investigations |
Investigation Email Notification with Google Gmail | Send email notifications for Investigation with Google Gmail API |
Investigation ITSM Sync | ServiceNow Investigation 1-way Sync to ITSM Incidents |
Investigation Service Now MultiTeam Sync | Investigation ServiceNow MultiTeam Sync |
Investigation SIR Sync | ServiceNow Investigation Sync to Security Incident Response |
Investigation SMAX Sync | Taegis Investigation sync to Micro Focus SMAX ticket |
Investigation Translate Comments | Translate the Comments of an Investigation into another language |
Investigation Translate Key Findings | Translate the Key Findings of an Investigation into another language |
Investigations Email Report | Email report about Taegis Investigations |
Isolate Host | Enables the Isolate Host response action on hosts |
Isolate Host Automated Action | Isolate Host Automated Response Action |
ITSM Incident Vulnerability | Create a ServiceNow Incident based on an XDR Vulnerability |
Jira Alert Issue | Create an Atlassian Jira Issue based on an XDR Alert |
Jira Investigation Issue | Create an Atlassian Jira Issue based on an XDR Investigation |
Jira Investigation Sync | Sync Jira issue with Security Response Investigations |
Jira Vulnerability Issue | Create an Atlassian Jira Issue based on an XDR Vulnerability |
JupiterOne Investigation AWS Instance Enrichment | Enrich an investigation with AWS instance context from JupiterOne |
Look Up Asset Vulnerabilities | Enables the enrichment of asset vulnerabilities |
Look Up File Hash | Look Up File Hash and provides the results as enrichment |
Look Up User | Enables the enrichment of user entities |
Look Up User Google Workspace Admin SDK API | Look up a user using Google Workspace Admin SDK API |
ManageEngine ServiceDesk Plus Alert | Playbook used to create Requests with ManageEngine Service Desk Plus from XDR Alerts |
ManageEngine ServiceDesk Plus Investigation Sync | Playbook used to sync Investigations with ManageEngine Service Desk Plus Requests |
MD ATP - Block Filehash Globally | Microsoft Defender ATP Block Filehash Globally |
MD ATP - Host Response Action | Perform various response actions against a Microsoft Defender host |
MD ATP - Isolate Host | Microsoft Defender ATP Isolate Host |
MD ATP - Single Endpoint Filehash Block | Microsoft Defender ATP Block Filehash on a Single Endpoint |
MD ATP - Undo Isolate Host | Microsoft Defender ATP Undo Isolate Host |
Microsoft Entra ID Disable User | Disable Microsoft Entra ID user account using the Microsoft Graph API |
Microsoft Entra ID Enable User | Enable Microsoft Entra ID user account using the Microsoft Graph API |
Microsoft Entra ID Force Password Reset | Force a password reset on a Microsoft Entra ID user account using the Microsoft Graph API |
Microsoft Entra ID Look Up User | Look up a Microsoft Entra ID user using the Microsoft Graph API |
Microsoft Teams Notification | Send a Microsoft Teams notification via webhook |
Notifications via Google Workspace Chat | Send Taegis notifications to Google Workspace Chat webhook |
Okta Look Up User | Look up an Okta user |
OpenAI Enrich Investigation | Enrich the key findings of an investigation via OpenAI |
Opsgenie XDR Alert | Create an Atlassian Opsgenie Alert or Incident based on an XDR Alert |
Opsgenie XDR Investigation | Create an Atlassian Opsgenie Alert or Incident based on an XDR Investigation |
PagerDuty Alert Event | Send a PagerDuty Event based on an XDR Alert |
PagerDuty Investigation Event | Send a PagerDuty Event based on an XDR Investigation |
PagerDuty Investigation Sync | Sync PagerDuty incidents with Security Response Investigations |
Palo Alto Networks PAN-OS Block/Unblock | Block and unblock IP/CIDR or Domain in Palo Alto Networks PAN-OS |
RC - Isolate | Red Cloak Endpoint Agent Isolate |
RC - Undo Isolate Host | Red Cloak Endpoint Agent Undo Isolate Host |
RC Disable Process Disruption | Disable a disrupt process (block filehash) rule in Red Cloak Endpoint Agent |
RC Process Disruption | Disrupt process (block filehash) in Red Cloak Endpoint Agent |
Reactivate User Google Workspace Admin SDK API | Reactivate a user using Google Workspace Admin SDK API |
Reset MFA Factors | Enables the Reset MFA Factors response action on users |
Revoke User Sign-In Sessions | Enables the Revoke User Sign-In Sessions response action on users |
Salesforce Slack Notification | Send a Salesforce Slack Notification via Webhook |
SCADAfence Platform Investigation Enrichment | Enrich a Taegis Investigation with SCADAfence alert/asset details |
Send Notification Message | Send a notification message to a supported messaging platform |
SentinelOne - Host Response Actions | Perform various response actions against a SentinelOne agent |
SentinelOne - Isolate | SentinelOne Isolate |
SentinelOne - Undo Isolate Host | SentinelOne Undo Isolate Host |
SentinelOne Threat Mitigation Response Actions | Perform Threat Mitigation response actions against Taegis Alerts |
ServiceNow Bidirectional Investigation Sync (Inbound) | Update a Taegis Investigation based on data provided by ServiceNow |
ServiceNow Bidirectional Investigation Sync (Outbound) | Sync an investigation with ServiceNow using Import Sets |
Suspend User Google Workspace Admin SDK API | Suspend a user using Google Workspace Admin SDK API |
Sync Alert | Sync third party alert with XDR |
Taegis Agent - Isolate | Taegis Agent Isolate |
Taegis Agent - Restore | Taegis Agent Restore from isolation |
Taegis NDR Block | Block (shun) a specific IP address on a Taegis NDR device |
Taegis NDR Firewall Modification | Perform various Taegis NDR firewall related actions |
Taegis NDR Unblock | Unblock (unshun) a specific IP address on a Taegis NDR device |
UnBlock Domain | Enables the UnBlock Domain response action |
UnBlock Email Address | Enables the UnBlock Email Address response action |
UnBlock File Hash | Enables the UnBlock File Hash response action on file hashes |
UnBlock IP | Enables the UnBlock IP response action on IP addresses |
UnBlock URL | Enables the UnBlock URL response action |
UnIsolate Host | Enables the UnIsolate Host response action on hosts |
Update Investigation with Network Flow Summary | Update Investigation with Network Flow Summary |
Update ServiceNow User | Generic ServiceNow user update |
Update Taegis Investigation | Allow for updating an existing Taegis investigation |
xMatters Webhook Alert | Trigger an xMatters event from an Alert via Webhook |
xMatters Webhook Investigation | Trigger an xMatters event from an Investigation via Webhook |
Zendesk Investigation Sync | Sync XDR Investigations with Zendesk incidents |