{
  "description": "Generated machine readable doc of deprecated content items",
  "integrations": [
    {
      "id": "Symantec Deepsight Intelligence",
      "name": "Accenture Deepsight Intelligence",
      "description": "Deprecated. Use ACTI Vulnerability Query instead.",
      "note": "Use ACTI Vulnerability Query instead.",
      "maintenance_start": "Apr 01, 2022",
      "eol_start": "Oct 01, 2022"
    },
    {
      "id": "activedir",
      "name": "Active Directory Query",
      "description": "Query LDAP directory servers",
      "maintenance_start": "Apr 01, 2019",
      "eol_start": "Apr 01, 2020",
      "note": "Use the Active Directory Query v2 integration instead."
    },
    {
      "id": "Alexa Rank Indicator",
      "name": "Alexa Rank Indicator",
      "description": "Deprecated. Vendor has declared end of life for this product. No available replacement.",
      "note": "Vendor has declared end of life for this product. No available replacement.",
      "maintenance_start": "Feb 01, 2023",
      "eol_start": "Aug 01, 2023"
    },
    {
      "id": "Alexa Rank Indicator v2",
      "name": "Alexa Rank Indicator v2",
      "description": "Deprecated. Vendor has declared end of life for this product. No available replacement.",
      "note": "Vendor has declared end of life for this product. No available replacement.",
      "maintenance_start": "Feb 01, 2023",
      "eol_start": "Aug 01, 2023"
    },
    {
      "id": "AlienVault OTX",
      "name": "AlienVault OTX",
      "description": "Deprecated. We recommend using AlienVault OTX v2 instead. Query IOCs in AlienVault",
      "note": "We recommend using AlienVault OTX v2 instead.",
      "maintenance_start": "Dec 01, 2019",
      "eol_start": "Jun 01, 2020"
    },
    {
      "id": "Amazon Web Services",
      "name": "Amazon Web Services",
      "description": "Deprecated. AWS - Amazon public cloud, EC2 service",
      "note": "Use the AWS - EC2 integration instead.",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Feb 01, 2020"
    },
    {
      "id": "Anomali ThreatStream",
      "name": "Anomali ThreatStream",
      "description": "Deprecated. Use Anomali ThreatStream v3 instead. Use Anomali ThreatStream to query and submit threats",
      "note": "Use Anomali ThreatStream v3 instead.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jul 01, 2022"
    },
    {
      "id": "Anomali ThreatStream v2",
      "name": "Anomali ThreatStream v2",
      "description": "Deprecated. Use Anomali ThreatStream v3 integration instead.",
      "note": "Use Anomali ThreatStream v3 integration instead.",
      "maintenance_start": "Feb 01, 2023",
      "eol_start": "Aug 01, 2023"
    },
    {
      "id": "ArcSight ESM",
      "name": "ArcSight ESM",
      "description": "Deprecated. ArcSight ESM SIEM by Micro Focus (Formerly HPE Software).",
      "note": "Use the ArcSight ESM v2 integration instead.",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Feb 01, 2020"
    },
    {
      "id": "ArcSight XML",
      "name": "ArcSight XML",
      "description": "Deprecated. Use the ArcSight ESM v2 integration instead.",
      "note": "Use the ArcSight ESM v2 integration instead.",
      "maintenance_start": "Jul 01, 2024",
      "eol_start": "Jan 01, 2025"
    },
    {
      "id": "jira",
      "name": "Atlassian Jira",
      "description": "Deprecated. Issue tracking product, developed by Atlassian",
      "note": "Use the Atlassian Jira v2 integration instead.",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Feb 01, 2020"
    },
    {
      "id": "jira-v2",
      "name": "Atlassian Jira v2",
      "description": "Deprecated. Use the Atlassian Jira v3 integration instead.",
      "note": "",
      "maintenance_start": "Oct 01, 2023",
      "eol_start": "Apr 01, 2024"
    },
    {
      "id": "AutoFocus Daily Feed",
      "name": "AutoFocus Daily Feed",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Apr 01, 2022",
      "eol_start": "Oct 01, 2022"
    },
    {
      "id": "AutoFocus Feed",
      "name": "AutoFocus Feed",
      "description": "Deprecated. Use the Unit 42 Feed integration instead.",
      "note": "Use the Unit 42 Feed integration instead.",
      "maintenance_start": "Nov 01, 2025",
      "eol_start": "Dec 01, 2025"
    },
    {
      "id": "AutoFocusTagsFeed",
      "name": "AutoFocus Tags Feed",
      "description": "Deprecated. Use Unit 42 Intel Objects Feed instead. Use the AutoFocus Tags Feed integration to fetch indicators from AutoFocus Tags.",
      "note": "Use Unit 42 Intel Objects Feed instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Azure Active Directory Identity Protection",
      "name": "Azure Active Directory Identity Protection",
      "description": "Deprecated. Use Microsoft Graph Identity and Access instead.",
      "note": "Use Microsoft Graph Identity and Access instead.",
      "maintenance_start": "Aug 01, 2022",
      "eol_start": "Feb 01, 2023"
    },
    {
      "id": "Azure Compute",
      "name": "Azure Compute",
      "description": "Deprecated. Create and Manage Azure Virtual Machines",
      "note": "Use the Azure Compute v2 integration instead.",
      "maintenance_start": "Nov 01, 2019",
      "eol_start": "May 01, 2020"
    },
    {
      "id": "Azure Security Center",
      "name": "Azure Security Center",
      "description": "Deprecated. Unified security management and advanced threat protection across hybrid cloud workloads.",
      "note": "Use the Azure Security Center v2 integration instead.",
      "maintenance_start": "Nov 01, 2019",
      "eol_start": "May 01, 2020"
    },
    {
      "id": "BitcoinAbuse",
      "name": "BitcoinAbuse Feed",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Sep 01, 2023",
      "eol_start": "Mar 01, 2024"
    },
    {
      "id": "Blockade.io",
      "name": "Blockade.io",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Feb 01, 2022",
      "eol_start": "Aug 01, 2022"
    },
    {
      "id": "Blueliv_Beta",
      "name": "Blueliv (Beta)",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Jun 01, 2024",
      "eol_start": "Dec 01, 2024"
    },
    {
      "id": "Box",
      "name": "Box",
      "description": "Deprecated. Use the Box v2 integration instead.",
      "note": "Use the Box v2 integration instead.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jul 01, 2022"
    },
    {
      "id": "carbonblackprotection",
      "name": "Carbon Black Enterprise Protection",
      "description": "Carbon Black Enterprise Protection is a next-generation endpoint threat prevention solution to deliver a portfolio of protection policies, real-time visibility across environments, and comprehensive compliance rule sets in a single platform.",
      "maintenance_start": "May 01, 2019",
      "eol_start": "May 01, 2020",
      "note": "Use the VMware Carbon Black App Control v2 integration instead."
    },
    {
      "id": "carbonblack",
      "name": "Carbon Black Enterprise Response",
      "description": "Query and response with Carbon Black endpoint detection and response",
      "maintenance_start": "May 01, 2019",
      "eol_start": "May 01, 2020",
      "note": "Use the VMware Carbon Black EDR integration instead."
    },
    {
      "id": "Check Point",
      "name": "Check Point Firewall",
      "description": "Deprecated. Use the Check Point Firewall v2 integration instead. Manage Check Point firewall via API",
      "note": "Use the Check Point Firewall v2 integration instead.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jul 01, 2022"
    },
    {
      "id": "Check Point Sandblast Appliance",
      "name": "Check Point Sandblast Appliance",
      "description": "Deprecated. Use Check Point Threat Emulation (SandBlast) instead. Query, upload and download data using Check Point Sandblast on local gateway.",
      "note": "Use Check Point Threat Emulation (SandBlast) instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "Check Point Sandblast",
      "name": "Check Point Sandblast Cloud Services",
      "description": "Deprecated. Use Check Point Threat Emulation (SandBlast) instead. Query, upload and download data using Check Point Sandblast on cloud.",
      "note": "Use Check Point Threat Emulation (SandBlast) instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "CiscoAMP",
      "name": "Cisco AMP",
      "description": "Deprecated. Use Cisco AMP v2 instead.",
      "note": "Use Cisco AMP v2 instead.",
      "maintenance_start": "Feb 01, 2023",
      "eol_start": "Aug 01, 2023"
    },
    {
      "id": "Cisco Email Security Appliance (IronPort)",
      "name": "Cisco Email Security Appliance (IronPort)",
      "description": "Deprecated. Use Cisco Email Security Appliance (IronPort) V2 instead.",
      "note": "Use Cisco Email Security Appliance (IronPort) V2 instead.",
      "maintenance_start": "Dec 01, 2022",
      "eol_start": "Jun 01, 2023"
    },
    {
      "id": "Cisco Meraki",
      "name": "Cisco Meraki",
      "description": "Cloud controlled WiFi, routing, and security. Deprecated. Use CiscoMerakiv2 instead.",
      "note": "Use CiscoMerakiv2 instead.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "Threat Grid",
      "name": "Cisco Threat Grid",
      "description": "Deprecated. Use Cisco Secure Malware Analytics (Threat Grid) v2 instead.",
      "note": "Use Cisco Secure Malware Analytics (Threat Grid) v2 instead.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "Cisco Umbrella Cloud Security",
      "name": "Cisco Umbrella Cloud Security",
      "description": "Deprecated. Use Cisco Umbrella Cloud Security v2 instead.",
      "note": "Use Cisco Umbrella Cloud Security v2 instead.",
      "maintenance_start": "Sep 01, 2023",
      "eol_start": "Mar 01, 2024"
    },
    {
      "id": "CiscoEmailSecurity",
      "name": "CiscoEmailSecurity (Beta)",
      "description": "Deprecated. Use Cisco Security Management Appliance instead.",
      "note": "Use Cisco Security Management Appliance instead.",
      "maintenance_start": "Jul 01, 2023",
      "eol_start": "Jan 01, 2024"
    },
    {
      "id": "CiscoWSA",
      "name": "CiscoWSA",
      "description": "Deprecated. Use CiscoWSAV2 instead.",
      "note": "Use CiscoWSAV2 instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Cofense Intelligence",
      "name": "Cofense Intelligence",
      "description": "Deprecated. Use Cofense Intelligence v2 instead. Use the Cofense Intelligence integration to check the reputation of URLs, IP addresses, file hashes, and email addresses.",
      "note": "Use Cofense Intelligence v2 instead.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jul 01, 2022"
    },
    {
      "id": "ExpanseV2",
      "name": "Cortex Xpanse Legacy",
      "description": "Deprecated. Use Cortex Xpanse integration instead. > The Xpanse integration for Cortex XSOAR leverages the Expander API to create incidents from Cortex Xpanse issues. It also leverages Cortex Xpanse's unparalleled view of the Internet to enrich IPs, domains and certificates using information from assets discovered by Cortex Xpanse Expander and risky flows detected by Cortex Xpanse Behavior.",
      "note": "Use Cortex Xpanse integration instead.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "FalconIntel",
      "name": "CrowdStrike Falcon Intel",
      "description": "Deprecated. Use CrowdStrike Falcon Intel v2 integration instead.",
      "note": "Use the CrowdStrike Falcon Intel v2 integration instead.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jul 01, 2022"
    },
    {
      "id": "VxStream",
      "name": "CrowdStrike Falcon Sandbox",
      "description": "Deprecated. Use CrowdStrike Falcon Sandbox V2 instead.",
      "note": "Use CrowdStrike Falcon Sandbox V2 instead.",
      "maintenance_start": "Mar 01, 2022",
      "eol_start": "Sep 01, 2022"
    },
    {
      "id": "crowdstrike-streaming-api",
      "name": "CrowdStrike Falcon Streaming",
      "description": "Deprecated - We recommend using CrowdStrike Falcon Streaming v2 instead. The Falcon Streaming API (formerly known as the Falcon Firehose API)",
      "maintenance_start": "May 01, 2020",
      "eol_start": "May 01, 2021",
      "note": "Use the CrowdStrike Falcon Streaming v2 integration instead."
    },
    {
      "id": "CVE Search",
      "name": "CVE Search",
      "description": "Deprecated. Search CVE Information - powered by circl.lu",
      "note": "Use the CVE Search v2 integration instead.",
      "maintenance_start": "Apr 01, 2020",
      "eol_start": "Oct 01, 2020"
    },
    {
      "id": "CVE Search v2",
      "name": "CVE Search v2",
      "description": "Deprecated. Use CIRCL CVE Search instead.",
      "note": "Use CIRCL CVE Search instead.",
      "maintenance_start": "Jul 01, 2023",
      "eol_start": "Jan 01, 2024"
    },
    {
      "id": "CyberArkAIM",
      "note": "Use the CyberArk AIM v2 integration instead."
    },
    {
      "id": "Cylance Protect",
      "name": "Cylance Protect",
      "description": "Deprecated. Manage Endpoints using Cylance protect",
      "note": "Use the Cylance Protect v2 integration instead.",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Feb 01, 2020"
    },
    {
      "id": "cylance",
      "name": "CylanceINFINITY",
      "description": "File threat intelligence",
      "maintenance_start": "Jun 01, 2019",
      "eol_start": "Aug 01, 2020",
      "note": "This service has been discontinued for external users by Cylance."
    },
    {
      "id": "Cymon",
      "name": "Cymon",
      "description": "Deprecated. Analyzes suspicious domains and IP addresses",
      "note": "Service has been discontinued by the vendor.",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Feb 01, 2020"
    },
    {
      "id": "Demisto REST API",
      "name": "Demisto REST API",
      "description": "Deprecated. Use Core REST API instead.",
      "note": "Use Core REST API instead.",
      "maintenance_start": "Feb 01, 2023",
      "eol_start": "Aug 01, 2023"
    },
    {
      "id": "elasticsearch",
      "name": "Elasticsearch",
      "description": "Deprecated. Use the Elasticsearch v2 integration instead. Search & Analyze Data in Real Time",
      "maintenance_start": "Sep 01, 2019",
      "eol_start": "Sep 01, 2020",
      "note": "Use the Elasticsearch v2 integration instead."
    },
    {
      "id": "EWS",
      "name": "EWS",
      "description": "Deprecated. Exchange Web Services and Office 365 (mail).",
      "note": "Use the EWS v2 or the EWS O365 integrations instead.",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Feb 01, 2020"
    },
    {
      "id": "EWS Extension Online Powershell v2",
      "name": "EWS Extension Online Powershell v2",
      "description": "Deprecated. Use ***EWS Extension Online Powershell v3*** instead.",
      "note": "Use ***EWS Extension Online Powershell v3*** instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "EWS Mail Sender",
      "name": "EWS Mail Sender",
      "description": "Exchange Web Services mail sender. Note: this integration supports Office 365 basic authentication only. If you are using Office 365, we recommend using the EWS O365 Integration instead, which supports modern authentication (OAuth2). Deprecated. Use EWS v2 instead.",
      "note": "",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "Exchange 2016 Compliance Search",
      "name": "Exchange 2016 Compliance Search",
      "description": "Deprecated. Use EWS V2 instead.",
      "note": "Use EWS V2 instead.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "FeedExpanse",
      "name": "Expanse Expander Feed",
      "description": "Deprecated. Use Xpanse Feed integration instead. > Use this feed to retrieve the discovered IPs/Domains/Certificates from Expanse Expander asset database.",
      "note": "Use Xpanse Feed integration instead.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "ExportIndicators",
      "name": "Export Indicators Service",
      "description": "Deprecated. Use the Generic Export Indicators Service integration instead. Use the Export Indicators Service integration to provide an endpoint with a list of indicators as a service for the system indicators.",
      "note": "Use the Generic Export Indicators Service integration instead.",
      "maintenance_start": "Feb 01, 2022",
      "eol_start": "Aug 01, 2022"
    },
    {
      "id": "ExtraHop",
      "name": "ExtraHop",
      "description": "Deprecated. We recommend using ExtraHop Reveal(x) instead. ExtraHop performs real-time stream analysis of the packets that carry data across a network.",
      "note": "We recommend using ExtraHop Reveal(x) instead.",
      "maintenance_start": "Dec 01, 2019",
      "eol_start": "Jun 01, 2020"
    },
    {
      "id": "FalconHost",
      "name": "FalconHost",
      "description": "Deprecated. Use the CrowdStrike Falcon integration instead.",
      "note": "Use the CrowdStrike Falcon integration instead.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jul 01, 2022"
    },
    {
      "id": "Feodo Tracker Hashes Feed",
      "name": "Feodo Tracker Hashes Feed",
      "description": "Deprecated. Feodo Tracker no longer supports this feed. No available replacement.",
      "note": "EOL by vendor. Feodo Tracker no longer supports this feed.",
      "maintenance_start": "Nov 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "FireEye HX",
      "name": "FireEye HX",
      "description": "Deprecated. Use FireEyeHX v2 instead.",
      "note": "Use FireEyeHX v2 instead.",
      "maintenance_start": "Aug 01, 2022",
      "eol_start": "Feb 01, 2023"
    },
    {
      "id": "FortiSandbox",
      "name": "FortiSandbox",
      "description": "FortiSandbox integration is used to submit files to FortiSandbox for malware analysis and retrieving the report of the analysis. It can also provide file rating based on hashes for already scanned files. Deprecated. Use FortiSandboxv2 instead.",
      "note": "Use FortiSandboxv2 instead.",
      "maintenance_start": "May 01, 2024",
      "eol_start": "Nov 01, 2024"
    },
    {
      "id": "GCP Whitelist Feed",
      "name": "GCP Whitelist Feed",
      "description": "Deprecated. Use the Google IP Ranges Feed integration instead.",
      "note": "Use the Google IP Ranges Feed integration instead.",
      "maintenance_start": "Dec 01, 2021",
      "eol_start": "Jun 01, 2022"
    },
    {
      "id": "GoogleSafeBrowsing",
      "name": "Google Safe Browsing",
      "description": "Deprecated. Use Google Safe Browsing v2 instead.",
      "note": "Use Google Safe Browsing v2 instead.",
      "maintenance_start": "Feb 01, 2022",
      "eol_start": "Aug 01, 2022"
    },
    {
      "id": "GuardiCore",
      "name": "GuardiCore",
      "description": "Deprecated. Use GuardiCore v2 instead.",
      "note": "Use GuardiCore v2 instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Pwned",
      "name": "Have I Been Pwned?",
      "description": "Deprecated. Use the Have I Been Pwned? V2 integration instead. Checks whether emails or domains have been compromised in recent breaches, using the Have I Been Pwned? service.",
      "note": "Use the Have I Been Pwned? V2 integration instead.",
      "maintenance_start": "Sep 01, 2019",
      "eol_start": "Mar 01, 2020"
    },
    {
      "id": "Hybrid Analysis",
      "name": "Hybrid Analysis",
      "description": "Deprecated. Use CrowdStrike Falcon Sandbox v2 instead.",
      "note": "Use CrowdStrike Falcon Sandbox v2 instead.",
      "maintenance_start": "Sep 01, 2022",
      "eol_start": "Mar 01, 2023"
    },
    {
      "id": "QRadar",
      "name": "IBM QRadar",
      "description": "Deprecated. Use IBM QRadar v2 or IBM QRadar v3 instead.",
      "note": "Use IBM QRadar v2 or IBM QRadar v3 instead.",
      "maintenance_start": "Jul 01, 2021",
      "eol_start": "Jan 01, 2022"
    },
    {
      "id": "QRadar_v2",
      "name": "IBM QRadar v2",
      "description": "Deprecated. Use the IBM QRadar v3 integration instead. Fetch offenses from QRadar using Cortex XSOAR. Supports API versions until 10.0. You can fetch the offenses with their related events and assets by creating a comma-separated list of event fields.",
      "note": "Use the IBM QRadar v3 integration instead.",
      "maintenance_start": "Dec 01, 2021",
      "eol_start": "Jun 01, 2022"
    },
    {
      "id": "XFE",
      "name": "IBM X-Force Exchange",
      "description": "Deprecated. Use the IBM X-Force Exchange v2 integration instead.",
      "note": "Use the IBM X-Force Exchange v2 integration instead.",
      "maintenance_start": "Mar 01, 2022",
      "eol_start": "Sep 01, 2022"
    },
    {
      "id": "Intezer",
      "name": "Intezer",
      "description": "Deprecated. Malware detection and analysis based on code reuse.",
      "note": "Use the Intezer v2 integration instead.",
      "maintenance_start": "Jan 01, 2020",
      "eol_start": "Jul 01, 2020"
    },
    {
      "id": "ipinfo",
      "name": "ipinfo",
      "description": "Deprecated. Use IPinfo v2 instead. Use the ipinfo.io API to get data about an IP address",
      "note": "Use IPinfo v2 instead.",
      "maintenance_start": "Feb 01, 2022",
      "eol_start": "Aug 01, 2022"
    },
    {
      "id": "jamf",
      "name": "jamf",
      "description": "Deprecated. Use Jamf v2 instead. Jamf device management. Please note, this integration is currently only compatible with the Jamf V1 API.",
      "note": "Use Jamf v2 instead.",
      "maintenance_start": "Mar 01, 2022",
      "eol_start": "Sep 01, 2022"
    },
    {
      "id": "Jask",
      "name": "Jask",
      "description": "Deprecated. Use Sumo Logic Cloud SIEM instead. Freeing the analyst with autonomous decisions.",
      "note": "Use Sumo Logic Cloud SIEM instead.",
      "maintenance_start": "Jul 01, 2021",
      "eol_start": "Jan 01, 2022"
    },
    {
      "id": "Joe Security",
      "name": "Joe Security",
      "description": "Deprecated. Use Joe Security v2 instead.",
      "note": "Use Joe Security v2 instead.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "kafka",
      "name": "Kafka",
      "description": "The Open source distributed streaming platform",
      "maintenance_start": "Oct 01, 2019",
      "eol_start": "Oct 01, 2020",
      "note": "Use the Kafka v2 integration instead."
    },
    {
      "id": "Kafka V2",
      "name": "Kafka v2",
      "description": "Deprecated. Use the Kafka v3 integration instead. The Open source distributed streaming platform.",
      "note": "Use the Kafka v3 integration instead.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jul 01, 2022"
    },
    {
      "id": "Kenna",
      "name": "Kenna",
      "description": "Deprecated. Use Kenna v2.",
      "note": "Use the Kenna v2 integration instead.",
      "maintenance_start": "Feb 01, 2020",
      "eol_start": "Aug 01, 2020"
    },
    {
      "id": "Lastline",
      "name": "Lastline",
      "description": "Deprecated. Provides threat analysts and incident response teams with the advanced malware isolation and inspection environment, needed to safely execute advanced malware samples and understand their behavior.",
      "note": "Use the Lastline v2 integration instead.",
      "maintenance_start": "Mar 01, 2020",
      "eol_start": "Sep 01, 2020"
    },
    {
      "id": "Lockpath KeyLight",
      "name": "Lockpath KeyLight",
      "description": "Deprecated. Use LockPath KeyLight v2.",
      "note": "Use the Lockpath KeyLight v2 integration instead.",
      "maintenance_start": "Oct 01, 2020",
      "eol_start": "Apr 01, 2021"
    },
    {
      "id": "LogRhythm",
      "name": "LogRhythm",
      "description": "Deprecated. Use the LogRhythmRest v2 integration instead.",
      "note": "Use the LogRhythmRest v2 integration instead.",
      "maintenance_start": "Mar 01, 2022",
      "eol_start": "Sep 01, 2022"
    },
    {
      "id": "mail-sender",
      "name": "Mail Sender",
      "description": "Send e-mail notifications to users",
      "maintenance_start": "Jun 01, 2019",
      "eol_start": "Jun 01, 2020",
      "note": "Use the Mail Sender (New) integration instead."
    },
    {
      "id": "Malware Domain List Active IPs Feed",
      "name": "Malware Domain List Active IPs Feed",
      "description": "Deprecated. This feed is no longer supported. No available replacement.",
      "note": "This feed is no longer supported. No available replacement.",
      "maintenance_start": "Sep 01, 2021",
      "eol_start": "Mar 01, 2022"
    },
    {
      "id": "malwr",
      "name": "malwr",
      "description": "Deprecated. The site at malwr.com is no longer available. No available replacement.",
      "note": "The site at malwr.com is no longer available. No available replacement.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "FeedMandiant",
      "name": "Mandiant Advantage Feed",
      "description": "Deprecated. Use Mandiant Advantage Threat Intelligence instead.",
      "note": "Use Mandiant Advantage Threat Intelligence instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "epo",
      "name": "McAfee ePO",
      "description": "Deprecated. Use McAfee ePO v2 instead.",
      "note": "Use McAfee ePO v2 instead.",
      "maintenance_start": "Feb 01, 2022",
      "eol_start": "Aug 01, 2022"
    },
    {
      "id": "esm",
      "name": "McAfee ESM",
      "description": "Run queries and receive alarms from Intel Security ESM up to version 9.X. Does NOT support version 10 and above",
      "maintenance_start": "Sep 01, 2020",
      "eol_start": "Sep 01, 2021",
      "note": "Use the McAfee ESM v2 integration instead."
    },
    {
      "id": "McAfee ESM-v10",
      "name": "McAfee ESM v10 and v11",
      "description": "Deprecated. Use the McAfee ESM v2 integration instead.",
      "note": "Use the McAfee ESM v2 integration instead.",
      "maintenance_start": "Sep 01, 2020",
      "eol_start": "Mar 01, 2021"
    },
    {
      "id": "McAfee NSM",
      "name": "McAfee NSM",
      "description": "Deprecated. Use McAfee NSM v2 integration instead.",
      "note": "Use McAfee NSM v2 integration instead.",
      "maintenance_start": "Feb 01, 2023",
      "eol_start": "Aug 01, 2023"
    },
    {
      "id": "McAfee Threat Intelligence Exchange",
      "name": "McAfee Threat Intelligence Exchange",
      "description": "Deprecated. Use McAfee Threat Intelligence Exchange V2 integration instead.",
      "note": "Use McAfee Threat Intelligence Exchange V2 integration instead.",
      "maintenance_start": "Jan 01, 2023",
      "eol_start": "Jul 01, 2023"
    },
    {
      "id": "McAfee Web Gateway",
      "name": "McAfee Web Gateway",
      "description": "Deprecated. Use Skyhigh Secure Web Gateway (On Prem) instead.",
      "note": "Use Skyhigh Secure Web Gateway (On Prem) instead.",
      "maintenance_start": "Jul 01, 2023",
      "eol_start": "Jan 01, 2024"
    },
    {
      "id": "Microsoft Advanced Threat Analytics",
      "name": "Microsoft Advanced Threat Analytics",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Sep 01, 2024",
      "eol_start": "Mar 01, 2025"
    },
    {
      "id": "Microsoft 365 Defender Event Collector",
      "name": "Microsoft Defender for Endpoint Alerts",
      "description": "Deprecated. Use 'Office 365' in the XSIAM Data Sources instead.",
      "note": "Use 'Office 365' in the XSIAM Data Sources instead.",
      "maintenance_start": "Jan 01, 2025",
      "eol_start": "Jul 01, 2025"
    },
    {
      "id": "Mimecast",
      "name": "Mimecast",
      "description": "Deprecated. Mimecast unified email management offers cloud email services for email security, continuity and archiving emails",
      "note": "Use the Mimecast v2 integration instead.",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Feb 01, 2020"
    },
    {
      "id": "Mimecast Authentication",
      "name": "Mimecast Authentication",
      "description": "Deprecated. Creates Access Key and Secret Key for Mimecast API",
      "note": "Use the Mimecast v2 integration instead.",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Feb 01, 2020"
    },
    {
      "id": "Mimecast Event Collector",
      "name": "Mimecast Event Collector",
      "description": "Deprecated. Use Mimecast Event Collector v2 instead.",
      "note": "Use Mimecast Event Collector v2 instead.",
      "maintenance_start": "Feb 01, 2026",
      "eol_start": "Aug 01, 2026"
    },
    {
      "id": "MISP",
      "name": "MISP",
      "description": "Deprecated. Malware Information Sharing Platform and Threat Sharing (This integration is deprecated, use MISP V2 instead)",
      "note": "Use the MISP v2 integration instead.",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Feb 01, 2020"
    },
    {
      "id": "MISP V2",
      "name": "MISP v2",
      "description": "Deprecated. Use the MISP v3 integration instead.",
      "note": "Use the MISP v3 integration instead.",
      "maintenance_start": "Oct 01, 2021",
      "eol_start": "Apr 01, 2022"
    },
    {
      "id": "MITRE ATT&CK",
      "name": "MITRE IDs Feed",
      "description": "Deprecated. Use MITRE ATT&CK Feed v2 instead.",
      "note": "Use MITRE ATT&CK Feed v2 instead.",
      "maintenance_start": "Dec 01, 2021",
      "eol_start": "Jun 01, 2022"
    },
    {
      "id": "Moloch",
      "name": "Moloch",
      "description": "Deprecated. Use Arkime instead.",
      "note": "Use Arkime instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "mysql",
      "name": "MySQL",
      "description": "Deprecated. Use the Generic SQL integration instead.",
      "maintenance_start": "May 01, 2020",
      "eol_start": "May 01, 2021",
      "note": "Use the Generic SQL integration instead."
    },
    {
      "id": "Netcraft",
      "name": "Netcraft",
      "description": "Deprecated. Use Netcraft_V2 (Display name: Netcraft) instead.",
      "note": "Use Netcraft_V2 (Display name: Netcraft) instead.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "Netskope",
      "name": "Netskope",
      "description": "Cloud access security broker that enables you to find, understand, and secure cloud apps. Deprecated. Use Netskope (API v1) instead.",
      "note": "Use Netskope (API v1) instead.",
      "maintenance_start": "Jun 01, 2022",
      "eol_start": "Dec 01, 2022"
    },
    {
      "id": "NetskopeEventCollector",
      "name": "Netskope Event Collector",
      "description": "Deprecated. Use Netskope Event Collector v2 instead.",
      "note": "Use Netskope Event Collector v2 instead.",
      "maintenance_start": "Jan 01, 2026",
      "eol_start": "Jul 01, 2026"
    },
    {
      "id": "nexpose",
      "name": "Nexpose",
      "description": "Receive vulnerability details",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Aug 01, 2020",
      "note": "Use the Rapid7 Nexpose integration instead."
    },
    {
      "id": "EwsExtension",
      "name": "O365 - EWS - Extension",
      "description": "Deprecated. Use ***EWS Extension Online Powershell v3*** instead.",
      "note": "Use ***EWS Extension Online Powershell v3*** instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "SecurityAndCompliance",
      "name": "O365 - Security And Compliance - Content Search",
      "description": "This integration allows you to manage and interact with Microsoft security and compliance content search.",
      "note": "",
      "maintenance_start": "Sep 01, 2023",
      "eol_start": "Mar 01, 2024"
    },
    {
      "id": "SecurityAndComplianceV2",
      "name": "O365 - Security And Compliance - Content Search v2",
      "description": "Deprecated. Use the Microsoft Graph Security integration instead. This integration allows you to manage and interact with Microsoft security and compliance content search.",
      "note": "Use the Microsoft Graph Security integration instead.",
      "maintenance_start": "Jul 01, 2026",
      "eol_start": "Jan 01, 2027"
    },
    {
      "id": "O365 Defender SafeLinks - Single User",
      "name": "O365 Defender SafeLinks - Single User",
      "description": "Deprecated. Use O365 Defender SafeLinks instead. Enables URL scanning, rewriting inbound email messages in the mail flow, time-of-click URL verification, and links in email messages and other locations.",
      "note": "Use O365 Defender SafeLinks instead.",
      "maintenance_start": "Jul 01, 2024",
      "eol_start": "Jan 01, 2025"
    },
    {
      "id": "okta",
      "name": "okta",
      "description": "Deprecated. Use the Okta v2 integration instead.",
      "note": "Use the Okta v2 integration instead.",
      "maintenance_start": "Mar 01, 2022",
      "eol_start": "Sep 01, 2022"
    },
    {
      "id": "OpenAI",
      "name": "OpenAI",
      "description": "Deprecated. Use `OpenAI GPT` instead.",
      "note": "Use `OpenAI GPT` instead.",
      "maintenance_start": "Jun 01, 2024",
      "eol_start": "Dec 01, 2024"
    },
    {
      "id": "OpenCTI Feed",
      "name": "OpenCTI Feed 3.X",
      "description": "Deprecated. Use OpenCTI Feed 4.X instead.",
      "note": "Use OpenCTI Feed 4.X instead.",
      "maintenance_start": "Jan 01, 2023",
      "eol_start": "Jul 01, 2023"
    },
    {
      "id": "OpenPhish",
      "name": "OpenPhish",
      "description": "Deprecated. Use the OpenPhish v2 integration instead.",
      "note": "Use the OpenPhish v2 integration instead.",
      "maintenance_start": "Mar 01, 2022",
      "eol_start": "Sep 01, 2022"
    },
    {
      "id": "OpsGenie",
      "name": "OpsGenie",
      "description": "Deprecated. Use the OpsGenie v3 integration instead",
      "note": "",
      "maintenance_start": "Mar 01, 2022",
      "eol_start": "Sep 01, 2022"
    },
    {
      "id": "OPSWAT-Metadefender",
      "name": "OPSWAT-Metadefender",
      "description": "Deprecated. At the heart of the solution, the Metadefender multi-scanning engine uses 30+ anti-malware engines to scan files for threats, significantly increasing malware detection.",
      "note": "Use the OPSWAT-Metadefender v2 integration instead.",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Feb 01, 2020"
    },
    {
      "id": "pagerduty",
      "name": "PagerDuty",
      "description": "Alert and notify users using PagerDuty",
      "maintenance_start": "Feb 01, 2019",
      "eol_start": "Feb 01, 2020",
      "note": "Use the PagerDuty v2 integration instead."
    },
    {
      "id": "Autofocus",
      "name": "Palo Alto AutoFocus",
      "description": "Deprecated. Use the Palo Alto Networks AutoFocus v2 integration instead. Palo Alto Networks AutoFocus enables you to distinguish the most important threats from everyday commodity attacks.",
      "note": "Use the Palo Alto Networks AutoFocus v2 integration instead.",
      "maintenance_start": "Jun 01, 2019",
      "eol_start": "Jun 01, 2020"
    },
    {
      "id": "AutoFocus V2",
      "name": "Palo Alto Networks AutoFocus v2",
      "description": "Deprecated. Use the Unit 42 Intelligence integration instead.",
      "note": "Use the Unit 42 Intelligence integration instead.",
      "maintenance_start": "Nov 01, 2025",
      "eol_start": "Dec 01, 2025"
    },
    {
      "id": "BPA",
      "name": "Palo Alto Networks BPA",
      "description": "Deprecated. Use Palo Alto Networks AIops instead, run aiops-bpa-report-generate command.",
      "note": "Use Palo Alto Networks AIops instead, run aiops-bpa-report-generate command.",
      "maintenance_start": "May 01, 2024",
      "eol_start": "Nov 01, 2024"
    },
    {
      "id": "Palo Alto Networks Cortex",
      "name": "Palo Alto Networks Cortex",
      "description": "Deprecated. We recommend using the Cortex Data Lake integration instead. This framework manages all PA's cloud managed products",
      "note": "We recommend using the Cortex Data Lake integration instead.",
      "maintenance_start": "Apr 01, 2020",
      "eol_start": "Oct 01, 2020"
    },
    {
      "id": "Palo Alto Networks IoT 3rd Party",
      "name": "Palo Alto Networks IoT 3rd Party",
      "description": "Deprecated. Use the following link instead. To get the latest Palo Alto Networks IoT 3rd Party Integrations content pack, visit: https://docs.paloaltonetworks.com/iot/iot-security-integration/get-started-with-iot-security-integrations/third-party-integrations-using-a-full-featured-xsoar-server",
      "note": "Use the following link instead.",
      "maintenance_start": "Oct 01, 2023",
      "eol_start": "Apr 01, 2024"
    },
    {
      "id": "LightCyber Magna",
      "name": "Palo Alto Networks Magnifier",
      "description": "Deprecated. Magnifier Behavioral Analytics empowers organizations to quickly find and stop the stealthiest network threats.",
      "note": "Product has been replaced by Cortex XDR.",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Feb 01, 2020"
    },
    {
      "id": "Palo Alto Minemeld",
      "name": "Palo Alto Networks MineMeld",
      "description": "Deprecated. MineMeld streamlines the aggregation, enforcement and sharing of threat intelligence.",
      "note": "",
      "maintenance_start": "Oct 01, 2020",
      "eol_start": "Sep 1, 2021"
    },
    {
      "id": "palo_alto_networks_pan_os_edl_management",
      "name": "Palo Alto Networks PAN-OS EDL Management",
      "description": "Deprecated. Use the Generic Export Indicators Service integration instead. This integration is still supported however, for customers with over 1000 Firewalls.",
      "note": "Use the Palo Alto Networks PAN-OS EDL Service integration instead. For customers with over 1000 Firewalls, this integration remains fully supported.",
      "maintenance_start": "Apr 01, 2021",
      "eol_start": "Oct 01, 2021"
    },
    {
      "id": "Palo Alto Networks Threat Vault",
      "name": "Palo Alto Networks Threat Vault",
      "description": "Deprecated. Use Threat Vault v2 instead.",
      "note": "Use Threat Vault v2 instead.",
      "maintenance_start": "May 01, 2022",
      "eol_start": "Nov 01, 2022"
    },
    {
      "id": "Traps",
      "name": "Palo Alto Networks Traps",
      "description": "Deprecated. Use CortexXDR instead.",
      "note": "Use CortexXDR instead.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jul 01, 2022"
    },
    {
      "id": "WildFire",
      "name": "Palo Alto Networks WildFire",
      "description": "Deprecated. Perform malware dynamic analysis",
      "note": "Use the Palo Alto Networks WildFire v2 integration instead.",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Feb 01, 2020"
    },
    {
      "id": "Palo Alto Traps ESM (Beta)",
      "name": "Palo Alto Traps ESM",
      "description": "Deprecated. Use CortexXDR instead.",
      "note": "Use CortexXDR instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "Phishme Intelligence",
      "name": "Phishme Intelligence",
      "description": "Deprecated. Human-vetted, Phishing-specific Threat Intelligence from Phishme. Deprecated. Use the Cofense Intelligence integration instead.",
      "note": "Use the Cofense Intelligence integration instead.",
      "maintenance_start": "Jan 01, 2020",
      "eol_start": "Jul 01, 2020"
    },
    {
      "id": "PhishTank",
      "name": "PhishTank",
      "description": "Deprecated. Use the PhishTank v2 integration instead.",
      "note": "Use the PhishTank v2 integration instead.",
      "maintenance_start": "Mar 01, 2022",
      "eol_start": "Sep 01, 2022"
    },
    {
      "id": "PostgreSQL",
      "name": "PostgreSQL",
      "description": "Deprecated. Use The Generic SQL integration instead.",
      "note": "Use The Generic SQL integration instead.",
      "maintenance_start": "May 01, 2020",
      "eol_start": "Nov 01, 2020"
    },
    {
      "id": "Preempt",
      "name": "Preempt",
      "description": "Deprecated. No available replacement. Preempt Behavioral Firewall - Detection and enforcement based on user identity",
      "note": "No available replacement.",
      "maintenance_start": "Nov 01, 2022",
      "eol_start": "May 01, 2023"
    },
    {
      "id": "RedLock",
      "name": "Prisma Cloud (RedLock)",
      "description": "Deprecated. Use the Prisma Cloud v2 integration instead.",
      "note": "Use the Prisma Cloud v2 integration instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Proofpoint Server Protection",
      "name": "Proofpoint Protection Server",
      "description": "Deprecated. Use Proofpoint Protection Server V2 instead.",
      "note": "Use Proofpoint Protection Server V2 instead.",
      "maintenance_start": "Feb 01, 2021",
      "eol_start": "Aug 01, 2021"
    },
    {
      "id": "Proofpoint TAP",
      "name": "Proofpoint TAP",
      "description": "Deprecated. Proofpoint's Targeted Attack Protection (TAP) helps protect against and provide additional visibility into phishing and other malicious email attacks.",
      "note": "Use the Proofpoint TAP v2 integration instead.",
      "maintenance_start": "Oct 01, 2019",
      "eol_start": "Apr 01, 2020"
    },
    {
      "id": "Qualys",
      "name": "Qualys",
      "description": "Deprecated. Use Qualys VMDR instead.",
      "note": "Use Qualys VMDR instead.",
      "maintenance_start": "Aug 01, 2021",
      "eol_start": "Feb 01, 2022"
    },
    {
      "id": "Recorded Future",
      "name": "Recorded Future",
      "description": "Deprecated. Use Recorded Future v2 from RecordedFuture pack instead. Unique threat intel technology that automatically serves up relevant insights in real time.",
      "note": "Use Recorded Future v2 from RecordedFuture pack instead.",
      "maintenance_start": "Jul 01, 2021",
      "eol_start": "Jan 01, 2022"
    },
    {
      "id": "Remedy On-Demand",
      "name": "Remedy On-Demand",
      "description": "Deprecated. Use BMC Helix ITSM instead.",
      "note": "Use BMC Helix ITSM instead.",
      "maintenance_start": "Mar 01, 2024",
      "eol_start": "Sep 01, 2024"
    },
    {
      "id": "remoteaccess",
      "name": "Remote Access",
      "description": "Deprecated. Use the Remote Access v2 integration instead.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jan 01, 2023",
      "note": "Use the Remote Access v2 integration instead."
    },
    {
      "id": "RSA Archer",
      "name": "RSA Archer",
      "description": "Deprecated. Use the RSA Archer v2 integration instead.",
      "note": "We recommend using RSA Archer v2 instead. To allow adoption and a smooth transition, maintanence mode has been extended to 12 months.",
      "maintenance_start": "Nov 01, 2020",
      "eol_start": "Nov 01, 2021"
    },
    {
      "id": "SafeBreach",
      "name": "SafeBreach",
      "description": "Deprecated. SafeBreach simulates attacks across the kill chain, to validate security policy, configuration, and effectiveness. Quantify the real impact of a cyber attack on your systems at any given moment. Identify remediation options. Stay ahead of attackers.",
      "note": "Use the SafeBreach v2 integration instead.",
      "maintenance_start": "Aug 01, 2020",
      "eol_start": "Feb 01, 2021"
    },
    {
      "id": "Salesforce Event Collector",
      "name": "Salesforce Event Collector",
      "description": "Deprecated. Use Cortex XSIAM/XDR Salesforce integration instead.",
      "note": "Use Cortex XSIAM/XDR Salesforce integration instead.",
      "maintenance_start": "Jul 01, 2023",
      "eol_start": "Jan 01, 2024"
    },
    {
      "id": "Secdo",
      "name": "Secdo",
      "description": "Deprecated. Secdo's automated incident response platform hunts threats in real time and delivers an endpoint detection and response solution.",
      "note": "Product has been replaced by Cortex XDR.",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Feb 01, 2020"
    },
    {
      "id": "Server Message Block (SMB)",
      "name": "Server Message Block (SMB)",
      "description": "Deprecated. Use the Server Message Block (SMB) v2 integration instead.",
      "note": "Use the Server Message Block (SMB) v2 integration instead.",
      "maintenance_start": "Mar 01, 2021",
      "eol_start": "Sep 01, 2021"
    },
    {
      "id": "ServiceDeskPlus (On-Premise)",
      "name": "Service Desk Plus (On-Premise)",
      "description": "Deprecated. Use the Service Desk Plus instead.",
      "note": "Use the Service Desk Plus instead.",
      "maintenance_start": "Aug 01, 2023",
      "eol_start": "Feb 01, 2024"
    },
    {
      "id": "ServiceNow",
      "name": "ServiceNow",
      "description": "Deprecated. Use the ServiceNow v2 integration instead.",
      "note": "Use the ServiceNow v2 integration instead.",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "Shodan",
      "name": "Shodan",
      "description": "Deprecated. use Shodan v2 instead. Search engine for Internet-connected devices.",
      "note": "Use Shodan v2 instead.",
      "maintenance_start": "Oct 01, 2019",
      "eol_start": "Apr 01, 2020"
    },
    {
      "id": "slack",
      "name": "Slack",
      "description": "Deprecated - We recommend using Slack v2 instead. Send messages and notifications to your Slack Team.",
      "maintenance_start": "Sep 01, 2019",
      "eol_start": "Sep 01, 2020",
      "note": "Use the Slack v2 integration instead."
    },
    {
      "id": "SlackV2",
      "name": "Slack v2",
      "description": "Deprecated. Use SlackV3 instead.",
      "note": "Use SlackV3 instead.",
      "maintenance_start": "Feb 01, 2023",
      "eol_start": "Aug 01, 2023"
    },
    {
      "id": "SNDBOX",
      "name": "SNDBOX",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "May 01, 2022",
      "eol_start": "Nov 01, 2022"
    },
    {
      "id": "mssql",
      "name": "SQL Server",
      "description": "Deprecated. Use The Generic SQL integration instead.",
      "maintenance_start": "May 01, 2020",
      "eol_start": "May 01, 2021",
      "note": "Use the Generic SQL integration instead."
    },
    {
      "id": "Symantec Advanced Threat Protection",
      "name": "Symantec Advanced Threat Protection",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "Symantec Data Loss Prevention",
      "name": "Symantec Data Loss Prevention",
      "description": "Deprecated. Use the Symantec Data Loss Prevention V2 integration instead. Symantec Data Loss Prevention enables you to discover, monitor and protect your sensitive corporate information.",
      "note": "Use the Symantec Data Loss Prevention V2 integration instead.",
      "maintenance_start": "Aug 01, 2023",
      "eol_start": "Feb 01, 2024"
    },
    {
      "id": "Symantec Endpoint Protection",
      "name": "Symantec Endpoint Protection 14",
      "description": "Deprecated. Query the Symantec Endpoint Protection Manager using the official REST API- DEPRECATED. Please use Symantec Endpoint Protection V2 integration instead.",
      "note": "Please use Symantec Endpoint Protection V2 integration instead.",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Feb 01, 2020"
    },
    {
      "id": "syslog",
      "name": "Syslog",
      "description": "Deprecated. Use the Syslog v2 integration instead.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jan 01, 2023",
      "note": "Use the Syslog v2 integration instead."
    },
    {
      "id": "Tanium",
      "name": "Tanium",
      "description": "Deprecated. Use Tanium v2 instead.",
      "note": "Use Tanium v2 instead.",
      "maintenance_start": "Aug 01, 2023",
      "eol_start": "Feb 01, 2024"
    },
    {
      "id": "TCPIPUtils",
      "name": "TCPIPUtils",
      "description": "Deprecated. Service has been terminated by the vendor. No available replacement.",
      "note": "Service has been terminated by the vendor. No available replacement.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Threat Crowd",
      "name": "Threat Crowd",
      "description": "Deprecated. Use Threat Crowd v2 instead.",
      "note": "Use Threat Crowd v2 instead.",
      "maintenance_start": "Mar 01, 2022",
      "eol_start": "Sep 01, 2022"
    },
    {
      "id": "ThreatCrowd_v2",
      "name": "Threat Crowd v2",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Dec 01, 2022",
      "eol_start": "Jun 01, 2023"
    },
    {
      "id": "ThreatConnect",
      "name": "ThreatConnect",
      "description": "Deprecated. Use the ThreatConnect v3 integration instead.",
      "note": "Use the ThreatConnect v2 integration instead.",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "ThreatConnect v2",
      "name": "ThreatConnect v2",
      "description": "Deprecated. Use the ThreatConnect v3 integration instead.",
      "note": "Use the ThreatConnect v3 integration instead.",
      "maintenance_start": "Feb 01, 2023",
      "eol_start": "Aug 01, 2023"
    },
    {
      "id": "ThreatExchange",
      "name": "ThreatExchange",
      "description": "Deprecated. Use the ThreatExchange v2 integration instead.",
      "note": "Use the ThreatExchange v2 integration instead.",
      "maintenance_start": "Mar 01, 2022",
      "eol_start": "Sep 01, 2022"
    },
    {
      "id": "ThreatQ_Beta",
      "name": "ThreatQ",
      "description": "Deprecated. Use ThreatQ v2 instead. ThreatQ Integration",
      "note": "Use ThreatQ v2 instead.",
      "maintenance_start": "Sep 01, 2023",
      "eol_start": "Mar 01, 2024"
    },
    {
      "id": "Trend Micro",
      "name": "Trend Micro",
      "description": "Deprecated. Use Trend Micro Deep Security instead.",
      "note": "Use Trend Micro Deep Security instead.",
      "maintenance_start": "Aug 01, 2022",
      "eol_start": "Feb 01, 2023"
    },
    {
      "id": "Twitter",
      "name": "Twitter",
      "description": "Deprecated. Use Twitter v2 instead.",
      "note": "Use Twitter v2 instead.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "Unit42v2 Feed",
      "name": "Unit 42 ATOMs Feed",
      "description": "Deprecated. Use the Unit 42 Feed integration instead.",
      "note": "Use the Unit 42 Feed integration instead.",
      "maintenance_start": "Nov 01, 2025",
      "eol_start": "Dec 01, 2025"
    },
    {
      "id": "Unit42 Feed",
      "name": "Unit 42 Feed",
      "description": "Deprecated. Use Unit42 ATOMs Feed instead.",
      "note": "Use Unit42 ATOMs Feed instead.",
      "maintenance_start": "Dec 01, 2021",
      "eol_start": "Jun 01, 2022"
    },
    {
      "id": "Unit42IntelObjectsFeed",
      "name": "Unit 42 Intel Objects Feed",
      "description": "Deprecated. Use the Unit 42 Feed integration instead.",
      "note": "Use the Unit 42 Feed integration instead.",
      "maintenance_start": "Nov 01, 2025",
      "eol_start": "Dec 01, 2025"
    },
    {
      "id": "Vectra",
      "name": "Vectra",
      "description": "Deprecated. Use Vectra Detect instead.",
      "note": "Use Vectra Detect instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "Vectra v2",
      "name": "Vectra v2",
      "description": "Deprecated. Use Vectra Detect instead.",
      "note": "Use Vectra Detect instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "Venafi",
      "name": "Venafi",
      "description": "Deprecated. Use Venafi TLS Protect instead.",
      "note": "Use Venafi TLS Protect instead.",
      "maintenance_start": "Jun 01, 2024",
      "eol_start": "Dec 01, 2024"
    },
    {
      "id": "carbonblack-v2",
      "name": "VMware Carbon Black EDR",
      "description": "Deprecated. Use VMware Carbon Black EDR v2 instead.",
      "note": "Use VMware Carbon Black EDR v2 instead.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jul 01, 2022"
    },
    {
      "id": "Carbon Black Defense",
      "name": "VMware Carbon Black Endpoint Standard",
      "description": "Deprecated. Use Carbon Black Endpoint Standard instead.",
      "note": "Use Carbon Black Endpoint Standard instead.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jul 01, 2022"
    },
    {
      "id": "Windows Defender Advanced Threat Protection",
      "name": "Windows Defender Advanced Threat Protection",
      "description": "Deprecated. Use the Microsoft Defender for Endpoint pack instead.",
      "note": "Use the Microsoft Defender for Endpoint pack instead.",
      "maintenance_start": "Apr 01, 2020",
      "eol_start": "Oct 01, 2020"
    },
    {
      "id": "Zendesk",
      "name": "Zendesk -",
      "description": "Deprecated. Use the Zendesk v2 integration instead.",
      "note": "Use the Zendesk v2 integration instead.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    }
  ],
  "scripts": [
    {
      "id": "ADExpirePassword",
      "name": "ADExpirePassword",
      "description": "Deprecated. Expire the password of an Active Directory user.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "ADGetAllUsersEmail",
      "name": "ADGetAllUsersEmail",
      "description": "Deprecated. Use Active Directory to retrieve the email address associated with all users.",
      "note": "",
      "maintenance_start": "Aug 01, 2017",
      "eol_start": "Feb 01, 2018"
    },
    {
      "id": "ADGetCommonGroups",
      "name": "ADGetCommonGroups",
      "description": "Deprecated. Use Active Directory to get common groups between supplied users.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "ADGetComputer",
      "name": "ADGetComputer",
      "description": "Deprecated. Use the ad-get-computer command in the Active Directory Query v2 instead.\nUse Active Directory to retrieve detailed information about a computer account. The computer can be specified by name, email, or as an Active Directory Distinguished Name (DN).\nIf no filters are provided, the result will show all computers.",
      "note": "Use the ad-get-computer command in the Active Directory Query v2 instead.",
      "maintenance_start": "Apr 01, 2019",
      "eol_start": "Oct 01, 2019"
    },
    {
      "id": "ADGetComputerGroups",
      "name": "ADGetComputerGroups",
      "description": "Deprecated. Use Active Directory to retrieve the groups in which the specified computer is a member. The member computer can be specified by name or by DN.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "ADGetEmailForAllUsers",
      "name": "ADGetEmailForAllUsers",
      "description": "Deprecated. Use Active Directory to retrieve the email address associated with all users.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "ADGetEmailForUser",
      "name": "ADGetEmailForUser",
      "description": "Deprecated. Use Active Directory to retrieve the email address associated with the specified user. The user can be specified by name, email or as an Active Directory Distinguished Name (DN).",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "ADGetGroupComputers",
      "name": "ADGetGroupComputers",
      "description": "Deprecated. Use Active Directory to retrieve the list of computers that are members of the specified group. Group must be given by its AD Distinguished Name. The \\\"attributes\\\" argument receives a comma-separated list of additional attributes you wish to be displayed in the results.\\nExample usage -  !ADGetGroupComputers groupdn=\\\"CN=ImportantComputers,DC=demisto,DC=com\\\" attributes=operatingsystem",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "ADGetGroupMembers",
      "name": "ADGetGroupMembers",
      "description": "Deprecated. Use Active Directory to retrieve the list of users or computers that are members of the specified group. Group must be given by its AD Distinguished Name. The attributes argument receives a comma-separated list of additional attributes you wish to be displayed in the results.nExample usage !ADGetGroupMembers memberType=user groupdn=CN=Administrators,CN=Builtin,DC=acme,DC=int attributes=name,email",
      "note": "",
      "maintenance_start": "Apr 01, 2019",
      "eol_start": "Oct 01, 2019"
    },
    {
      "id": "ADGetGroupUsers",
      "name": "ADGetGroupUsers",
      "description": "Deprecated. Use Active Directory to retrieve the list of users who are members of the specified group. Group must be given by its AD Distinguished Name. The \\\"attributes\\\" argument receives a comma-separated list of additional attributes you wish to be displayed in the results.\\nExample usage !ADGetGroupUsers groupdn=CN=Domain Admins,CN=Users,DC=demisto,DC=com attributes=badPwdCount,memberOf",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "ADGetUser",
      "name": "ADGetUser",
      "description": "Deprecated. Use the ad-get-user command in the Active Directory v2 integration instead.account['Groups'] = demisto.get( Use Active Directory to retrieve detailed information about a user account. The user can be specified by name, email or as an Active Directory Distinguished Name (DN).\nIf no filter is provided, the result will show all users.",
      "note": "Use the ad-get-user command in the Active Directory v2 integration instead.",
      "maintenance_start": "Mar 01, 2022",
      "eol_start": "Sep 01, 2022"
    },
    {
      "id": "ADGetUserGroups",
      "name": "ADGetUserGroups",
      "description": "Deprecated. Use Active Directory to retrieve the groups in which the specified user is a member. The user can be specified by name, email or as an Active Directory Distinguished Name (DN).",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "ADGetUsersByEmail",
      "name": "ADGetUsersByEmail",
      "description": "Deprecated. Use Active Directory to retrieve the user associated with the specified email address.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "ADIsUserMember",
      "name": "ADIsUserMember",
      "description": "Deprecated. Use Active Directory to check if the specified user is a member of the specified group. Returns simply yes/no. The user can be specified by name, email or as an Active Directory Distinguished Name (DN).",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "ADListComputers",
      "name": "ADListComputers",
      "description": "Deprecated. Retrieve the list of Computer objects stored in Active Directory. Use the attributes argument to include specific attributes in the results.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "ADListUsers",
      "name": "ADListUsers",
      "description": "Deprecated. Retrieve the list of User objects stored in Active Directory. Use the \"attributes\" argument to include specific attributes in the results.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "ADListUsersEx",
      "name": "ADListUsersEx",
      "description": "Deprecated. Retrieve the list of User objects stored in Active Directory and include an extended list of attributes and information about each user. Use the \"attributes\" argument to include additional specific attributes in the results.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "AdSearch",
      "name": "AdSearch",
      "description": "Deprecated. Run Active Directory queries",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "ADSetNewPassword",
      "name": "ADSetNewPassword",
      "description": "Deprecated. Set a new password for an Active Directory user",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "ADUserLogonInfo",
      "name": "ADUserLogonInfo",
      "description": "Deprecated. Use Active Directory to retrieve detailed information about a user account. The user can be specified by name, email or as an Active Directory Distinguished Name (DN).",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "AggregateIOCs",
      "name": "AggregateIOCs",
      "description": "Deprecated.  Aggregating several context items for IOCs into a single list",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "AquatoneDiscover",
      "name": "AquatoneDiscover",
      "description": "Deprecated. Use AquatoneDiscoverV2 from the CommonScripts pack instead.",
      "note": "Use AquatoneDiscoverV2 from the CommonScripts pack instead.",
      "maintenance_start": "Dec 01, 2022",
      "eol_start": "Jun 01, 2023"
    },
    {
      "id": "ArcherCreateSecurityIncident",
      "name": "ArcherCreateSecurityIncident",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "ArcherUpdateSecurityIncident",
      "name": "ArcherUpdateSecurityIncident",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "Autoruns",
      "name": "Autoruns",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "AwsCreateImage",
      "name": "AwsCreateImage",
      "description": "Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.",
      "note": "Use the AWS-EC2 integration instead.",
      "maintenance_start": "Oct 01, 2020",
      "eol_start": "Apr 01, 2021"
    },
    {
      "id": "AwsCreateVolumeSnapshot",
      "name": "AwsCreateVolumeSnapshot",
      "description": "Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.",
      "note": "Use the AWS-EC2 integration instead.",
      "maintenance_start": "Oct 01, 2020",
      "eol_start": "Apr 01, 2021"
    },
    {
      "id": "AwsGetInstanceInfo",
      "name": "AwsGetInstanceInfo",
      "description": "Deprecated. Get AWS EC2 instance details",
      "note": "",
      "maintenance_start": "May 01, 2020",
      "eol_start": "Nov 01, 2020"
    },
    {
      "id": "AwsRunInstance",
      "name": "AwsRunInstance",
      "description": "Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.",
      "note": "Use the AWS-EC2 integration instead.",
      "maintenance_start": "Oct 01, 2020",
      "eol_start": "Apr 01, 2021"
    },
    {
      "id": "AwsStartInstance",
      "name": "AwsStartInstance",
      "description": "Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.",
      "note": "Use the AWS-EC2 integration instead.",
      "maintenance_start": "Oct 01, 2020",
      "eol_start": "Apr 01, 2021"
    },
    {
      "id": "AwsStopInstance",
      "name": "AwsStopInstance",
      "description": "Deprecated. This script is deprecated. Use the AWS-EC2 integration instead.",
      "note": "Use the AWS-EC2 integration instead.",
      "maintenance_start": "Oct 01, 2020",
      "eol_start": "Apr 01, 2021"
    },
    {
      "id": "BinaryReputationPy",
      "name": "BinaryReputationPy",
      "description": "Deprecated. Get reputation for any hash or file in the incident details",
      "note": "",
      "maintenance_start": "Mar 01, 2018",
      "eol_start": "Sep 01, 2018"
    },
    {
      "id": "BinarySearchPy",
      "name": "BinarySearchPy",
      "description": "Deprecated. No available replacement. Search for a binary on an endpoint using Carbon Black",
      "note": "No available replacement.",
      "maintenance_start": "Jun 01, 2022",
      "eol_start": "Dec 01, 2022"
    },
    {
      "id": "BlockIP",
      "name": "BlockIP",
      "description": "Deprecated. Blocks IP in configured firewall",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "CBFindHash",
      "name": "CBFindHash",
      "description": "Deprecated. Search Carbon Black for connection to specified md5 hash(es).",
      "note": "",
      "maintenance_start": "Dec 01, 2018",
      "eol_start": "Jun 01, 2019"
    },
    {
      "id": "CBLiveFetchFiles",
      "name": "CBLiveFetchFiles",
      "description": "Deprecated. Use CBLiveGetFile_V2 instead. Live.",
      "note": "Use CBLiveGetFile_V2 instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "CBLiveGetFile",
      "name": "CBLiveGetFile",
      "description": "Deprecated. Use CBLiveGetFile_V2 instead. Use Carbon black Response Live session to retrieve a file from an endpoint. Endpoint needs to have a CbResponse sensor deployed.",
      "note": "Use CBLiveGetFile_V2 instead.",
      "maintenance_start": "Oct 01, 2020",
      "eol_start": "Apr 01, 2021"
    },
    {
      "id": "CBLiveProcessList",
      "name": "CBLiveProcessList",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "CBPApproveHash",
      "name": "CBPApproveHash",
      "description": "Deprecated. Use the cbp-fileRule-createOrUpdate command instead.",
      "note": "Use the cbp-fileRule-createOrUpdate command instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "CBPBanHash",
      "name": "CBPBanHash",
      "description": "Deprecated. Use the cbp-fileRule-createOrUpdate command instead.",
      "note": "Use the cbp-fileRule-createOrUpdate command instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "CBSearch",
      "name": "CBSearch",
      "description": "Deprecated. Use the cb-binary command and cb-get-processes command, instead.",
      "note": "Use the cb-binary command and cb-get-processes command, instead.",
      "maintenance_start": "Aug 01, 2019",
      "eol_start": "Feb 01, 2020"
    },
    {
      "id": "CheckFiles",
      "name": "CheckFiles",
      "description": "Deprecated. Iterate on all file artifacts in the investigation and return details of positives",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "CheckFilesWildfirePy",
      "name": "CheckFilesWildfirePy",
      "description": "Deprecated. Use \"WildFire - Detonate File\" playbook instead",
      "note": "",
      "maintenance_start": "Jun 01, 2019",
      "eol_start": "Dec 01, 2019"
    },
    {
      "id": "CheckIPs",
      "name": "CheckIPs",
      "description": "Deprecated. Get reputation for IPs in the incident or given raw text",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "CheckPointDownloadBackup",
      "name": "CheckPointDownloadBackup",
      "description": "Deprecated. Use ssh command instead. Downloads the Check Point policy backup to the Cortex XSOAR War Room.",
      "note": "Use ssh command instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "CheckpointFWBackupStatus",
      "name": "CheckpointFWBackupStatus",
      "description": "Deprecated. Use ssh command instead. Connect to a CheckPoint firewall appliance using SSH and retrieve the status for backup tasks. The user account being used to access the device must be set to use the SSH shell and not the built-in CheckPoint CLI. For more information, consult the CheckPoint documentation.",
      "note": "Use ssh command instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "CheckpointFWCreateBackup",
      "name": "CheckpointFWCreateBackup",
      "description": "Deprecated. Use ssh command instead. Connect to a Check Point firewall appliance using SSH and trigger a task to create a configuration backup of the device. The user account being used to access the device must be set to use the SSH shell and not the built-in Check Point CLI. For more information, consult the CheckPoint documentation.",
      "note": "Use ssh command instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "CheckURLs",
      "name": "CheckURLs",
      "description": "Deprecated. Check the URLs in the incident, or raw text provided as argument, for malicious URLs",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "CheckWhitelist",
      "name": "CheckWhitelist",
      "description": "Deprecated. Check whether the given item is in the allow list",
      "note": "",
      "maintenance_start": "Aug 01, 2018",
      "eol_start": "Feb 01, 2019"
    },
    {
      "id": "ClassifierNotifyAdmin",
      "name": "ClassifierNotifyAdmin",
      "description": "Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "CloseInvestigation",
      "name": "CloseInvestigation",
      "description": "Deprecated. Close an investigation",
      "note": "",
      "maintenance_start": "Nov 01, 2018",
      "eol_start": "May 01, 2019"
    },
    {
      "id": "CommonIntegration",
      "name": "CommonIntegration",
      "description": "Deprecated. Common code that will be merged into each server integration when it runs",
      "note": "",
      "maintenance_start": "Jun 01, 2017",
      "eol_start": "Dec 01, 2017"
    },
    {
      "id": "CommonIntegrationPython",
      "name": "CommonIntegrationPython",
      "description": "Deprecated. Common code that will be merged into each server integration when it runs",
      "note": "",
      "maintenance_start": "Jun 01, 2017",
      "eol_start": "Dec 01, 2017"
    },
    {
      "id": "ConferIncidentDetails",
      "name": "ConferIncidentDetails",
      "description": "Deprecated. Display the incident details retrieved from Confer in a readable format",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "ConferSetSeverity",
      "name": "ConferSetSeverity",
      "description": "Deprecated. Set incident severity according to indicators found in a Confer alert",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "CPBlockIP",
      "name": "CPBlockIP",
      "description": "Deprecated. Block one or more IP addresses using Checkpoint Firewall.",
      "note": "",
      "maintenance_start": "Dec 01, 2018",
      "eol_start": "Jun 01, 2019"
    },
    {
      "id": "CPCreateBackup",
      "name": "CPCreateBackup",
      "description": "Deprecated. Connect to a checkpoint firewall appliance using SSH and trigger a task to create a configuration backup of the device. The user account being used to access the device must be set to use the SSH shell and not the built in Checkpoint CLI. Consult the Checkpoint documentation for instructions on how to do this.",
      "note": "",
      "maintenance_start": "Jun 01, 2017",
      "eol_start": "Dec 01, 2017"
    },
    {
      "id": "CPDeleteRule",
      "name": "CPDeleteRule",
      "description": "Deprecated. Delete access rule objects configured in Checkpoint FW.",
      "note": "",
      "maintenance_start": "Jun 01, 2017",
      "eol_start": "Dec 01, 2017"
    },
    {
      "id": "CPSetRule",
      "name": "CPSetRule",
      "description": "Deprecated. Set attributes of an access rule object configured in Checkpoint FW.",
      "note": "",
      "maintenance_start": "Jun 01, 2017",
      "eol_start": "Dec 01, 2017"
    },
    {
      "id": "CPShowAccessRulebase",
      "name": "CPShowAccessRulebase",
      "description": "Deprecated. Show items in an access rulebase configured in Checkpoint FW.",
      "note": "",
      "maintenance_start": "Jun 01, 2017",
      "eol_start": "Dec 01, 2017"
    },
    {
      "id": "CPShowBackupStatus",
      "name": "CPShowBackupStatus",
      "description": "Deprecated. Connect to a checkpoint firewall appliance using SSH and retrieve status for backup tasks. The user account being used to access the device must be set to use the SSH shell and not the built in Checkpoint CLI. Consult the Checkpoint documentation for instructions on how to do this.",
      "note": "",
      "maintenance_start": "Jun 01, 2017",
      "eol_start": "Dec 01, 2017"
    },
    {
      "id": "CPShowHosts",
      "name": "CPShowHosts",
      "description": "Deprecated. Show host objects configured in Checkpoint FW.",
      "note": "",
      "maintenance_start": "Jun 01, 2017",
      "eol_start": "Dec 01, 2017"
    },
    {
      "id": "CPTaskStatus",
      "name": "CPTaskStatus",
      "description": "Deprecated. Shows status of a checkpoint task by task uuid.",
      "note": "",
      "maintenance_start": "Jun 01, 2017",
      "eol_start": "Dec 01, 2017"
    },
    {
      "id": "CrowdStrikeUrlParse",
      "name": "CrowdStrikeUrlParse",
      "description": "Deprecated. Use CrowdStrike Falcon instead.",
      "note": "Use CrowdStrike Falcon instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "CSActors",
      "name": "CSActors",
      "description": "Deprecated. Query CrowdStrike actors based on given parameters. For fields like countries and industries, multiple values can be passed separated by ','.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "CSCountDevicesForIOC",
      "name": "CSCountDevicesForIOC",
      "description": "Deprecated. List the number of devices that match each IOC in query - limited to sha256, sha1, md5 and domain types",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "CSHuntByIOC",
      "name": "CSHuntByIOC",
      "description": "Deprecated. List devices that match a specific IOC - an IOC ran on them - limited to sha256, sha1, md5 and domain types",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "CSIndicators",
      "name": "CSIndicators",
      "description": "Deprecated. Query CrowdStrike indicators based on given parameters.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "CuckooDetonateFile",
      "name": "CuckooDetonateFile",
      "description": "Deprecated. Use the 'cuckoo-create-task-from-file' command instead.",
      "note": "Use the 'cuckoo-create-task-from-file' command instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "CuckooDetonateURL",
      "name": "CuckooDetonateURL",
      "description": "Deprecated. Use 'cuckoo-create-task-from-url' instead.",
      "note": "Use 'cuckoo-create-task-from-url' instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "CuckooGetReport",
      "name": "CuckooGetReport",
      "description": "Deprecated. Use the 'cuckoo-get-task-report' command instead.",
      "note": "Use the 'cuckoo-get-task-report' command instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "CuckooGetScreenshot",
      "name": "CuckooGetScreenshot",
      "description": "Deprecated. Use 'cuckoo-task-screenshot' command instead.",
      "note": "Use 'cuckoo-task-screenshot' command instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "CuckooTaskStatus",
      "name": "CuckooTaskStatus",
      "description": "Deprecated. Use the 'cuckoo-view-task' command instead.",
      "note": "Use the 'cuckoo-view-task' command instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "5d44a5d9-d91a-4420-801f-755f26b60c47",
      "name": "cveLatest",
      "description": "Deprecated. No available replacement. Displays the latest updated CVE entries.",
      "note": "No available replacement.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jul 01, 2022"
    },
    {
      "id": "cveReputation",
      "name": "cveReputation",
      "description": "Deprecated. Use CveReputationV2 (in CommonScripts) instead.",
      "note": "Use CveReputationV2 (in CommonScripts) instead.",
      "maintenance_start": "Jul 01, 2023",
      "eol_start": "Jan 01, 2024"
    },
    {
      "id": "c99e196b-e05e-41f2-82cb-6798f33cb653",
      "name": "cveSearch",
      "description": "Deprecated. No available replacement. Search vulnerability information based on CVE ID.",
      "note": "No available replacement.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jul 01, 2022"
    },
    {
      "id": "CYFileRep",
      "name": "CYFileRep",
      "description": "Deprecated. This script is deprecated. Use the Cylance integration instead.",
      "note": "Use the Cylance integration instead.",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "D2Remove",
      "name": "D2Remove",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "DataDomainReputation",
      "name": "DataDomainReputation",
      "description": "Deprecated. Evaluate reputation of a URL and Domain and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned.",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "DataHashReputation",
      "name": "DataHashReputation",
      "description": "Deprecated. Evaluate reputation of a hash and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned.",
      "note": "",
      "maintenance_start": "Nov 01, 2017",
      "eol_start": "May 01, 2018"
    },
    {
      "id": "DataIPReputation",
      "name": "DataIPReputation",
      "description": "Deprecated. Evaluate reputation of an IP and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned.",
      "note": "",
      "maintenance_start": "Nov 01, 2017",
      "eol_start": "May 01, 2018"
    },
    {
      "id": "DataURLReputation",
      "name": "DataURLReputation",
      "description": "Deprecated. Evaluate reputation of a URL and return a score between 0 and 3 (0 - unknown, 1 - known good, 2 - suspicious, 3 - known bad). If the indicator reputation was manually set, the manual value will be returned.",
      "note": "",
      "maintenance_start": "Nov 01, 2017",
      "eol_start": "May 01, 2018"
    },
    {
      "id": "DBotMLFetchData",
      "name": "DBotMLFetchData",
      "description": "Deprecated. No available replacement. Collect telemetry data from the environment.",
      "note": "No available replacement.",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "DBotPredictOutOfTheBox",
      "name": "DBotPredictOutOfTheBox",
      "description": "Deprecated. Use DBotPredictOutOfTheBoxV2 instead.",
      "note": "Use DBotPredictOutOfTheBoxV2 instead.",
      "maintenance_start": "Nov 01, 2021",
      "eol_start": "May 01, 2022"
    },
    {
      "id": "DBotPredictPhishingEvaluation",
      "name": "DBotPredictPhishingEvaluation",
      "description": "Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "DBotPredictPhishingLabel",
      "name": "DBotPredictPhishingLabel",
      "description": "Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "DBotPredictTextLabel",
      "name": "DBotPredictTextLabel",
      "description": "Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "DBotPreparePhishingData",
      "name": "DBotPreparePhishingData",
      "description": "Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "DBotSuggestClassifierMapping",
      "name": "DBotSuggestClassifierMapping",
      "description": "Deprecated. No available replacement. Suggests a classifier mapping based on an advanced name matching algorithm.",
      "note": "No available replacement.",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "DBotTrainTextClassifier",
      "name": "DBotTrainTextClassifier",
      "description": "Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "DefaultIncidentClassifier",
      "name": "DefaultIncidentClassifier",
      "description": "Deprecated. Classify an incident from mail.",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "DemistoDeleteIncident",
      "name": "DemistoDeleteIncident",
      "description": "Deprecated. Delete an incident from Demisto (note action is irreversible)",
      "note": "",
      "maintenance_start": "Oct 01, 2018",
      "eol_start": "Apr 01, 2019"
    },
    {
      "id": "DemistoGetIncidentTasksByState",
      "name": "DemistoGetIncidentTasksByState",
      "description": "Deprecated. Use GetIncidentTasksByState instead.",
      "note": "Use GetIncidentTasksByState instead.",
      "maintenance_start": "Aug 01, 2023",
      "eol_start": "Feb 01, 2024"
    },
    {
      "id": "DemistoLeaveAllInvestigations",
      "name": "DemistoLeaveAllInvestigations",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2023",
      "eol_start": "Feb 01, 2024"
    },
    {
      "id": "DemistoLinkIncidents",
      "name": "DemistoLinkIncidents",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Jan 01, 2024",
      "eol_start": "Jul 01, 2024"
    },
    {
      "id": "DemistoLogsBundle",
      "name": "DemistoLogsBundle",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2023",
      "eol_start": "Feb 01, 2024"
    },
    {
      "id": "DemistoSendInvite",
      "name": "DemistoSendInvite",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Feb 01, 2023",
      "eol_start": "Aug 01, 2023"
    },
    {
      "id": "DemistoUploadFile",
      "name": "DemistoUploadFile",
      "description": "Deprecated. Use UploadFileV2 instead.",
      "note": "Use UploadFileV2 instead.",
      "maintenance_start": "Aug 01, 2020",
      "eol_start": "Feb 01, 2021"
    },
    {
      "id": "DemistoUploadFileToIncident",
      "name": "DemistoUploadFileToIncident",
      "description": "Deprecated. Use the *DemistoUploadFileV2* script instead. Copies a file from this incident to the specified incident. The file is uploaded as an attachment to the specified incident\u2019s Summary page, and recorded as an entry in the War Room.",
      "note": "Use the *DemistoUploadFileV2* script instead.",
      "maintenance_start": "Dec 01, 2021",
      "eol_start": "Jun 01, 2022"
    },
    {
      "id": "DemistoUploadFileV2",
      "name": "DemistoUploadFileV2",
      "description": "Deprecated. Use UploadFile instead.",
      "note": "Use UploadFile instead.",
      "maintenance_start": "Aug 01, 2023",
      "eol_start": "Feb 01, 2024"
    },
    {
      "id": "DocumentationAutomation",
      "name": "DocumentationAutomation",
      "description": "Deprecated. The recommended way to generate documentation is via the demisto-sdk.\nSee: https://xsoar.pan.dev/docs/integrations/integration-docs",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "Elasticsearch",
      "name": "Elasticsearch",
      "description": "Deprecated. Use the Elasticsearch v2 integration instead.\n\nRun a search query using Elasticsearch",
      "note": "Use the Elasticsearch v2 integration instead.",
      "maintenance_start": "Oct 01, 2019",
      "eol_start": "Apr 01, 2020"
    },
    {
      "id": "ElasticSearchDisplay",
      "name": "ElasticSearchDisplay",
      "description": "Deprecated. Use the Elasticsearch v2 integration instead.\n\nRuns an Elasticsearch query and displays results in a table.",
      "note": "Use the Elasticsearch v2 integration instead.",
      "maintenance_start": "Oct 01, 2019",
      "eol_start": "Apr 01, 2020"
    },
    {
      "id": "EPOCheckLatestDAT",
      "name": "EPOCheckLatestDAT",
      "description": "Deprecated. Check latest version of the DAT AV signature update.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "EPODetermineRepository",
      "name": "EPODetermineRepository",
      "description": "Deprecated. Holds the logic to choose the ePO repositories to operate on when executing the containing playbook. In the simple default script provided, the instance name is picked manually.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "EPOFindSystem",
      "name": "EPOFindSystem",
      "description": "Deprecated. Use the \"McAfee ePO v2 integration command epo-find-system\" instead.\n\nReturn system info",
      "note": "Use the \"McAfee ePO v2 integration command epo-find-system\" instead.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jul 01, 2022"
    },
    {
      "id": "EPORepoList",
      "name": "EPORepoList",
      "description": "Deprecated. List all configured instances of ePO integration.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "EPORepositoryComplianceCheck",
      "name": "EPORepositoryComplianceCheck",
      "description": "Deprecated. Check a list of ePO servers to see if they are up to date.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "EPORetrieveCurrentDATVersion",
      "name": "EPORetrieveCurrentDATVersion",
      "description": "Deprecated. Retrieve DAT version currently installed in the given ePO server",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "EPOUpdateEndpoints",
      "name": "EPOUpdateEndpoints",
      "description": "Deprecated. Trigger an ePO Client Task to update AV signatures for specific endpoints",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "EPOUpdateRepository",
      "name": "EPOUpdateRepository",
      "description": "Deprecated. Trigger a Server Task in specific ePO servers to pull latest signatures from update server",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "EsmExample",
      "name": "EsmExample",
      "description": "Deprecated. Example of using McAfee ESM (Nitro) with advanced filters",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "ExchangeAssignRole",
      "name": "ExchangeAssignRole",
      "description": "Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead.",
      "note": "Please use the Exchange 2016 Compliance Search integration instead.",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "ExchangeDeleteIDsFromContext",
      "name": "ExchangeDeleteIDsFromContext",
      "description": "Deprecated. Delete Mails with ID's under the context key \"ExchangeItemIDs\"",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "ExchangeDeleteMail",
      "name": "ExchangeDeleteMail",
      "description": "Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead.",
      "note": "Please use the Exchange 2016 Compliance Search integration instead.",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "ExchangeSearch",
      "name": "ExchangeSearch",
      "description": "Deprecated. Search mails in Exchange Web Server",
      "note": "",
      "maintenance_start": "Nov 01, 2017",
      "eol_start": "May 01, 2018"
    },
    {
      "id": "ExchangeSearchMailbox",
      "name": "ExchangeSearchMailbox",
      "description": "Deprecated. This script is deprecated. Please use the Exchange 2016 Compliance Search integration instead.",
      "note": "Please use the Exchange 2016 Compliance Search integration instead.",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "ExpanseAggregateAttributionCI",
      "name": "ExpanseAggregateAttributionCI",
      "description": "Deprecated. No available replacement. > Aggregate entries from ServiceNow CMDB into AttributionCI.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "ExpanseAggregateAttributionDevice",
      "name": "ExpanseAggregateAttributionDevice",
      "description": "Deprecated. No available replacement. > Aggregate entries from multiple sources into AttributionDevice.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "ExpanseAggregateAttributionIP",
      "name": "ExpanseAggregateAttributionIP",
      "description": "Deprecated. No available replacement. > Aggregate entries from multiple sources into AttributionIP.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "ExpanseAggregateAttributionUser",
      "name": "ExpanseAggregateAttributionUser",
      "description": "Deprecated. No available replacement. > Aggregate entries from multiple sources into AttributionUser.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "ExpanseEnrichAttribution",
      "name": "ExpanseEnrichAttribution",
      "description": "Deprecated. No available replacement. > This script can be used to enrich context generated by ExpanseAggregateAttribution* scripts  with additional details",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "ExpanseEvidenceDynamicSection",
      "name": "ExpanseEvidenceDynamicSection",
      "description": "Deprecated. No available replacement. > Dynamic Section script used in Expanse Issue layout to display the Latest Evidence structure.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "ExpanseGenerateIssueMapWidgetScript",
      "name": "ExpanseGenerateIssueMapWidgetScript",
      "description": "Deprecated. No available replacement.\nThis widget script generates a map of the Open Expanse Issue Incidents with provider On Prem.\nThe map is generated as a static PNG file embedded in Markdown.\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "ExpansePrintSuggestions",
      "name": "ExpansePrintSuggestions",
      "description": "Deprecated. No available replacement. > Generates and prints a report in markdown format containing useful suggestions for the Analyst to attribute an Expanse Issue to an owner.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "ExpanseRefreshIssueAssets",
      "name": "ExpanseRefreshIssueAssets",
      "description": "Deprecated. No available replacement. > Script to refresh tags and attribution reasons of assets inside Expanse Issue. The script should be used inside the Expanse Issue incident context.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "ExposeList",
      "name": "ExposeList",
      "description": "Deprecated. Returns Demisto list",
      "note": "",
      "maintenance_start": "Sep 01, 2017",
      "eol_start": "Mar 01, 2018"
    },
    {
      "id": "ExposeModules",
      "name": "ExposeModules",
      "description": "Deprecated. Returns all Demisto modules (integrations instances)",
      "note": "",
      "maintenance_start": "Jul 01, 2017",
      "eol_start": "Jan 01, 2018"
    },
    {
      "id": "ExposeUsers",
      "name": "ExposeUsers",
      "description": "Deprecated. Returns Demisto users",
      "note": "",
      "maintenance_start": "Sep 01, 2017",
      "eol_start": "Mar 01, 2018"
    },
    {
      "id": "ExtractDomain",
      "name": "ExtractDomain",
      "description": "Deprecated. We recommend using extractIndicators command instead. Extract Domains from the given text and place them both as output and in the context of a playbook. If given an object, will convert to JSON.",
      "note": "We recommend using extractIndicators command instead.",
      "maintenance_start": "Mar 01, 2019",
      "eol_start": "Sep 01, 2019"
    },
    {
      "id": "ExtractDomainFromURL",
      "name": "ExtractDomainFromURL",
      "description": "Deprecated. Extract Domain from a URL. Domain will include sub-domain as well",
      "note": "",
      "maintenance_start": "Sep 01, 2017",
      "eol_start": "Mar 01, 2018"
    },
    {
      "id": "ExtractEmail",
      "name": "ExtractEmail",
      "description": "Deprecated. We recommend using extractIndicators command instead. Extract Emails from the given text and place them both as output and in the context of a playbook. If given an object, will convert to JSON.",
      "note": "We recommend using extractIndicators command instead.",
      "maintenance_start": "Mar 01, 2019",
      "eol_start": "Sep 01, 2019"
    },
    {
      "id": "ExtractHash",
      "name": "ExtractHash",
      "description": "Deprecated. We recommend using extractIndicators command instead. Extract md5, sha1, sha256 from the given text and place them both as output and in the context of a playbook",
      "note": "We recommend using extractIndicators command instead.",
      "maintenance_start": "Mar 01, 2019",
      "eol_start": "Sep 01, 2019"
    },
    {
      "id": "ExtractIP",
      "name": "ExtractIP",
      "description": "Deprecated. We recommend using extractIndicators command instead. Extract IPs from the given text and place them both as output and in the context of a playbook.",
      "note": "We recommend using extractIndicators command instead.",
      "maintenance_start": "Mar 01, 2019",
      "eol_start": "Sep 01, 2019"
    },
    {
      "id": "ExtractURL",
      "name": "ExtractURL",
      "description": "Deprecated. We recommend using extractIndicators command instead. Extract URLs from the given text and place them both as output and in the context of a playbook. If given an object, will convert to JSON.",
      "note": "We recommend using extractIndicators command instead.",
      "maintenance_start": "Mar 01, 2019",
      "eol_start": "Sep 01, 2019"
    },
    {
      "id": "FileCreateAndUpload",
      "name": "FileCreateAndUpload",
      "description": "Deprecated. Use FileCreateAndUploadV2 instead. Will create a file (using the given data input or entry ID) and upload it to current investigation war room.\n",
      "note": "Use FileCreateAndUploadV2 instead.",
      "maintenance_start": "Jun 01, 2022",
      "eol_start": "Dec 01, 2022"
    },
    {
      "id": "FindSimilarIncidents",
      "name": "FindSimilarIncidents",
      "description": "Deprecated. Use DBotFindSimilarIncidents instead.\n\nFinds similar incidents by common incident keys, labels, custom fields or context keys.\nIt's highly recommended to use incident keys if possible (e.g., \"type\" for the same incident type).\nFor best performance, it's recommended to avoid using context keys if possible (for example, if the value also appears in a label key, use label).\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script",
      "note": "Use DBotFindSimilarIncidents instead.",
      "maintenance_start": "May 01, 2024",
      "eol_start": "Nov 01, 2024"
    },
    {
      "id": "FindSimilarIncidentsByText",
      "name": "FindSimilarIncidentsByText",
      "description": "Deprecated. Use DBotFindSimilarIncidents instead.\nFind similar incidents by text comparison - the algorithm based on TF-IDF method.\nTo read more about this method: https://en.wikipedia.org/wiki/Tf%E2%80%93idf\n\nThis automation runs using the default Limited User role, unless you explicitly\nchange the permissions.\nFor more information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script",
      "note": "Use DBotFindSimilarIncidents instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "GetContextValue",
      "name": "GetContextValue",
      "description": "Deprecated. The script returns a value from context",
      "note": "",
      "maintenance_start": "Jun 01, 2018",
      "eol_start": "Dec 01, 2018"
    },
    {
      "id": "GetDuplicatesMl",
      "name": "GetDuplicatesMl",
      "description": "Deprecated. Find duplicate incidents candidates. Using machine learning techniques with pre-defined data (can also use data from the local environment), this script takes into consideration different features such as -  labels comparison, email labels (relevant for phishing), incident time difference and shared indicators, which can be customized by the arguments.",
      "note": "",
      "maintenance_start": "Aug 01, 2018",
      "eol_start": "Feb 01, 2019"
    },
    {
      "id": "GetDuplicatesMlv2",
      "name": "GetDuplicatesMlv2",
      "description": "Deprecated. Use the \"PhishingDedupPreprocessingRule\" script instead.\nFind duplicate incidents candidates.\nUsing machine learning techniques with pre-defined data (can also use data from the local environment), this script takes into consideration different features such as: labels comparison, email labels (relevant for phishing), incident time difference and shared indicators, which can be customized by the arguments.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script",
      "note": "Use the \"PhishingDedupPreprocessingRule\" script instead.",
      "maintenance_start": "Jan 01, 2021",
      "eol_start": "Jul 01, 2021"
    },
    {
      "id": "GetIncidentTasksByState",
      "name": "GetIncidentTasksByState",
      "description": "Deprecated. Use the GetIncidentTasks script instead.",
      "note": "Use the GetIncidentTasks script instead.",
      "maintenance_start": "Mar 01, 2024",
      "eol_start": "Sep 01, 2024"
    },
    {
      "id": "getMlFeatures",
      "name": "getMlFeatures",
      "description": "Deprecated. This script is deprecated. See https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2 for more information.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "GoogleappsGetUser",
      "name": "GoogleappsGetUser",
      "description": "Deprecated. Fetch info on specific user",
      "note": "",
      "maintenance_start": "May 01, 2018",
      "eol_start": "Nov 01, 2018"
    },
    {
      "id": "GoogleappsGetUserRoles",
      "name": "GoogleappsGetUserRoles",
      "description": "Deprecated. Retrieves a list of all roleAssignments.",
      "note": "",
      "maintenance_start": "May 01, 2018",
      "eol_start": "Nov 01, 2018"
    },
    {
      "id": "GoogleappsGmailGetMail",
      "name": "GoogleappsGmailGetMail",
      "description": "Deprecated. Gets the specified message.",
      "note": "",
      "maintenance_start": "May 01, 2018",
      "eol_start": "Nov 01, 2018"
    },
    {
      "id": "GoogleappsGmailSearch",
      "name": "GoogleappsGmailSearch",
      "description": "Deprecated. Search the messages in the user's mailbox.",
      "note": "",
      "maintenance_start": "May 01, 2018",
      "eol_start": "Nov 01, 2018"
    },
    {
      "id": "GoogleappsListUsers",
      "name": "GoogleappsListUsers",
      "description": "Deprecated. Retrieves a paginated list of either deleted users or all users in a domain",
      "note": "",
      "maintenance_start": "May 01, 2018",
      "eol_start": "Nov 01, 2018"
    },
    {
      "id": "GoogleappsRevokeUserRole",
      "name": "GoogleappsRevokeUserRole",
      "description": "Deprecated. Deletes a role assignment.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "GoogleAuthURL",
      "name": "GoogleAuthURL",
      "description": "Deprecated. This script is deprecated. The demistobot endpoint is no longer supported.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "GrrGetFiles",
      "name": "GrrGetFiles",
      "description": "Deprecated. Use grr_get_files instead.",
      "note": "Use grr_get_files instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "GrrGetFlows",
      "name": "GrrGetFlows",
      "description": "Deprecated. Use grr-get-flows instead.",
      "note": "Use grr-get-flows instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "GrrGetHunt",
      "name": "GrrGetHunt",
      "description": "Deprecated. Use grr_get_hunt instead.",
      "note": "Use grr_get_hunt instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "GrrGetHunts",
      "name": "GrrGetHunts",
      "description": "Deprecated. Use grr_get_hunts instead.",
      "note": "Use grr_get_hunts instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "GrrSetFlows",
      "name": "GrrSetFlows",
      "description": "Deprecated. Use grr-set-flows instead.",
      "note": "Use grr-set-flows instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "GrrSetHunts",
      "name": "GrrSetHunts",
      "description": "Deprecated. Use grr_set_hunts instead.",
      "note": "Use grr_set_hunts instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "HTMLDocsAutomation",
      "name": "HTMLDocsAutomation",
      "description": "Deprecated. The recommended way to generate documentation is via the demisto-sdk. \nSee: https://xsoar.pan.dev/docs/integrations/integration-docs",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "ImportSigmaRulesFromZIP",
      "name": "ImportSigmaRulesFromZIP",
      "description": "Deprecated. Use CreateSigmaRuleIndicator instead.",
      "note": "Use CreateSigmaRuleIndicator instead.",
      "maintenance_start": "Jun 01, 2025",
      "eol_start": "Dec 01, 2025"
    },
    {
      "id": "ImpSfSetEndpointStatus",
      "name": "ImpSfSetEndpointStatus",
      "description": "Deprecated. Call imp-sf-set-endpoint-status directly. No available replacement.",
      "note": "Call imp-sf-set-endpoint-status directly. No available replacement.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "IncidentSet",
      "name": "IncidentSet",
      "description": "Deprecated. Modify incident info such as name, owner, type, etc.",
      "note": "",
      "maintenance_start": "Jul 01, 2018",
      "eol_start": "Jan 01, 2019"
    },
    {
      "id": "IncidentToContext",
      "name": "IncidentToContext",
      "description": "Deprecated. Inserts incident info and labels into context for use inside playbooks.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "IngestCSV",
      "name": "IngestCSV",
      "description": "Deprecated. Finds a CSV file in the war room and loads it into context.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "InviteUser",
      "name": "InviteUser",
      "description": "Deprecated. Send a notification to another user and add user to the team",
      "note": "",
      "maintenance_start": "Mar 01, 2019",
      "eol_start": "Sep 01, 2019"
    },
    {
      "id": "IPExtract",
      "name": "IPExtract",
      "description": "Deprecated. Extract IPs from the given text and place them both as output and in the context of a playbook",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "IPInfoQuery",
      "name": "IPInfoQuery",
      "description": "Deprecated. Query ipinfo.io regarding an IP address. Returns a table, or if a specific field is selected, just the value for that field as a string.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "IsContextSet",
      "name": "IsContextSet",
      "description": "Deprecated. Check if a context key is set. Can also optionally provide a value argument to compare against context data for this key.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "IsIPInSubnet",
      "name": "IsIPInSubnet",
      "description": "Deprecated. Returns 'yes' if IP is in subnet. Otherwise returns 'no'",
      "note": "",
      "maintenance_start": "Jan 01, 2018",
      "eol_start": "Jul 01, 2018"
    },
    {
      "id": "IsPDFFileEncrypted",
      "name": "IsPDFFileEncrypted",
      "description": "Checks whether the PDF file is encrypted.",
      "note": "",
      "maintenance_start": "May 01, 2025",
      "eol_start": "Nov 01, 2025"
    },
    {
      "id": "JiraCreateIssue",
      "name": "JiraCreateIssue",
      "description": "Deprecated. Create a new issue on Jira",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "JiraGetIssue",
      "name": "JiraGetIssue",
      "description": "Deprecated. Fetch issue from Jira",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "JiraIssueAddComment",
      "name": "JiraIssueAddComment",
      "description": "Deprecated. Add new comment to existing Jira issue",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "JiraIssueAddLink",
      "name": "JiraIssueAddLink",
      "description": "Deprecated. Creates (or updates) issue link",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "JiraIssueQuery",
      "name": "JiraIssueQuery",
      "description": "Deprecated. Query Jira issues",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "JiraIssueUploadFile",
      "name": "JiraIssueUploadFile",
      "description": "Deprecated. Upload a file attachment to an issue",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "LCMAcknowledgeHost",
      "name": "LCMAcknowledgeHost",
      "description": "Deprecated. This script is deprecated. LightCyber Magna is no longer available.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "LCMDetectedEntities",
      "name": "LCMDetectedEntities",
      "description": "Deprecated. This script is deprecated. LightCyber Magna is no longer available.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "LCMDetectedIndicators",
      "name": "LCMDetectedIndicators",
      "description": "Deprecated. This script is deprecated. LightCyber Magna is no longer available.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "LCMHosts",
      "name": "LCMHosts",
      "description": "Deprecated. This script is deprecated. LightCyber Magna is no longer available.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "LCMIndicatorsForEntity",
      "name": "LCMIndicatorsForEntity",
      "description": "Deprecated. This script is deprecated. LightCyber Magna is no longer available.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "LCMPathFinderScanHost",
      "name": "LCMPathFinderScanHost",
      "description": "Deprecated. This script is deprecated. LightCyber Magna is no longer available.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "LCMResolveHost",
      "name": "LCMResolveHost",
      "description": "Deprecated. This script is deprecated. LightCyber Magna is no longer available.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "LCMSetHostComment",
      "name": "LCMSetHostComment",
      "description": "Deprecated. This script is deprecated. LightCyber Magna is no longer available.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "LocateAttachment",
      "name": "LocateAttachment",
      "description": "Deprecated. Identify whether the incident includes an attached file. Optional typefilter argument can be used to only match if the filetype includes that string. Same for filename. Filetype is according to the linux \"file\" command (filemagic format identification).",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "MarketplacePackInstaller",
      "name": "MarketplacePackInstaller",
      "description": "Deprecated. Use ContentPackInstaller instead.",
      "note": "Use ContentPackInstaller instead.",
      "maintenance_start": "Jan 01, 2022",
      "eol_start": "Jul 01, 2022"
    },
    {
      "id": "MatchIPinCIDRIndicators",
      "name": "MatchIPinCIDRIndicators",
      "description": "Deprecated. No available replacement. > Match provided IP address in all the Indicators of type CIDR with the provided tags (longest match).",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "MatchRegex",
      "name": "MatchRegex",
      "description": "Deprecated. Use the **MatchRegexV2** script instead.",
      "note": "Use the **MatchRegexV2** script instead.",
      "maintenance_start": "Feb 01, 2022",
      "eol_start": "Aug 01, 2022"
    },
    {
      "id": "MD5Extract",
      "name": "MD5Extract",
      "description": "Deprecated. Extract md5s from the given text and place them both as output and in the context of a playbook",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "MimecastQuery",
      "name": "MimecastQuery",
      "description": "Deprecated. Use mimecast-query command instead.",
      "note": "Use mimecast-query command instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "misp_download_sample",
      "name": "misp_download_sample",
      "description": "Deprecated. No available replacement. Download malicious file sample from MISP.",
      "note": "No available replacement.",
      "maintenance_start": "Feb 01, 2019",
      "eol_start": "Aug 01, 2019"
    },
    {
      "id": "misp_upload_sample",
      "name": "misp_upload_sample",
      "description": "Deprecated. No available replacement. Upload malicious file sample to MISP.",
      "note": "No available replacement.",
      "maintenance_start": "Feb 01, 2019",
      "eol_start": "Aug 01, 2019"
    },
    {
      "id": "MitreIDLayoutDynamicSection",
      "name": "MitreIDLayoutDynamicSection",
      "description": "Deprecated. Use FeedMitreAttackv2 instead.",
      "note": "Use FeedMitreAttackv2 instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "MITREIndicatorsByOpenIncidents",
      "name": "MITREIndicatorsByOpenIncidents",
      "description": "Deprecated. Use FeedMitreAttackv2 instead.",
      "note": "Use FeedMitreAttackv2 instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "MitreNameLayoutDynamicSection",
      "name": "MitreNameLayoutDynamicSection",
      "description": "Deprecated. Use FeedMitreAttackv2 instead.",
      "note": "Use FeedMitreAttackv2 instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "NessusCreateScan",
      "name": "NessusCreateScan",
      "description": "Deprecated. Creates a new scan",
      "note": "",
      "maintenance_start": "Oct 01, 2017",
      "eol_start": "Apr 01, 2018"
    },
    {
      "id": "NessusGetReport",
      "name": "NessusGetReport",
      "description": "Deprecated. Get report for a scan. Triggers an export in the requested file format, waits 5 minutes for it to complete (or whatever timeout given as an argument) , and downloads the report.",
      "note": "",
      "maintenance_start": "Oct 01, 2017",
      "eol_start": "Apr 01, 2018"
    },
    {
      "id": "NessusHostDetails",
      "name": "NessusHostDetails",
      "description": "Deprecated. Display information about a host within the given scan. The numerical host ID can be retrieved using NessusScanDetails \"hosts\" section",
      "note": "",
      "maintenance_start": "Oct 01, 2017",
      "eol_start": "Apr 01, 2018"
    },
    {
      "id": "NessusLaunchScan",
      "name": "NessusLaunchScan",
      "description": "Deprecated. Launch an existing scan.",
      "note": "",
      "maintenance_start": "Oct 01, 2017",
      "eol_start": "Apr 01, 2018"
    },
    {
      "id": "NessusListScans",
      "name": "NessusListScans",
      "description": "Deprecated. Display the list of folders and scans from Nessus.",
      "note": "",
      "maintenance_start": "Oct 01, 2017",
      "eol_start": "Apr 01, 2018"
    },
    {
      "id": "NessusScanDetails",
      "name": "NessusScanDetails",
      "description": "Deprecated. Show information about the specified scan.",
      "note": "",
      "maintenance_start": "Oct 01, 2017",
      "eol_start": "Apr 01, 2018"
    },
    {
      "id": "NessusScanStatus",
      "name": "NessusScanStatus",
      "description": "Deprecated. Retrieve current status for the specified scan.",
      "note": "",
      "maintenance_start": "Oct 01, 2017",
      "eol_start": "Apr 01, 2018"
    },
    {
      "id": "NessusShowEditorTemplates",
      "name": "NessusShowEditorTemplates",
      "description": "Deprecated. Show templates of the scan editor including the UUIDs needed to create a new scan.",
      "note": "",
      "maintenance_start": "Oct 01, 2017",
      "eol_start": "Apr 01, 2018"
    },
    {
      "id": "NetwitnessSAUpdateIncident",
      "name": "NetwitnessSAUpdateIncident",
      "description": "Deprecated. Update information for NetWitness SA incidents.",
      "note": "",
      "maintenance_start": "Jul 01, 2017",
      "eol_start": "Jan 01, 2018"
    },
    {
      "id": "NexposeCreateIncidentsFromAssets",
      "name": "NexposeCreateIncidentsFromAssets",
      "description": "Deprecated. No available replacement.\nCreate incidents based on the Nexpose asset ID and vulnerability ID.\nDuplicate incidents are not created for the same asset ID and vulnerability ID.",
      "note": "No available replacement.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "O365SearchEmails",
      "name": "O365SearchEmails",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "840aa9a7-04b2-4505-8238-8fe85f010dde",
      "name": "OktaActivateUser",
      "description": "Deprecated. Activate user",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "da330ce7-3a93-430c-8454-03b96cf5184e",
      "name": "OktaCreateUser",
      "description": "Deprecated. Creates a new user with an option of setting password, recovery question & answer. The new user will immediately be able to login after activation with the assigned password. This flow is common when developing a custom user registration experience.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "94f72ed9-49c8-40e5-89bb-7c98f914d2cc",
      "name": "OktaDeactivateUser",
      "description": "Deprecated. Deactivate user",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "10cb3486-48f3-4d93-88af-b6be84ffd432",
      "name": "OktaGetGroups",
      "description": "Deprecated. Get all user groups",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "a6e348f4-1e40-4365-870c-52139c60779a",
      "name": "OktaGetUser",
      "description": "Deprecated. Fetches a specific user when you know the user\u2019s login, please note that one of the parameters below is mandatory.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "82764532-0a4f-4b59-8cf9-fe1a00cabdae",
      "name": "OktaSearch",
      "description": "Deprecated. Search for Okta users",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "3dd62013-4fed-43eb-8ae4-91b1b4250599",
      "name": "OktaSetPassword",
      "description": "Deprecated. Set a new password for user",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "514ec833-c02c-49a3-8ac6-d982198f5fa0",
      "name": "OktaUpdateUser",
      "description": "Deprecated. Update user with a given login, all fields are optional, fields which are not set will not be overridden",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "OSQueryLoggedInUsers",
      "name": "OSQueryLoggedInUsers",
      "description": "Deprecated. Use OSQueryBasicQuery with query='select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;' instead.",
      "note": "Use OSQueryBasicQuery with query='select liu.*, p.name, p.cmdline, p.cwd, p.root from logged_in_users liu, processes p where liu.pid = p.pid;' instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "OSQueryOpenSockets",
      "name": "OSQueryOpenSockets",
      "description": "Deprecated. Use OSQueryBasicQuery with query='select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path `<>` '' or remote_address `<>` '';' instead.",
      "note": "Use OSQueryBasicQuery with query='select distinct pid, family, protocol, local_address, local_port, remote_address, remote_port, path from process_open_sockets where path `<>` '' or remote_address `<>` '';' instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "OSQueryProcesses",
      "name": "OSQueryProcesses",
      "description": "Deprecated. Use OSQueryBasicQuery with query='select * from processes' instead.",
      "note": "Use OSQueryBasicQuery with query='select * from processes' instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "OSQueryUsers",
      "name": "OSQueryUsers",
      "description": "Deprecated. Use OSQueryBasicQuery with query='select * from users;' instead.",
      "note": "Use OSQueryBasicQuery with query='select * from users;' instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "PanoramaBlockIP",
      "name": "PanoramaBlockIP",
      "description": "Deprecated. Blocks IP with Panorama",
      "note": "",
      "maintenance_start": "Jan 01, 2019",
      "eol_start": "Jul 01, 2019"
    },
    {
      "id": "PanoramaCommit",
      "name": "PanoramaCommit",
      "description": "Deprecated. Commit configuration to panorama",
      "note": "",
      "maintenance_start": "Jan 01, 2019",
      "eol_start": "Jul 01, 2019"
    },
    {
      "id": "PanoramaConfig",
      "name": "PanoramaConfig",
      "description": "Deprecated. Set panorama configuration",
      "note": "",
      "maintenance_start": "Jan 01, 2019",
      "eol_start": "Jul 01, 2019"
    },
    {
      "id": "PanoramaDynamicAddressGroup",
      "name": "PanoramaDynamicAddressGroup",
      "description": "Deprecated. Register/Unregister to address group with Panorama",
      "note": "",
      "maintenance_start": "Jan 01, 2019",
      "eol_start": "Jul 01, 2019"
    },
    {
      "id": "PanoramaMove",
      "name": "PanoramaMove",
      "description": "Deprecated. Use the \"panorama-move-rule\" command instead.",
      "note": "Use the \"panorama-move-rule\" command instead.",
      "maintenance_start": "Jan 01, 2019",
      "eol_start": "Jul 01, 2019"
    },
    {
      "id": "PanoramaPcaps",
      "name": "PanoramaPcaps",
      "description": "Deprecated. Use the \"panorama-get-pcap\" command instead.",
      "note": "Use the \"panorama-get-pcap\" command instead.",
      "maintenance_start": "Jan 01, 2019",
      "eol_start": "Jul 01, 2019"
    },
    {
      "id": "ParseEmailFile",
      "name": "ParseEmailFile",
      "description": "Deprecated. Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the \"Label/x\" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook. Requires pip and access to python repository to install \"olefile\" package. This script is deprecated, use ParseEmailFiles.",
      "note": "",
      "maintenance_start": "Apr 01, 2019",
      "eol_start": "Oct 01, 2019"
    },
    {
      "id": "ParseEmailFiles",
      "name": "ParseEmailFiles",
      "description": "Deprecated. Use ParseEmailFilesV2 instead. Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the \"Label/x\" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook.",
      "note": "Use ParseEmailFilesV2 instead.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "ParseEmailHeader",
      "name": "ParseEmailHeaders",
      "description": "Deprecated. Use `ParseEmailFiles parse_only_headers=true` instead. This automation parses headers from an email file.",
      "note": "",
      "maintenance_start": "Apr 01, 2019",
      "eol_start": "Oct 01, 2019"
    },
    {
      "id": "PCAPMiner",
      "name": "PCAPMiner",
      "description": "Deprecated. Use PCAPMinerV2 instead. PCAPMiner is a tool to parse PCAP files and will return things like extracted files that are found, HTTP flows, and a variety of other information. It uses a docker instance located on docker hub trorabaugh/dempcap:1.0. To use, simply upload a PCAP file and then run PCAPMiner entryId=\"<your_entry_id>\". To get the entry id, click on the link in the top right-hand corner of a file attachment.",
      "note": "Use PCAPMinerV2 instead.",
      "maintenance_start": "Dec 01, 2020",
      "eol_start": "Jun 01, 2021"
    },
    {
      "id": "PhishingDedupPreprocessingRule",
      "name": "PhishingDedupPreprocessingRule",
      "description": "Deprecated. Use the FindDuplicateEmailIncidents script instead.",
      "note": "Use the FindDuplicateEmailIncidents script instead.",
      "maintenance_start": "Jan 01, 2021",
      "eol_start": "Jul 01, 2021"
    },
    {
      "id": "ProofpointDecodeURL",
      "name": "ProofpointDecodeURL",
      "description": "Deprecated. Use UnEscapeURLs instead. Decode ProofPoint URLs to get the actual URLs.",
      "note": "Use UnEscapeURLs instead.",
      "maintenance_start": "Dec 01, 2019",
      "eol_start": "Jun 01, 2020"
    },
    {
      "id": "PWEventDetails",
      "name": "PWEventDetails",
      "description": "Deprecated. Retrieve details for a specific event from ProtectWise",
      "note": "",
      "maintenance_start": "Sep 01, 2017",
      "eol_start": "Mar 01, 2018"
    },
    {
      "id": "PWEventPcapDownload",
      "name": "PWEventPcapDownload",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "PWEventPcapInfo",
      "name": "PWEventPcapInfo",
      "description": "Deprecated. Retrieve information about a PCAP related to the specified event.",
      "note": "",
      "maintenance_start": "Sep 01, 2017",
      "eol_start": "Mar 01, 2018"
    },
    {
      "id": "PWEvents",
      "name": "PWEvents",
      "description": "Deprecated. Retrieve events from ProtectWise. If query does not include a time range - default to the last 24 hrs.",
      "note": "",
      "maintenance_start": "Sep 01, 2017",
      "eol_start": "Mar 01, 2018"
    },
    {
      "id": "PWFindEvents",
      "name": "PWFindEvents",
      "description": "Deprecated. Retrieve events from ProtectWise. If query does not include a time range - default to the last 24 hrs.",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "PWObservationDetails",
      "name": "PWObservationDetails",
      "description": "Deprecated. Display details about the specified ProtectWise Observation.",
      "note": "",
      "maintenance_start": "Sep 01, 2017",
      "eol_start": "Mar 01, 2018"
    },
    {
      "id": "PWObservationPcapDownload",
      "name": "PWObservationPcapDownload",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "PWObservationPcapInfo",
      "name": "PWObservationPcapInfo",
      "description": "Deprecated. Display information about the PCAPs related to the specified ProtectWise Observations.",
      "note": "",
      "maintenance_start": "Sep 01, 2017",
      "eol_start": "Mar 01, 2018"
    },
    {
      "id": "PWObservations",
      "name": "PWObservations",
      "description": "Deprecated. Query for ProtectWise observations. Supports a comma-separated list of sensor IDs - will query each sensor with the given parameters.",
      "note": "",
      "maintenance_start": "Sep 01, 2017",
      "eol_start": "Mar 01, 2018"
    },
    {
      "id": "PWSensors",
      "name": "PWSensors",
      "description": "Deprecated. List the available ProtectWise sensors or retrieve information for a specific sensor using its id",
      "note": "",
      "maintenance_start": "Sep 01, 2017",
      "eol_start": "Mar 01, 2018"
    },
    {
      "id": "QRadarClassifier",
      "name": "QRadarClassifier",
      "description": "Deprecated. No available replacement. This script classifies QRadar incidents.\\nThe 'QRADAR_CATEGORIES' dictionary translates QRadar 'High level Categories' to their 'Demisto Types' counterparts.\\n\\nFor custom categories, use the 'customCategories' argument.\\nThe offense high level category will be put to context.",
      "note": "No available replacement.",
      "maintenance_start": "Mar 01, 2022",
      "eol_start": "Sep 01, 2022"
    },
    {
      "id": "QRadarFullSearch",
      "name": "QRadarFullSearch",
      "description": "Deprecated. No available replacement. This script runs a QRadar query and returns its results to the war-room.",
      "note": "No available replacement.",
      "maintenance_start": "Mar 01, 2022",
      "eol_start": "Sep 01, 2022"
    },
    {
      "id": "QRadarGetCorrelationLogs",
      "name": "QRadarGetCorrelationLogs",
      "description": "Deprecated. Use the **QRadarCorrelationLog** playbook instead. Return the QRadar Correlation logs if exist",
      "note": "Use the **QRadarCorrelationLog** playbook instead.",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "QRadarGetOffenseCorrelations",
      "name": "QRadarGetOffenseCorrelations",
      "description": "Deprecated. Use the QradarGetOffenseCorrlations_v2 Playbook instead. Return the QRadar offense correlations if exist in logs.",
      "note": "Use the QradarGetOffenseCorrlations_v2 Playbook instead.",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "QrFullSearch",
      "name": "QrFullSearch",
      "description": "Deprecated. Full search through QRadar advance query languages",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "QrGetSearch",
      "name": "QrGetSearch",
      "description": "Deprecated. Gets a specific search id",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "QrGetSearchResults",
      "name": "QrGetSearchResults",
      "description": "Deprecated. Gets search results",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "QrOffenses",
      "name": "QrOffenses",
      "description": "Deprecated. Gets offenses from qradar",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "QrSearches",
      "name": "QrSearches",
      "description": "Deprecated. Searches in QRadar",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "RapidBreachResponseParseBlog",
      "name": "RapidBreachResponseParseBlog",
      "description": "Deprecated. Use \"ParseHTMLIndicators\" instead. Parse Volexity request blog.",
      "note": "Use \"ParseHTMLIndicators\" instead.",
      "maintenance_start": "Aug 01, 2021",
      "eol_start": "Feb 01, 2022"
    },
    {
      "id": "ReadPDFFile",
      "name": "ReadPDFFile",
      "description": "Deprecated. Load the contents and metadata of a PDF file into context.",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "RecordedFutureDomainRiskList",
      "name": "RecordedFutureDomainRiskList",
      "description": "Deprecated. Use Recorded Future v2 instead.",
      "note": "Use Recorded Future v2 instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "RecordedFutureHashRiskList",
      "name": "RecordedFutureHashRiskList",
      "description": "Deprecated. Use Recorded Future v2 instead.",
      "note": "Use Recorded Future v2 instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "RecordedFutureIPRiskList",
      "name": "RecordedFutureIPRiskList",
      "description": "Deprecated. Use Recorded Future v2 instead.",
      "note": "Use Recorded Future v2 instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "RecordedFutureURLRiskList",
      "name": "RecordedFutureURLRiskList",
      "description": "Deprecated. Use Recorded Future v2 instead.",
      "note": "Use Recorded Future v2 instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "RecordedFutureVulnerabilityRiskList",
      "name": "RecordedFutureVulnerabilityRiskList",
      "description": "Deprecated. Use Recorded Future v2 instead.",
      "note": "Use Recorded Future v2 instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "RegCollectValues",
      "name": "RegCollectValues",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "RegPathReputationBasicLists",
      "name": "RegPathReputationBasicLists",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "RegProbeBasic",
      "name": "RegProbeBasic",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "RSAArcherManualFetch",
      "name": "RSAArcherManualFetch",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "RunSqlQuery",
      "name": "RunSqlQuery",
      "description": "Deprecated. Query a relational DB using SQL",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "SandboxDetonateFile",
      "name": "SandboxDetonateFile",
      "description": "Deprecated. This script is deprecated. Use the available generic file detonation playbooks instead.",
      "note": "Use the available generic file detonation playbooks instead.",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "SaneDocReports",
      "name": "SaneDocReports",
      "description": "Parse Sane-json-reports and export them as docx files (used internally).",
      "note": "",
      "maintenance_start": "Mar 01, 2020",
      "eol_start": "Sep 01, 2020"
    },
    {
      "id": "SbDownload",
      "name": "SbDownload",
      "description": "Deprecated. Use Check Point Threat Emulation (SandBlast) instead. Query, upload and download data using Check Point Sandblast on cloud.",
      "note": "Use Check Point Threat Emulation (SandBlast) instead.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "SbQuery",
      "name": "SbQuery",
      "description": "Deprecated. Use Check Point Threat Emulation (SandBlast) instead. Query, upload and download data using Check Point Sandblast on cloud.",
      "note": "Use Check Point Threat Emulation (SandBlast) instead.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "SbQuota",
      "name": "SbQuota",
      "description": "Deprecated. Use Check Point Threat Emulation (SandBlast) instead. Query, upload and download data using Check Point Sandblast on cloud.",
      "note": "Use Check Point Threat Emulation (SandBlast) instead.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "SbUpload",
      "name": "SbUpload",
      "description": "Deprecated. Use Check Point Threat Emulation (SandBlast) instead. Query, upload and download data using Check Point Sandblast on cloud.",
      "note": "Use Check Point Threat Emulation (SandBlast) instead.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "SearchCases",
      "name": "SearchCases",
      "description": "Retrieves cases based on the provided filters.",
      "note": "",
      "maintenance_start": "Jan 01, 2026",
      "eol_start": "Jul 01, 2026"
    },
    {
      "id": "SearchIncidents",
      "name": "SearchIncidents",
      "description": "Deprecated. Use SearchIncidentsV2 instead.",
      "note": "Use SearchIncidentsV2 instead.",
      "maintenance_start": "Mar 01, 2020",
      "eol_start": "Sep 01, 2020"
    },
    {
      "id": "SendEmail",
      "name": "SendEmail",
      "description": "Deprecated. Please use the send-mail command instead. Send an email with the specified parameters. Attachments are provided as a comma-separated list of entry IDs. Example usage -  !SendEmail subject=\"File from war room\" body=\"Please see the attached file. --DBot\" to=jane@acme.com cc=john@acme.com attachIDs=89@3,46@3",
      "note": "Please use the send-mail command instead. Send an email with the specified parameters.",
      "maintenance_start": "Jun 01, 2019",
      "eol_start": "Dec 01, 2019"
    },
    {
      "id": "2aa9f737-8c7c-42f5-815f-4d104bb3af06",
      "name": "SEPScan",
      "description": "Deprecated. Scans ip/hostname with Symantec Endpoint Protection. DEPRECATED - this automation is deprecated as it was replaced by `sep-scan-endpoint` command in 'Symantec Endpoint Protection V2' integration.",
      "note": "",
      "maintenance_start": "Feb 01, 2019",
      "eol_start": "Aug 01, 2019"
    },
    {
      "id": "SetIncidentCustomFields",
      "name": "SetIncidentCustomFields",
      "description": "Deprecated. Sets current incident custom fields. (Deprecated. Use the setIncident command to set incident custom fields.)",
      "note": "",
      "maintenance_start": "Feb 01, 2019",
      "eol_start": "Aug 01, 2019"
    },
    {
      "id": "SetSeverityByScore",
      "name": "SetSeverityByScore",
      "description": "Deprecated. Calculate a weighted score based on the number of malicious indicators involved in the incident. Each indicator type can have a different weight. Finally, if the score exceeds certain thresholds, increase incident severity. Thresholds can also be overridden by providing them in arguments.",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "SlackAskUser",
      "name": "SlackAskUser",
      "description": "Deprecated. Use the SlackAsk script instead.",
      "note": "Use the SlackAsk script instead.",
      "maintenance_start": "Sep 01, 2019",
      "eol_start": "Mar 01, 2020"
    },
    {
      "id": "SlackMirror",
      "name": "SlackMirror",
      "description": "Deprecated. Mirror an incident to a Slack private channel. You can choose what to mirror with the type argument. A Slack private channel will be created and the incident team invited. Messages on Slack will be reflected in the war room and vice versa.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "SlackSend",
      "name": "SlackSend",
      "description": "Deprecated. Send messages to Slack teams",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "SNListTickets",
      "name": "SNListTickets",
      "description": "Deprecated. List tickets from ServiceNow",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "SnmpDetection",
      "name": "SnmpDetection",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "May 01, 2025",
      "eol_start": "Nov 01, 2025"
    },
    {
      "id": "SNOpenTicket",
      "name": "SNOpenTicket",
      "description": "Deprecated. Create a ServiceNow ticket.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "SNUpdateTicket",
      "name": "SNUpdateTicket",
      "description": "Deprecated. Update a ServiceNow ticket.",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "SplunkEmailParser",
      "name": "SplunkEmailParser",
      "description": "Deprecated. Classify an incident created from an email originating from Splunk.\\nThe mail type should be in plain text, and inline -  table should be selected.\\nParsing is done in the following manner -\\ntype is the header sourcetype, severity is the mail importance level, \\nthe incident name is the mail subject and the systems are taken from host.",
      "note": "",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "SplunkPySearch",
      "name": "SplunkPySearch",
      "description": "Deprecated. No available replacement. Run a query through Splunk and format the results as a table.",
      "note": "No available replacement.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "SplunkSearch",
      "name": "SplunkSearch",
      "description": "Deprecated. Run a query through Splunk and format the results as a table",
      "note": "",
      "maintenance_start": "Jun 01, 2017",
      "eol_start": "Dec 01, 2017"
    },
    {
      "id": "SplunkSearchJsonPy",
      "name": "SplunkSearchJsonPy",
      "description": "Deprecated. Run a query through Splunk and format the results as a markdown with raw data parsed as JSON",
      "note": "",
      "maintenance_start": "Jun 01, 2017",
      "eol_start": "Dec 01, 2017"
    },
    {
      "id": "TaniumApprovePendingActions",
      "name": "TaniumApprovePendingActions",
      "description": "Deprecated. Approve all pending actions using the specified package names.",
      "note": "",
      "maintenance_start": "Dec 01, 2017",
      "eol_start": "Jun 01, 2018"
    },
    {
      "id": "TaniumAskQuestion",
      "name": "TaniumAskQuestion",
      "description": "Deprecated. Send a request for a formatted result of a\u00a0saved question. To receive the most up to date data, run the same command twice. See https://kb.tanium.com/SOAP for more information",
      "note": "",
      "maintenance_start": "Dec 01, 2017",
      "eol_start": "Jun 01, 2018"
    },
    {
      "id": "TaniumAskQuestionComplex",
      "name": "TaniumAskQuestionComplex",
      "description": "Deprecated. TaniumAskQuestionComplex - same as the AskQuestion command with additional filtering prepared by the script (an XML subsection added to the request).",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "TaniumDeployAction",
      "name": "TaniumDeployAction",
      "description": "Deprecated. Execute an action, optionally with parameters, and filtering - based on an existing package. See https://kb.tanium.com/SOAP for more information",
      "note": "",
      "maintenance_start": "Dec 01, 2017",
      "eol_start": "Jun 01, 2018"
    },
    {
      "id": "TaniumFilterComputersByIndexQueryFileDetails",
      "name": "TaniumFilterComputersByIndexQueryFileDetails",
      "description": "Deprecated. Use tn-ask-question instead.",
      "note": "Use tn-ask-question instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "TaniumFindRunningProcesses",
      "name": "TaniumFindRunningProcesses",
      "description": "Deprecated. TaniumAskQuestionComplex - same as the AskQuestion command with additional filtering prepared by the script (an XML subsection added to the request).",
      "note": "",
      "maintenance_start": "Dec 01, 2017",
      "eol_start": "Jun 01, 2018"
    },
    {
      "id": "TaniumShowPendingActions",
      "name": "TaniumShowPendingActions",
      "description": "Deprecated. Send a request for a formatted result of a\u00a0saved question. To receive the most up to date data, run the same command twice. See https://kb.tanium.com/SOAP for more information",
      "note": "",
      "maintenance_start": "Dec 01, 2017",
      "eol_start": "Jun 01, 2018"
    },
    {
      "id": "TrendmicroAlertStatus",
      "name": "TrendmicroAlertStatus",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2022",
      "eol_start": "Feb 01, 2023"
    },
    {
      "id": "TrendmicroAntiMalwareEventRetrieve",
      "name": "TrendmicroAntiMalwareEventRetrieve",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2022",
      "eol_start": "Feb 01, 2023"
    },
    {
      "id": "TrendMicroClassifier",
      "name": "TrendMicroClassifier",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2022",
      "eol_start": "Feb 01, 2023"
    },
    {
      "id": "TrendMicroGetHostID",
      "name": "TrendMicroGetHostID",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2022",
      "eol_start": "Feb 01, 2023"
    },
    {
      "id": "TrendMicroGetPolicyID",
      "name": "TrendMicroGetPolicyID",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2022",
      "eol_start": "Feb 01, 2023"
    },
    {
      "id": "TrendmicroHostAntimalwareScan",
      "name": "TrendmicroHostAntimalwareScan",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2022",
      "eol_start": "Feb 01, 2023"
    },
    {
      "id": "TrendmicroHostRetrieveAll",
      "name": "TrendmicroHostRetrieveAll",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2022",
      "eol_start": "Feb 01, 2023"
    },
    {
      "id": "TrendmicroSecurityProfileAssignToHost",
      "name": "TrendmicroSecurityProfileAssignToHost",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2022",
      "eol_start": "Feb 01, 2023"
    },
    {
      "id": "TrendmicroSecurityProfileRetrieveAll",
      "name": "TrendmicroSecurityProfileRetrieveAll",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2022",
      "eol_start": "Feb 01, 2023"
    },
    {
      "id": "TrendmicroSystemEventRetrieve",
      "name": "TrendmicroSystemEventRetrieve",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2022",
      "eol_start": "Feb 01, 2023"
    },
    {
      "id": "TriagePhishing",
      "name": "TriagePhishing",
      "description": "Deprecated. Process a suspected email and check URLs, attachments and sender via reputation services",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "UnPackFile",
      "name": "UnPackFile",
      "description": "Deprecated. Use the UnzipFile script instead. UnPack a file using fileName or entryID to specify a file. Files unpacked will be pushed to the war room and names will be pushed to the context.\nsupported types are:\n7z (.7z), ACE (.ace), ALZIP (.alz), AR (.a), ARC (.arc), ARJ (.arj), BZIP2 (.bz2), CAB (.cab), compress (.Z), CPIO (.cpio), DEB (.deb), DMS (.dms), GZIP (.gz), LRZIP (.lrz), LZH (.lha, .lzh), LZIP (.lz), LZMA (.lzma), LZOP (.lzo), RPM (.rpm), RAR (.rar), RZIP (.rz), TAR (.tar), XZ (.xz), ZIP (.zip, .jar) and ZOO (.zoo)",
      "note": "Use the UnzipFile script instead.",
      "maintenance_start": "Dec 01, 2021",
      "eol_start": "Jun 01, 2022"
    },
    {
      "id": "URLExtract",
      "name": "URLExtract",
      "description": "Deprecated. Extract URLs from the given text and place them both as output and in the context of a playbook",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "UserEnrichAD",
      "name": "UserEnrichAD",
      "description": "Deprecated. Use ADGetUser instead.",
      "note": "Use ADGetUser instead.",
      "maintenance_start": "Oct 01, 2022",
      "eol_start": "Apr 01, 2023"
    },
    {
      "id": "VectraClassifier",
      "name": "VectraClassifier",
      "description": "Deprecated. Classifying Vectra incidents",
      "note": "",
      "maintenance_start": "Nov 01, 2017",
      "eol_start": "May 01, 2018"
    },
    {
      "id": "VectraDetections",
      "name": "VectraDetections",
      "description": "Deprecated. Detection objects contain all the information related to security events detected on the network",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "VectraGetDetetctionsById",
      "name": "VectraGetDetetctionsById",
      "description": "Deprecated. Get detections by host id",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "VectraGetHostById",
      "name": "VectraGetHostById",
      "description": "Deprecated. Get host by id",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "VectraHealth",
      "name": "VectraHealth",
      "description": "Deprecated. The health configuration can be used to retrieve system health statistics such as subnet counts, traffic bandwidth, headend and sensor information",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "VectraHosts",
      "name": "VectraHosts",
      "description": "Deprecated. Host information includes data that correlates the host data to detected security events",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "VectraSensors",
      "name": "VectraSensors",
      "description": "Deprecated. The sensors branch can retrieve a listing of sensors that collect and feed data to the X-series",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "VectraSettings",
      "name": "VectraSettings",
      "description": "Deprecated. The settings information includes S-series sensor and X-series configurations input by the administrator",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "VectraSummary",
      "name": "VectraSummary",
      "description": "Deprecated. Summarize a Vectra incident (after the incident was put into context)\\nThe script extracts malicious IPs and hashes if they exist",
      "note": "",
      "maintenance_start": "Nov 01, 2017",
      "eol_start": "May 01, 2018"
    },
    {
      "id": "VectraTriage",
      "name": "VectraTriage",
      "description": "Deprecated. The rules branch can be used to retrieve a listing of configured Triage rules.",
      "note": "",
      "maintenance_start": "Jun 01, 2020",
      "eol_start": "Dec 01, 2020"
    },
    {
      "id": "dbbdc2e4-6105-4ee9-8e83-563a4b991a89",
      "name": "VirustotalIsMalicious",
      "description": "Deprecated. Query Virustotal with a file hash",
      "note": "",
      "maintenance_start": "Feb 01, 2018",
      "eol_start": "Aug 01, 2018"
    },
    {
      "id": "7b02fa0f-94ff-48c7-8350-b4e353702e73",
      "name": "VMRay",
      "description": "Deprecated. Use the \"Detonate File - VMRay\" playbook instead.",
      "note": "",
      "maintenance_start": "Jun 01, 2019",
      "eol_start": "Dec 01, 2019"
    },
    {
      "id": "9364c36f-b1d6-4233-88c2-75008b106c31",
      "name": "vmray_getResults",
      "description": "Deprecated. Use the \"Detonate File - VMRay\" playbook instead.",
      "note": "",
      "maintenance_start": "Jun 01, 2019",
      "eol_start": "Dec 01, 2019"
    },
    {
      "id": "Volatility",
      "name": "Volatility",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "f99a85a6-c572-4c3a-8afd-5b4ac539000a",
      "name": "WhileNotExistLoop",
      "description": "Deprecated. While loop is a utility script for running while loops on specific commands or scripts; it lets you loop until the ${keyToWatch} field is in the context. Please make sure the timeout of the script is also sufficient for the loop.",
      "note": "",
      "maintenance_start": "Oct 01, 2018",
      "eol_start": "Apr 01, 2019"
    },
    {
      "id": "7b5c080e-f3b1-411a-83b0-e1f53c21bef8",
      "name": "WhileNotMdLoop",
      "description": "Deprecated. While not MD loop is a utility script for running while loops on specific commands; it lets you loop until some condition is fulfilled (Contents (MD) != value). Please make sure the timeout of the script is also sufficient for the loop.",
      "note": "",
      "maintenance_start": "Oct 01, 2018",
      "eol_start": "Apr 01, 2019"
    },
    {
      "id": "80b5c44c-4eac-4e00-812f-6d409d57be31",
      "name": "WhoisLookup",
      "description": "Deprecated. Do WHOIS lookup on multiple domains",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "WhoisSummary",
      "name": "WhoisSummary",
      "description": "Deprecated. A simple script that outputs a shorter summary of the !whois command output",
      "note": "",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "WildfireReport",
      "name": "WildfireReport",
      "description": "Deprecated. Use the \"wildfire-report\" command instead.",
      "note": "Use the \"wildfire-report\" command instead.",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "WildfireUpload",
      "name": "WildfireUpload",
      "description": "Deprecated. Use the \"wildfire-upload\" command instead.",
      "note": "Use the \"wildfire-upload\" command instead.",
      "maintenance_start": "May 01, 2017",
      "eol_start": "Nov 01, 2017"
    },
    {
      "id": "WordTokenizer",
      "name": "WordTokenizer",
      "description": "Deprecated. Use DBotPreProcessTextData instead.",
      "note": "Use DBotPreProcessTextData instead.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "WordTokenizerNLP",
      "name": "WordTokenizerNLP",
      "description": "Deprecated. Use DBotPreProcessTextData instead.",
      "note": "Use DBotPreProcessTextData instead.",
      "maintenance_start": "Nov 01, 2021",
      "eol_start": "May 01, 2022"
    },
    {
      "id": "XBInfo",
      "name": "XBInfo",
      "description": "Deprecated. This script is deprecated. Use the Exabeam integration instead.",
      "note": "Use the Exabeam integration instead.",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "XBLockouts",
      "name": "XBLockouts",
      "description": "Deprecated. This script is deprecated. Use the Exabeam integration instead.",
      "note": "Use the Exabeam integration instead.",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "XBNotable",
      "name": "XBNotable",
      "description": "Deprecated. This script is deprecated. Use the Exabeam integration instead.",
      "note": "Use the Exabeam integration instead.",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "XBTimeline",
      "name": "XBTimeline",
      "description": "Deprecated. This script is deprecated. Use the Exabeam integration instead.",
      "note": "Use the Exabeam integration instead.",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "XBTriggeredRules",
      "name": "XBTriggeredRules",
      "description": "Deprecated. This script is deprecated. Use the Exabeam integration instead.",
      "note": "Use the Exabeam integration instead.",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "XBUser",
      "name": "XBUser",
      "description": "Deprecated. This script is deprecated. Use the Exabeam integration instead.",
      "note": "Use the Exabeam integration instead.",
      "maintenance_start": "Jul 01, 2020",
      "eol_start": "Jan 01, 2021"
    },
    {
      "id": "XDRSyncScript",
      "name": "XDRSyncScript",
      "description": "Deprecated. No available replacement. Syncs a single incident between Demisto and XDR. This script always uses the xdr-get-incident-extra-data command and outputs to the context the entire incident JSON. When the incident is updated in XDR, the Demisto incident will be updated accordingly and the default playbook will rerun. When an incident is updated in Demisto, the script will execute the xdr-update-incident command and update the incident in XDR.",
      "note": "No available replacement.",
      "maintenance_start": "Oct 01, 2020",
      "eol_start": "Apr 01, 2021"
    }
  ],
  "playbooks": [
    {
      "id": "Access Investigation - QRadar",
      "name": "Access Investigation - QRadar",
      "description": "Deprecated. No available replacement. This playbook uses the QRadar integration to investigate an access incident by gathering user and IP information.\n\nThe playbook then interacts with the user that triggered the incident to confirm whether or not they initiated the access action.",
      "note": "No available replacement.",
      "maintenance_start": "Apr 01, 2025",
      "eol_start": "Oct 01, 2025"
    },
    {
      "id": "Account Enrichment",
      "name": "Account Enrichment",
      "description": "Deprecated. Use the \"Account Enrichment - Generic v2.1\" playbook instead. Enrich the accounts under the Account context key with details from relevant integrations such as AD.",
      "note": "Use the \"Account Enrichment - Generic v2.1\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Account Enrichment - Generic",
      "name": "Account Enrichment - Generic",
      "description": "Deprecated. Use \"Account Enrichment - Generic v2.1\" playbook instead. Enrich Accounts using one or more integrations",
      "note": "Use \"Account Enrichment - Generic v2.1\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Account Enrichment - Generic v2",
      "name": "Account Enrichment - Generic v2",
      "description": "Deprecated. Use \"Account Enrichment - Generic v2.1\" playbook instead.\\ \\ Enrich accounts using one or more integrations. Supported integrations - - Active Directory",
      "note": "Use \"Account Enrichment - Generic v2.1\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Add Indicator to Miner - Palo Alto MineMeld",
      "name": "Add Indicator to Miner - Palo Alto MineMeld",
      "description": "Deprecated. Add indicators to the relevant Miner using MineMeld.",
      "note": "",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Archer initiate incident",
      "name": "Archer initiate incident",
      "description": "Deprecated. Use the `archer-get-file` command directly instead. initiate Archer incident",
      "note": "Use the `archer-get-file` command directly instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "Autofocus - File Indicators Hunting",
      "name": "Autofocus - File Indicators Hunting",
      "description": "Deprecated. No available replacement. The playbook queries the PANW Autofocus session and samples log data for file indicators such as MD5, SHA256, and SHA1 hashes. \n\nA simple search mode is used to query Autofocus based on the file indicators specified in the playbook inputs. Advanced search mode queries can also be used with multiple query parameters, but require all field names, parameters, and operators (JSON format) to be specified. \nWe recommend using the Autofocus UI to create an advanced query, exporting it, and pasting it into the relevant playbook inputs. \n\nNote that multiple search values should be separated by commas only (without spaces or any special characters).",
      "note": "No available replacement.",
      "maintenance_start": "Nov 01, 2025",
      "eol_start": "May 01, 2026"
    },
    {
      "id": "Autofocus - Hunting And Threat Detection",
      "name": "Autofocus - Hunting And Threat Detection",
      "description": "Deprecated. No available replacement. The playbook queries the PANW Autofocus session and samples log data for file and traffic indicators, such as SHA256, SHA1, MD5, IP addresses, URLs, and domains. \n\nA simple search mode queries Autofocus based on the indicators specified in the playbook inputs. Advanced queries can also be used with multiple query parameters, but require all field names, parameters, and operators (JSON format) to be specified. \nWe recommend using the Autofocus UI to create an advanced query, exporting it, and pasting it into the relevant playbook inputs. \n\nNote that multiple search values should be separated by commas only (without spaces or any special characters).",
      "note": "No available replacement.",
      "maintenance_start": "Nov 01, 2025",
      "eol_start": "May 01, 2026"
    },
    {
      "id": "Autofocus - Traffic Indicators Hunting",
      "name": "Autofocus - Traffic Indicators Hunting",
      "description": "Deprecated. No available replacement. The playbook queries the PANW Autofocus session and samples log data for traffic indicators such as URLs, IP addresses, and domains. \n\nA simple search mode queries Autofocus based on the traffic indicators specified in the playbook inputs. Advanced search mode queries can also be used with multiple query parameters, but require all field names, parameters, and operators (JSON format) to be specified. \nWe recommend using the Autofocus UI to create an advanced query, exporting it, and pasting it into the relevant playbook inputs. \n\nNote that multiple search values should be separated by commas only (without spaces or any special characters).",
      "note": "No available replacement.",
      "maintenance_start": "Nov 01, 2025",
      "eol_start": "May 01, 2026"
    },
    {
      "id": "Autofocus Query Samples, Sessions and Tags",
      "name": "Autofocus Query Samples, Sessions and Tags",
      "description": "Deprecated. No available replacement. This playbook is used for querying the PANW threat intelligence Autofocus system. The playbook accepts indicators such as IPs, hashes, and domains to run basic queries or more advanced queries that can leverage several query parameters. To run the more advanced queries, it's recommended to use the Autofocus UI https://autofocus.paloaltonetworks.com/#/dashboard/organization to create a query and then use the export search button. The result can be used as a playbook input.\n\nThe playbook supports searching both the Samples API and the sessions API.",
      "note": "No available replacement.",
      "maintenance_start": "Nov 01, 2025",
      "eol_start": "May 01, 2026"
    },
    {
      "id": "AWS IAM User Access Investigation",
      "name": "AWS IAM User Access Investigation",
      "description": "Deprecated. Use `Cloud IAM User Access Investigation` instead. Investigate and respond to Cortex XSIAM alerts where an AWS IAM user's access key is used suspiciously to access the cloud environment. \nThe following alerts are supported for AWS environments.\n- Penetration testing tool attempt\n- Penetration testing tool activity\n- Suspicious API call from a Tor exit node\n This is a beta playbook, which lets you implement and test pre-release software. Although AWS is supported, we are working towards multi-cloud support. As the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We encourage feedback on the quality and usability of the content to help us identify and fix issues, so we can continually improve the content.\n",
      "note": "Use `Cloud IAM User Access Investigation` instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "AWS IAM User Access Investigation - Remediation",
      "name": "AWS IAM User Access Investigation - Remediation",
      "description": "Deprecated. Use `Cloud IAM User Access Investigation` instead. Respond to Cortex XDR Cloud alerts where an AWS IAM user's access key is used suspiciously to access the cloud environment. \nThe following alerts are supported for AWS environments.\n- Penetration testing tool attempt\n- Penetration testing tool activity\n- Suspicious API call from a Tor exit node\n This is a beta playbook, which lets you implement and test pre-release software. Although AWS is supported, we are working towards multi-cloud support. As the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We encourage your feedback on the quality and usability of the content to help us identify and fix issues, so we can continually improve the content.\n",
      "note": "Use `Cloud IAM User Access Investigation` instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Azure Configuration Analysis",
      "name": "Azure Configuration Analysis",
      "description": "Deprecated. Use 'Office 365 and Azure Configuration Analysis' instead. This playbook helps you collect, review, and find misconfigurations with the Azure environment.",
      "note": "Use 'Office 365 and Azure Configuration Analysis' instead.",
      "maintenance_start": "Sep 01, 2021",
      "eol_start": "Mar 01, 2022"
    },
    {
      "id": "Azure Hunting playbook",
      "name": "Azure Hunting playbook",
      "description": "Deprecated. Use 'Office 365 and Azure Hunting' instead. This playbook enables you to collect and investigate suspicious security events from Azure AD environment.",
      "note": "Use 'Office 365 and Azure Hunting' instead.",
      "maintenance_start": "Sep 01, 2021",
      "eol_start": "Mar 01, 2022"
    },
    {
      "id": "Azure-DevOps-Pipeline-Run",
      "name": "Azure-DevOps-Pipeline-Run",
      "description": "Deprecated. Use azure-devops-pipeline-run command instead.",
      "note": "Use azure-devops-pipeline-run command instead.",
      "maintenance_start": "Jan 01, 2024",
      "eol_start": "Jul 01, 2024"
    },
    {
      "id": "Block Account - Generic",
      "name": "Block Account - Generic",
      "description": "Deprecated. Use 'Block Account - Generic v2' instead. This playbook blocks malicious usernames using all integrations that you have enabled.\n\nSupported integrations for this playbook:\n* Active Directory\n* PAN-OS - This requires PAN-OS 9.1 or higher.",
      "note": "Use 'Block Account - Generic v2' instead.",
      "maintenance_start": "May 01, 2025",
      "eol_start": "Nov 01, 2025"
    },
    {
      "id": "Block Domain - Generic",
      "name": "Block Domain - Generic",
      "description": "Deprecated. Use 'Block Domain - Generic v2' instead. This playbook blocks malicious Domains using all integrations that are enabled.\n\nSupported integrations for this playbook:\n* Zscaler\n* Symantec Messaging Gateway\n* FireEye EX\n* Trend Micro Apex One\n* Proofpoint Threat Response",
      "note": "Use 'Block Domain - Generic v2' instead.",
      "maintenance_start": "Nov 01, 2023",
      "eol_start": "May 01, 2024"
    },
    {
      "id": "Block Email - Generic",
      "name": "Block Email - Generic",
      "description": "Deprecated. Use 'Block Email - Generic v2' instead. This playbook will block emails at your mail relay integration.",
      "note": "Use 'Block Email - Generic v2' instead.",
      "maintenance_start": "May 01, 2025",
      "eol_start": "Nov 01, 2025"
    },
    {
      "id": "Block Endpoint - Carbon Black Response",
      "name": "Block Endpoint - Carbon Black Response",
      "description": "Deprecated. Use the `Block Endpoint - Carbon Black Response V2.1` playbook instead. Carbon Black Response - isolate an endpoint, given a hostname.",
      "note": "Use the `Block Endpoint - Carbon Black Response V2.1` playbook instead.",
      "maintenance_start": "Jul 01, 2023",
      "eol_start": "Jan 01, 2024"
    },
    {
      "id": "Block Endpoint - Carbon Black Response V2",
      "name": "Block Endpoint - Carbon Black Response V2",
      "description": "Deprecated. Use the `Block Endpoint - Carbon Black Response V2.1` playbook instead. Carbon Black Response - isolates an endpoint for a given hostname.",
      "note": "Use the `Block Endpoint - Carbon Black Response V2.1` playbook instead.",
      "maintenance_start": "Jul 01, 2023",
      "eol_start": "Jan 01, 2024"
    },
    {
      "id": "Block File - Generic",
      "name": "Block File - Generic",
      "description": "Deprecated. Use \"Block File - Generic v2\" playbook instead. A generic playbook for blocking files from running on endpoints. This playbook currently supports Carbon Black Enterprise Response.",
      "note": "Use \"Block File - Generic v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Block Indicators - Generic",
      "name": "Block Indicators - Generic",
      "description": "Deprecated. We recommend using the 'Block Indicators - Generic v2' playbook instead.\nThis playbook blocks malicious indicators using all integrations that are enabled.\n\nSupported integrations for this playbook:\n* Active Directory\n* Check Point Firewall\n* Palo Alto Networks Minemeld\n* Palo Alto Networks Panorama\n* Zscaler\n* Carbon Black Enterprise Response\n",
      "note": "We recommend using the 'Block Indicators - Generic v2' playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Block Indicators - Generic v2",
      "name": "Block Indicators - Generic v2",
      "description": "Deprecated. Use the `Block Indicators - Generic V3` playbook instead.\nThis playbook blocks malicious Indicators using all integrations that are enabled, using the following sub-playbooks:\n\n- Block URL - Generic\n- Block Account - Generic\n- Block IP - Generic v2\n- Block File - Generic v2\n- Block Email - Generic\n- Block Domain - Generic\n\n",
      "note": "Use the `Block Indicators - Generic V3` playbook instead.",
      "maintenance_start": "Aug 01, 2023",
      "eol_start": "Feb 01, 2024"
    },
    {
      "id": "Block IOCs from CSV - External Dynamic List",
      "name": "Block IOCs from CSV - External Dynamic List",
      "description": "Deprecated. Use Generic Export Indicators Service instead.",
      "note": "Use Generic Export Indicators Service instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "Block IP - Generic",
      "name": "Block IP - Generic",
      "description": "Deprecated. Use \"Block IP - Generic v2\" playbook instead. This playbook blocks malicious IPs using all integrations that you have enabled.\n\nSupported integrations for this playbook:\n* Check Point Firewall\n* Palo Alto Networks Minemeld\n* Palo Alto Networks Panorama\n* Zscaler",
      "note": "Use \"Block IP - Generic v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Block IP - Generic v2",
      "name": "Block IP - Generic v2",
      "description": "Deprecated. Use the `Block IP - Generic v3` playbook instead. \nThis playbook blocks malicious IPs using all integrations that are enabled.\n\nSupported integrations for this playbook:\n* Check Point Firewall\n* Palo Alto Networks Minemeld\n* Palo Alto Networks PAN-OS\n* Zscaler\n* FortiGate",
      "note": "Use the `Block IP - Generic v3` playbook instead.",
      "maintenance_start": "Jul 01, 2023",
      "eol_start": "Jan 01, 2024"
    },
    {
      "id": "Block URL - Generic",
      "name": "Block URL - Generic",
      "description": "Deprecated. Use 'Block URL - Generic v2' instead.",
      "note": "Use 'Block URL - Generic v2' instead.",
      "maintenance_start": "May 01, 2025",
      "eol_start": "Nov 01, 2025"
    },
    {
      "id": "Calculate Severity - Critical assets",
      "name": "Calculate Severity - Critical assets",
      "description": "Deprecated. Use Calculate Severity - Critical Assets v2 playbook instead. Determines if a critical asset is associated with the investigation. The playbook returns a severity level of \"Critical\" if a critical asset is associated with the investigation.\n\nThis playbook verifies if a user account or an endpoint is part of a critical list or a critical AD group.",
      "note": "Use Calculate Severity - Critical Assets v2 playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Calculate Severity - Generic",
      "name": "Calculate Severity - Generic",
      "description": "Deprecated. Use \"Calculate Severity - Generic v2\" playbook instead. Calculates and assigns the incident severity based on the highest returned severity level from the following severity calculations:\n\n* Indicators DBotScore - Calculates the incident severity level according to the highest indicator DBotScore.\n* Critical assets - Determines if a critical asset is associated with the investigation.\n* 3rd-party integrations - Calculates the incident severity level according to the methodology of a 3rd-party integration.\n\nNOTE: the new severity level overwrites the previous severity level even if the previous severity level was more severe.",
      "note": "Use \"Calculate Severity - Generic v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Carbon Black EDR Search Process",
      "name": "Carbon Black EDR Search Process",
      "description": "Deprecated. Use 'cb-eedr-process-search' command instead.\nThis playbook implements polling by continuously running the `cb-eedr-process-search-results` command\nuntil the operation completes.",
      "note": "Use 'cb-eedr-process-search' command instead.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "Carbon Black Rapid IOC Hunting",
      "name": "Carbon Black Rapid IOC Hunting",
      "description": "Deprecated. Use \"Search Endpoints By Hash - Carbon Black Response V2\" playbook instead. Hunt for malicious indicators using Carbon Black",
      "note": "Use \"Search Endpoints By Hash - Carbon Black Response V2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Check WebEx Feed",
      "name": "Check WebEx Feed",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "Checkpoint Firewall Configuration Backup Playbook",
      "name": "Checkpoint Firewall Configuration Backup Playbook",
      "description": "Deprecated. Triggers a backup task on each firewall appliance and pulls the resulting file into the war room via SCP.",
      "note": "",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Comprehensive PAN-OS Best Practice Assessment (Deprecated)",
      "name": "Comprehensive PAN-OS Best Practice Assessment",
      "description": "Deprecated. Use Palo Alto Networks AIops instead, run aiops-bpa-report-generate command.",
      "note": "Use Palo Alto Networks AIops instead, run aiops-bpa-report-generate command.",
      "maintenance_start": "May 01, 2024",
      "eol_start": "Nov 01, 2024"
    },
    {
      "id": "Cortex ASM - CMDB Enrichment",
      "name": "Cortex ASM - CMDB Enrichment",
      "description": "Deprecated. No available replacement. This playbook will look up a CI in ServiceNow CMDB by IP.",
      "note": "No available replacement.",
      "maintenance_start": "Dec 01, 2022",
      "eol_start": "Jun 01, 2023"
    },
    {
      "id": "Cortex ASM - Decision",
      "name": "Cortex ASM - Decision",
      "description": "Deprecated. No available replacement. This playbook returns \"RemediationAction\" options based on meeting \"Automated Remediation Requirements\" (https://github.com/demisto/content/tree/master/Packs/CortexAttackSurfaceManagement#automated-remediation-requirements) as well as whether ServiceNowV2 integration is set up.  Possible return values are:\n- Prompt base - data collection task with only email/manual options.\n- Prompt all options - data collection task with all options (meets Automated Remediation requirements and ServiceNow is enabled).\n- Prompt no snow - all options except ServiceNow (Automated Remediation requirements are met).\n- Prompt no ar - all options except Automated Remediation (ServiceNow is enabled).",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2023",
      "eol_start": "Feb 01, 2024"
    },
    {
      "id": "Cortex ASM - Extract IP Indicator",
      "name": "Cortex ASM - Extract IP Indicator",
      "description": "Deprecated. No available replacement. Identifies IPv4 Address associated with Alert and creates a new Indicator.",
      "note": "No available replacement.",
      "maintenance_start": "Dec 01, 2022",
      "eol_start": "Jun 01, 2023"
    },
    {
      "id": "Cortex ASM - SNMP Check",
      "name": "Cortex ASM - SNMP Check",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Jul 01, 2023",
      "eol_start": "Jan 01, 2024"
    },
    {
      "id": "Cortex ASM - Vulnerability Management Enrichment",
      "name": "Cortex ASM - Vulnerability Management Enrichment",
      "description": "Deprecated. No available replacement. This playbook will look up an IP address in Tenable.io or Rapid7 InsightVM.",
      "note": "No available replacement.",
      "maintenance_start": "Dec 01, 2022",
      "eol_start": "Jun 01, 2023"
    },
    {
      "id": "Cortex EM - Remediation",
      "name": "Cortex EM - Remediation",
      "description": "Deprecated. Use Cortex EM - AWS VM Exposure Remediation instead.",
      "note": "Use Cortex EM - AWS VM Exposure Remediation instead.",
      "maintenance_start": "Jun 01, 2026",
      "eol_start": "Dec 01, 2026"
    },
    {
      "id": "Cortex XDR - AWS IAM user access investigation",
      "name": "Cortex XDR - AWS IAM user access investigation",
      "description": "Deprecated. Use `Cortex XDR - Cloud IAM User Access Investigation` instead. Investigate and respond to Cortex XDR Cloud alerts where an AWS IAM user's access key is used suspiciously to access the cloud environment. \nThe following alerts are supported for AWS environments.\n- Penetration testing tool attempt\n- Penetration testing tool activity\n- Suspicious API call from a Tor exit node\n This is a beta playbook, which lets you implement and test pre-release software. At the moment we support AWS but are working towards multi-cloud support. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the content to help us identify issues, fix them, and continually improve.\n",
      "note": "Use `Cortex XDR - Cloud IAM User Access Investigation` instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Cortex XDR - check file existence",
      "name": "Cortex XDR - check file existence",
      "description": "Deprecated. Use `xdr-file-exist-script-execute` command instead. Initiates a new endpoint script execution to check if the file exists and retrieve the results.\n",
      "note": "Use `xdr-file-exist-script-execute` command instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "Cortex XDR - delete file",
      "name": "Cortex XDR - delete file",
      "description": "Deprecated. Use the `xdr-file-delete-script-execute` command instead. Initiates a new endpoint script execution to delete the specified file and retrieve the results.",
      "note": "Use the `xdr-file-delete-script-execute` command instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "Cortex XDR - Execute commands",
      "name": "Cortex XDR - Execute commands",
      "description": "Deprecated. Use the `xdr-script-commands-execute` command instead. Initiates a new script execution of shell commands.",
      "note": "Use the `xdr-script-commands-execute` command instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "Cortex XDR - Execute snippet code script",
      "name": "Cortex XDR - Execute snippet code script",
      "description": "Deprecated. Use the `xdr-snippet-code-script-execute` command instead. Initiates a new endpoint script execution action using the provided snippet code and retrieves the file results.",
      "note": "Use the `xdr-snippet-code-script-execute` command instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "Cortex XDR - First SSO Access",
      "name": "Cortex XDR - First SSO Access",
      "description": "Deprecated. Use `Cortex XDR - Identity Analytics` instead.\nInvestigates a Cortex XDR incident containing First SSO access from ASN in organization\n or First successful SSO connection from a country in organization.\n\nThe playbook executes the following:\n- IP and User Enrichment.\n- User Investigation - Using 'User Investigation - Generic' sub-playbook.\n- Set alert's verdict - Using 'Cortex XDR - First SSO access - Set Verdict' sub-playbook.\n- Response based on the verdict.\n\nThe playbook is used as a sub-playbook in \u2018Cortex XDR Incident Handling - v3\u2019.",
      "note": "Use `Cortex XDR - Identity Analytics` instead.",
      "maintenance_start": "Apr 01, 2024",
      "eol_start": "Oct 01, 2024"
    },
    {
      "id": "Cortex XDR - First SSO Access - Set Verdict",
      "name": "Cortex XDR - First SSO Access - Set Verdict",
      "description": "Deprecated. Use `Cortex XDR - Identity Analytics` instead.\nThis playbook determines the alert\u2019s verdict based on the results of multiple checks.\nBy default, if at least two of the checks' results are true, the verdict is set to malicious.\nelse if only one check's results are true, the verdict is set to suspicious.\nIf none of the conditions is true, the verdict is set to non-malicious.\nIt is possible to change the threshold value of the inputs to change the sensitivity of the verdict.",
      "note": "Use `Cortex XDR - Identity Analytics` instead.",
      "maintenance_start": "Apr 01, 2024",
      "eol_start": "Oct 01, 2024"
    },
    {
      "id": "Cortex XDR - kill process",
      "name": "Cortex XDR - kill process",
      "description": "Deprecated. Use the `xdr-kill-process-script-execute` command instead. Initiates a new endpoint script execution kill process and retrieves the results.",
      "note": "Use the `xdr-kill-process-script-execute` command instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "Cortex XDR - Port Scan",
      "name": "Cortex XDR - Port Scan",
      "description": "Deprecated. Use the Cortex XDR - Port Scan - Adjusted playbook instead.\nInvestigates a Cortex XDR incident containing internal port scan alerts. The playbook:\n- Syncs data with Cortex XDR\n- Enriches the hostname and IP address of the attacking endpoint\n- Notifies management about host compromise\n- Escalates the incident in case of lateral movement alert detection\n- Hunts malware associated with the alerts across the organization\n- Blocks detected malware associated with the incident\n- Blocks IPs associated with the malware\n- Isolates the attacking endpoint\n- Allows manual blocking of ports that were used for host login following the port scan",
      "note": "Use the Cortex XDR - Port Scan - Adjusted playbook instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "Cortex XDR - quarantine file",
      "name": "Cortex XDR - quarantine file",
      "description": "Deprecated. Use Cortex XDR - quarantine file v2 instead.",
      "note": "Use Cortex XDR - quarantine file v2 instead.",
      "maintenance_start": "Dec 01, 2023",
      "eol_start": "Jun 01, 2024"
    },
    {
      "id": "Cortex XDR - Retrieve File Playbook",
      "name": "Cortex XDR - Retrieve File Playbook",
      "description": "Deprecated. Use Cortex XDR - Retrieve File Playbook v2 instead.",
      "note": "Use Cortex XDR - Retrieve File Playbook v2 instead.",
      "maintenance_start": "Dec 01, 2023",
      "eol_start": "Jun 01, 2024"
    },
    {
      "id": "Cortex XDR - Run script",
      "name": "Cortex XDR - Run script",
      "description": "Deprecated. Use the `xdr-script-run` command instead. Initiates a new endpoint script execution action using a provided script unique id from Cortex XDR script library.",
      "note": "Use the `xdr-script-run` command instead.",
      "maintenance_start": "Jan 01, 2025",
      "eol_start": "Jul 01, 2025"
    },
    {
      "id": "Cortex XDR Alerts Handling",
      "name": "Cortex XDR Alerts Handling",
      "description": "Deprecated. Use Cortex XDR - Alerts Handling v2 instead. When using the v2 version, enabling globally shared context for that playbook is required because outputs are no longer declared.",
      "note": "Use Cortex XDR - Alerts Handling v2 instead.",
      "maintenance_start": "Jan 01, 2024",
      "eol_start": "Jul 01, 2024"
    },
    {
      "id": "Cortex XDR Incident Handling",
      "name": "Cortex XDR Incident Handling",
      "description": "Deprecated. Use `Cortex XDR incident handling v3` instead. This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. \nThe playbook syncs and updates new XDR alerts that construct the incident. It enriches indicators using Threat Intelligence integrations and Palo Alto Networks AutoFocus. The incident's severity is then updated based on the indicators reputation and an analyst is assigned for manual investigation. If chosen, automated remediation with Palo Alto Networks FireWall is initiated. After a manual review by the SOC analyst, the XDR incident is closed automatically.\n\n*** Note - The XDRSyncScript used by this playbook sets data in the XDR incident fields that were released to content from the Demisto server version 5.0.0.\nFor Demisto versions under 5.0.0, please follow the 'Palo Alto Networks Cortex XDR' documentation to upload the new fields manually.",
      "note": "Use `Cortex XDR incident handling v3` instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Cortex XDR incident handling v2",
      "name": "Cortex XDR incident handling v2",
      "description": "Deprecated. Use `Cortex XDR incident handling v3` instead. This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident.\nThe playbook syncs and updates new XDR alerts that construct the incident and triggers a sub-playbook to handle each alert by type.\nThen, the playbook performs enrichment on the incident's indicators and hunting for related IOCs.\nBased on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive. \nAfter the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation.",
      "note": "Use `Cortex XDR incident handling v3` instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Cortex XDR Incident Sync",
      "name": "Cortex XDR Incident Sync",
      "description": "Deprecated. No available replacement. Compares incidents in Palo Alto Networks Cortex XDR and Cortex XSOAR, and updates the incidents appropriately. When an incident is updated in Cortex XSOAR, the XDRSyncScript will update the incident in XDR. When an incident is updated in XDR, the XDRSyncScript will update the incident fields in Cortex XSOAR and rerun the current playbook. Do not use this playbook when enabling the incident mirroring feature added in XSOAR version 6.0.0.",
      "note": "No available replacement.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "CrowdStrike Endpoint Enrichment",
      "name": "CrowdStrike Endpoint Enrichment",
      "description": "Deprecated. Use CrowdStrike Falcon instead.",
      "note": "Use CrowdStrike Falcon instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "CrowdStrike Falcon Sandbox - Detonate file",
      "name": "CrowdStrike Falcon Sandbox - Detonate file",
      "description": "Deprecated. Use the cs-falcon-sandbox-submit-file command with polling=true instead.",
      "note": "Use the cs-falcon-sandbox-submit-file command with polling=true instead.",
      "maintenance_start": "Mar 01, 2022",
      "eol_start": "Sep 01, 2022"
    },
    {
      "id": "CrowdStrike Rapid IOC Hunting",
      "name": "CrowdStrike Rapid IOC Hunting",
      "description": "Deprecated. Use \"CrowdStrike Rapid IOC Hunting v2\" playbook instead. Hunt for endpoint activity involving hash and domain IOCs, using Crowdstrike Falcon Host.\\nAlso use AnalystEmail label to determine where to send an email alert if something is found.",
      "note": "Use \"CrowdStrike Rapid IOC Hunting v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "CrowdStrike Rapid IOC Hunting v2",
      "name": "CrowdStrike Rapid IOC Hunting v2",
      "description": "Deprecated. Use CrowdStrike Falcon instead.",
      "note": "Use CrowdStrike Falcon instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "CVE Enrichment - Generic",
      "name": "CVE Enrichment - Generic",
      "description": "Deprecated. Use \"CVE Enrichment - Generic v2\" playbook instead. Enrich CVE using one or more integrations.",
      "note": "Use \"CVE Enrichment - Generic v2\" playbook instead.",
      "maintenance_start": "Feb 01, 2023",
      "eol_start": "Aug 01, 2023"
    },
    {
      "id": "DBot Create Phishing Classifier",
      "name": "DBot Create Phishing Classifier",
      "description": "Deprecated. Use \"DBot Create Phishing Classifier V2\" playbook instead. Create a phishing classifier using machine learning technique, based on email content",
      "note": "Use \"DBot Create Phishing Classifier V2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "DBot Create Phishing Classifier Job",
      "name": "DBot Create Phishing Classifier Job",
      "description": "Deprecated. Use \"DBot Create Phishing Classifier V2\" playbook instead. Train the phishing machine learning model. This playbook should be used as job, to run repeatedly, for example every week.",
      "note": "Use \"DBot Create Phishing Classifier V2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Dedup - Generic",
      "name": "Dedup - Generic",
      "description": "Deprecated. Use \"Dedup - Generic v2\" playbook instead. This playbook identifies duplicate incidents using one of the supported methods.",
      "note": "Use \"Dedup - Generic v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Dedup - Generic v2",
      "name": "Dedup - Generic v2",
      "description": "Deprecated. Use the Dedup Generic v3 playbook instead. This playbook identifies duplicate incidents using one of the supported methods.",
      "note": "Use the Dedup Generic v3 playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Dedup - Generic v3",
      "name": "Dedup - Generic v3",
      "description": "Deprecated. Use the `Dedup - Generic v4` playbook instead. This playbook identifies duplicate incidents using one of the supported methods.\nSelect one of the following methods to identify duplicate incidents in Cortex XSOAR.\n- ml: Machine learning model, which is trained mostly on phishing incidents.\n-rules: Rules help identify duplicate incidents when the logic is well defined, for example, the same label or custom fields.\n-text: Statistics algorithm that compares text, which is generally useful for phishing incidents.\nFor each method, the playbook will search for the oldest similar incident. when there is a match for a similar incident the playbook will close the current incident and will link it to the older incident. ",
      "note": "Use the `Dedup - Generic v4` playbook instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "DeDup incidents",
      "name": "DeDup incidents",
      "description": "Deprecated. Check for duplicate incidents for the current incident, and close it if any duplicate has found.\n",
      "note": "",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "DeDup incidents - ML",
      "name": "DeDup incidents - ML",
      "description": "Deprecated. Check for duplicate incidents for the current incident, and close it if any duplicate has been found by machine-learning  find duplicates automation.",
      "note": "",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Demisto Self-Defense - Account policy monitoring playbook",
      "name": "Demisto Self-Defense - Account policy monitoring playbook",
      "description": "Deprecated. Get list of Demisto users through the REST API, and alert if any non-SAML user accounts are found.",
      "note": "",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Detonate and Analyze File - JoeSecurity",
      "name": "Detonate and Analyze File - JoeSecurity",
      "description": "Deprecated. Use the joe-submit-sample command instead.",
      "note": "Use the joe-submit-sample command instead.",
      "maintenance_start": "Dec 01, 2022",
      "eol_start": "Jun 01, 2023"
    },
    {
      "id": "Detonate File - CrowdStrike Falcon Intelligence Sandbox",
      "name": "Detonate File - CrowdStrike Falcon Intelligence Sandbox",
      "description": "Deprecated. Use Detonate File - CrowdStrike Falcon Intelligence Sandbox v2 instead.",
      "note": "Use Detonate File - CrowdStrike Falcon Intelligence Sandbox v2 instead.",
      "maintenance_start": "Jan 01, 2024",
      "eol_start": "Jul 01, 2024"
    },
    {
      "id": "Detonate File - FortiSandbox",
      "name": "Detonate File - FortiSandbox",
      "description": "Main playbook to upload submissions to FortiSandbox, poll for verdict. Deprecated. Use `fortisandbox-submission-file-upload` instead. and retrieve report",
      "note": "Use `fortisandbox-submission-file-upload` instead.",
      "maintenance_start": "May 01, 2024",
      "eol_start": "Nov 01, 2024"
    },
    {
      "id": "Detonate File - HybridAnalysis",
      "name": "Detonate File - HybridAnalysis",
      "description": "Deprecated. Use cs-falcon-sandbox-submit-sample with polling=true instead.",
      "note": "Use cs-falcon-sandbox-submit-sample with polling=true instead.",
      "maintenance_start": "Sep 01, 2022",
      "eol_start": "Mar 01, 2023"
    },
    {
      "id": "Detonate File - JoeSecurity",
      "name": "Detonate File - JoeSecurity",
      "description": "Deprecated. Use the joe-submit-sample command instead.",
      "note": "Use the joe-submit-sample command instead.",
      "maintenance_start": "Dec 01, 2022",
      "eol_start": "Jun 01, 2023"
    },
    {
      "id": "Detonate File - SNDBOX",
      "name": "Detonate File - SNDBOX",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "Detonate File - ThreatGrid",
      "name": "Detonate File - ThreatGrid",
      "description": "Deprecated. Use Detonate File - ThreatGrid v2 instead.",
      "note": "Use Detonate File - ThreatGrid v2 instead.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "Detonate File From URL - JoeSecurity",
      "name": "Detonate File From URL - JoeSecurity",
      "description": "Deprecated. Use the joe-submit-sample command instead.",
      "note": "Use the joe-submit-sample command instead.",
      "maintenance_start": "Dec 01, 2022",
      "eol_start": "Jun 01, 2023"
    },
    {
      "id": "Detonate File From URL - WildFire",
      "name": "Detonate File From URL - WildFire",
      "description": "Deprecated. Use Detonate File From URL - WildFire v2 instead.",
      "note": "Use Detonate File From URL - WildFire v2 instead.",
      "maintenance_start": "Dec 01, 2023",
      "eol_start": "Jun 01, 2024"
    },
    {
      "id": "Detonate URL - CrowdStrike",
      "name": "Detonate URL - CrowdStrike",
      "description": "Deprecated. Use the cs-falcon-sandbox-submit-url command with polling=true instead.",
      "note": "Use the cs-falcon-sandbox-submit-url command with polling=true instead.",
      "maintenance_start": "Mar 01, 2022",
      "eol_start": "Sep 01, 2022"
    },
    {
      "id": "Detonate URL - CrowdStrike Falcon Intelligence Sandbox",
      "name": "Detonate URL - CrowdStrike Falcon Intelligence Sandbox",
      "description": "Deprecated. Use Detonate URL - CrowdStrike Falcon Intelligence Sandbox v2 instead.",
      "note": "Use Detonate URL - CrowdStrike Falcon Intelligence Sandbox v2 instead.",
      "maintenance_start": "Jan 01, 2024",
      "eol_start": "Jul 01, 2024"
    },
    {
      "id": "Detonate URL - Generic",
      "name": "Detonate URL - Generic",
      "description": "Deprecated. Use Detonate URL - Generic v1.5 playbook instead. Detonate URL through active integrations that support URL detonation.",
      "note": "Use Detonate URL - Generic v1.5 playbook instead.",
      "maintenance_start": "Aug 01, 2023",
      "eol_start": "Feb 01, 2024"
    },
    {
      "id": "Detonate URL - Hybrid Analysis",
      "name": "Detonate URL - Hybrid Analysis",
      "description": "Deprecated. Use cs-falcon-sandbox-submit-url with polling=true instead.",
      "note": "Use cs-falcon-sandbox-submit-url with polling=true instead.",
      "maintenance_start": "Sep 01, 2022",
      "eol_start": "Mar 01, 2023"
    },
    {
      "id": "Detonate URL - JoeSecurity",
      "name": "Detonate URL - JoeSecurity",
      "description": "Deprecated. Use the joe-submit-url command instead.",
      "note": "Use the joe-submit-url command instead.",
      "maintenance_start": "Aug 01, 2023",
      "eol_start": "Feb 01, 2024"
    },
    {
      "id": "Detonate URL - ThreatGrid",
      "name": "Detonate URL - ThreatGrid",
      "description": "Deprecated. Use Detonate URL - ThreatGrid v2 instead.",
      "note": "Use Detonate URL - ThreatGrid v2 instead.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "Detonate URL - WildFire v2.1",
      "name": "Detonate URL - WildFire v2.1",
      "description": "Deprecated. Use Detonate URL - WildFire v2.2 instead.",
      "note": "Use Detonate URL - WildFire v2.2 instead.",
      "maintenance_start": "Dec 01, 2023",
      "eol_start": "Jun 01, 2024"
    },
    {
      "id": "Detonate URL - WildFire-v2",
      "name": "Detonate URL - WildFire-v2",
      "description": "Deprecated. Use Detonate URL - WildFire v2.2 instead.",
      "note": "Use Detonate URL - WildFire v2.2 instead.",
      "maintenance_start": "Dec 01, 2023",
      "eol_start": "Jun 01, 2024"
    },
    {
      "id": "Domain Enrichment - Generic",
      "name": "Domain Enrichment - Generic",
      "description": "Deprecated. Use \"Domain Enrichment - Generic v2\" playbook instead. Enrich Domain using one or more integrations.\nDomain enrichment includes:\n* Domain reputation\n* Threat information",
      "note": "Use \"Domain Enrichment - Generic v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Email Address Enrichment - Generic",
      "name": "Email Address Enrichment - Generic",
      "description": "Deprecated. Use \"Email Address Enrichment - Generic v2.1\" playbook instead. Get email address reputation using one or more integrations",
      "note": "Use \"Email Address Enrichment - Generic v2.1\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Email Address Enrichment - Generic v2",
      "name": "Email Address Enrichment - Generic v2",
      "description": "Deprecated. Use \"Email Address Enrichment - Generic v2.1\" playbook instead. Enrich email addresses.  Email address enrichment involves:\n- Getting information from Active Directory for internal addresses\n- Getting the domain-squatting reputation for external addresses",
      "note": "Use \"Email Address Enrichment - Generic v2.1\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Endpoint data collection",
      "name": "Endpoint data collection",
      "description": "Deprecated. Generic playbook to collect data from endpoints for IR purposes. Will use whichever integrations are configured and available.",
      "note": "",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Endpoint Enrichment - Generic",
      "name": "Endpoint Enrichment - Generic",
      "description": "Deprecated. Use \"Endpoint Enrichment - Generic v2.1\" playbook instead. Enrich an Endpoint Hostname using one or more integrations",
      "note": "Use \"Endpoint Enrichment - Generic v2.1\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Endpoint Enrichment - Generic v2",
      "name": "Endpoint Enrichment - Generic v2",
      "description": "Deprecated. Use \"Endpoint Enrichment - Generic v2.1\" playbook instead. Enrich an endpoint by hostname using one or more integrations.\nCurrently, the following integrations are supported:\n- Active Directory\n- McAfee ePolicy Orchestrator\n- Carbon Black Enterprise Response\n- Cylance Protect\n- CrowdStrike Falcon Host",
      "note": "Use \"Endpoint Enrichment - Generic v2.1\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Endpoint Malware Investigation - Generic",
      "name": "Endpoint Malware Investigation - Generic",
      "description": "Deprecated. Use 'Malware Investigation & Response Incident handler' instead. (From the 'Malware Investigation And Response Pack')\nThis playbook is triggered by a malware incident from an 'Endpoint' type integration. The playbook performs enrichment, detonation, and hunting within the organization, and remediation on the malware.\nUsed sub-playbooks:\n- Endpoint Enrichment - Generic v2.1\n- Retrieve File from Endpoint - Generic\n- Detonate File - Generic\n- File Enrichment - Generic v2\n- Calculate Severity - Generic v2\n- Isolate Endpoint - Generic\n- Block Indicators - Generic v2",
      "note": "Use 'Malware Investigation & Response Incident handler' instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "Endpoint Malware Investigation - Generic V2",
      "name": "Endpoint Malware Investigation - Generic V2",
      "description": "Deprecated. Use 'Malware Investigation & Response Incident handler' instead. (From the 'Malware Investigation And Response Pack')\n\n\n This playbook provides a framework for handling malware investigation through all essential steps. The playbook consists of 7 stages. Each stage contains the relevant playbook or tasks. \nThis playbook auto extracts indicators from incidents using indicator extraction rules of the malware incident type.\nTo use Illusive integration in the `Forensics - Generic` playbook,  note that you will be able to set the forensic timeline by editing the `Forensics - Generic` playbook inputs.  \n    ",
      "note": "Use 'Malware Investigation & Response Incident handler' instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "Enrich DXL with ATD verdict",
      "name": "Enrich DXL with ATD verdict",
      "description": "Deprecated. Use \"Enrich DXL with ATD verdict v2\" playbook instead. Example of using McAfee ATD and pushing any malicious verdicts over DXL.\nDetonates a file in ATD and if malicious - push its MD5, SHA1 and SHA256 hashes to McAfee DXL.",
      "note": "Use \"Enrich DXL with ATD verdict v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Enrich McAfee DXL using 3rd party sandbox",
      "name": "Enrich McAfee DXL using 3rd party sandbox",
      "description": "Deprecated. Use \"Enrich McAfee DXL using 3rd party sandbox v2\" playbook instead. Example of bridging DXL to a third party sandbox.\nDetonate a file in Wildfire and if malicious - push its MD5, SHA1 and SHA256 hashes to McAfee DXL.",
      "note": "Use \"Enrich McAfee DXL using 3rd party sandbox v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Enrichment Playbook",
      "name": "Enrichment Playbook",
      "description": "Deprecated. We recommend using Entity Enrichment - Generic playbook instead. Enrich data with reputation. Data is expected to be found in the standard locations like File, URL, IP.",
      "note": "We recommend using Entity Enrichment - Generic playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Entity Enrichment - Generic",
      "name": "Entity Enrichment - Generic",
      "description": "Deprecated. Use \"Entity Enrichment - Generic v3\" playbook instead. Enrich entities using one or more integrations",
      "note": "Use \"Entity Enrichment - Generic v3\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Expanse Attribution",
      "name": "Expanse Attribution",
      "description": "Deprecated. No available replacement.\nSubplaybook for Handle Expanse Incident playbooks. Given an Expanse Issue IP, Issue Provider, Issue Domain,\nIssue Port and Issue Protocol hunts for internal activity related to the detected service.\nThe playbook looks for logs on Splunk, Cortex Data Lake, Panorama, and ServiceNow CMDB.\nReturns a list of potential owner BUs, owner Users, Device and Notes.\n",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "Expanse Enrich Cloud Assets",
      "name": "Expanse Enrich Cloud Assets",
      "description": "Deprecated. No available replacement.\nSubplaybook for Handle Expanse Incident playbooks.\nThis Playbook is meant to be used as a subplaybook to enrich Public Cloud Assets (i.e. IP addresses and FQDNs) by:\n- Searching the corresponding Region and Service by correlating the provided IPs with IP range feeds retrieved from Public Cloud Providers (require TIM and Public Cloud feeds such as AWS Feed integrations to be enabled).\n- Searching IPs and FQDNs in Prisma Cloud inventory (requires Prisma Cloud).",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "Expanse Find Cloud IP Address Region and Service",
      "name": "Expanse Find Cloud IP Address Region and Service",
      "description": "Deprecated. No available replacement. > Sub-playbook for Expanse Enrich Cloud Assets sub-playbook. This playbook is used to find the corresponding Public Cloud Region (i.e. AWS us-east-1) and Service (i.e. AWS EC2) for a provided IP Address. It works by correlating the provided IP address with the IP Range Indicators (CIDRs) that can be collected from Public Cloud feeds (i.e. AWS Feed) in XSOAR. CIDR Indicators must be tagged properly using the corresponding tags (i.e. AWS for AWS Feed): tags can be configured in the Feed Integrations and must match the ones provided in the inputs of this playbook. Correlation is done based on the longest match (i.e. smaller CIDR such as /20 range wins over a bigger one such as /16).",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "Expanse Load-Create List",
      "name": "Expanse Load-Create List",
      "description": "Deprecated. No available replacement.\nSub-playbook to support Expanse Handle Incident playbook.\nLoads a list to be used in the Expanse playbook.\nCreates the list if it does not exist.\n",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "Expanse Unmanaged Cloud",
      "name": "Expanse Unmanaged Cloud",
      "description": "Deprecated. No available replacement.\nSubplaybook for bringing rogue cloud accounts under management.\n",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "Expanse VM Enrich",
      "name": "Expanse VM Enrich",
      "description": "Deprecated. No available replacement.\nThis Playbook is used to verify that all assets found by Expanse are being scanned by a vulnerability management tool by:\n- Searching the IP and / or domain of the identified Expanse asset in the vulnerability management tool\nThis playbook expects an incident with an IP or a Domain to exist in the context.\n",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "Extract and Enrich Expanse Indicators",
      "name": "Extract and Enrich Expanse Indicators",
      "description": "  Deprecated. No available replacement.\n  Subplaybook for Handle Expanse Incident playbooks.\n  Extract and Enrich Indicators (CIDRs, IPs, Certificates, Domains and DomainGlobs) from Expanse Incidents.\n  Enrichment is performed via enrichIndicators command and generic playbooks.\n  Returns the enriched indicators. ",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "Extract Indicators - Generic",
      "name": "Extract Indicators - Generic",
      "description": "Deprecated. We recommend using extractIndicators command instead.\nExtract indicators from input data.",
      "note": "We recommend using extractIndicators command instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Extract Indicators From File - Generic",
      "name": "Extract Indicators From File - Generic",
      "description": "Deprecated. Use the \"Extract Indicators From File - Generic v2\" playbook instead.\\\n\\ Extracts indicators from a file.\nSupported file types:\n- PDF\n- TXT\n- HTM, HTML\n- DOC, DOCX",
      "note": "Use the \"Extract Indicators From File - Generic v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "ExtraHop - Ticket Tracking",
      "name": "ExtraHop - Ticket Tracking",
      "description": "Deprecated. Use the \"ExtraHop - Ticket Tracking v2\" playbook instead.\\ \\ Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes.",
      "note": "Use the \"ExtraHop - Ticket Tracking v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Failed Login Playbook - Slack v2",
      "name": "Failed Login Playbook - Slack v2",
      "description": "Deprecated. Use the Slack - General Failed Logins v2.1 playbook. When there are three failed login attempts to Demisto that originate from the same user ID, a direct message is sent to the user on Slack requesting that they confirm the activity. If the reply is \"no\", then the incident severity is set to \"high\". If the reply is \"yes\", then another direct message is sent to the user asking if they require a password reset in AD.",
      "note": "",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Failed Login Playbook With Slack",
      "name": "Failed Login Playbook With Slack",
      "description": "Deprecated. Use the Failed Login - Slack v2 playbook instead.",
      "note": "Use the Failed Login - Slack v2 playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "File Enrichment - Generic",
      "name": "File Enrichment - Generic",
      "description": "Deprecated. Use \"File Enrichment - Generic v2\" playbook instead. Enrich a file using one or more integrations.\n\nFile enrichment includes:\n* File history\n* Threat information\n* File reputation",
      "note": "Use \"File Enrichment - Generic v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "FortiSandbox - Loop for Job Submissions",
      "name": "FortiSandbox - Loop for Job Submissions",
      "description": "Playbook used to retrieve job id for submissions of fortisandbox using. Deprecated. Use `fortisandbox-submission-file-upload` instead. the submission id.",
      "note": "Use `fortisandbox-submission-file-upload` instead.",
      "maintenance_start": "May 01, 2024",
      "eol_start": "Nov 01, 2024"
    },
    {
      "id": "FortiSandbox - Loop For Job Verdict",
      "name": "FortiSandbox - Loop For Job Verdict",
      "description": "Playbook used to retrieve the verdict for a specific job id for a sample. Deprecated. Use `fortisandbox-submission-file-upload` instead. submitted to FortiSandbox",
      "note": "Use `fortisandbox-submission-file-upload` instead.",
      "maintenance_start": "May 01, 2024",
      "eol_start": "Nov 01, 2024"
    },
    {
      "id": "FortiSandbox - Upload Multiple Files",
      "name": "FortiSandbox - Upload Multiple Files",
      "description": "Playbook used to upload files to FortiSandbox. Deprecated. Use `fortisandbox-submission-file-upload` instead.",
      "note": "Use `fortisandbox-submission-file-upload` instead.",
      "maintenance_start": "May 01, 2024",
      "eol_start": "Nov 01, 2024"
    },
    {
      "id": "Get endpoint details - Generic",
      "name": "Get endpoint details - Generic",
      "description": "Deprecated. Use the `Endpoint Enrichment - Generic v2.1` playbook instead.\nThis playbook uses the generic command !endpoint to retrieve details on a specific endpoint.\nThis command currently supports the following integrations:\n- Palo Alto Networks Cortex XDR - Investigation and Response.\n- CrowdStrike Falcon. ",
      "note": "Use the `Endpoint Enrichment - Generic v2.1` playbook instead.",
      "maintenance_start": "Dec 01, 2023",
      "eol_start": "Jun 01, 2024"
    },
    {
      "id": "Get File Sample By Hash - Cylance Protect",
      "name": "Get File Sample By Hash - Cylance Protect",
      "description": "Deprecated. Use \"Get File Sample By Hash - Cylance Protect v2\" playbook instead.",
      "note": "Use \"Get File Sample By Hash - Cylance Protect v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Get File Sample By Hash - Generic",
      "name": "Get File Sample By Hash - Generic",
      "description": "Deprecated. Use \"Get File Sample By Hash - Generic v2\" playbook instead. Returns to the war-room a file sample correlating from a hash using one or more products",
      "note": "Use \"Get File Sample By Hash - Generic v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Get File Sample By Hash - Generic v2",
      "name": "Get File Sample By Hash - Generic v2",
      "description": "Deprecated. Use `Get File Sample By Hash - Generic v3` instead. This playbook returns a file sample correlating to a hash in the war-room using the following sub-playbooks:\n- Get File Sample By Hash - Carbon Black Enterprise Response\n- Get File Sample By Hash - Cylance Protect v2",
      "note": "Use `Get File Sample By Hash - Generic v3` instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Get File Sample From Path - Generic",
      "name": "Get File Sample From Path - Generic",
      "description": "Deprecated. Use `Get File Sample From Path - Generic V3` instead. Returns a file sample to the war-room from a path on an endpoint using one or more integrations\n\ninputs:\n* UseD2 - if \"True\", use Demisto Dissolvable Agent (D2) to return the file (default: False)",
      "note": "Use `Get File Sample From Path - Generic V3` instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Get File Sample From Path - Generic V2",
      "name": "Get File Sample From Path - Generic V2",
      "description": "Deprecated. Use `Get File Sample From Path - Generic V3` instead.\nThis playbook returns a file sample correlating to a path into the War Room using the following sub-playbooks:\ninputs:\n1) Get File Sample From Path - D2.\n2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).\n",
      "note": "Use `Get File Sample From Path - Generic V3` instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Get Mails By Folder Pathes",
      "name": "Get Mails By Folder Pathes",
      "description": "Deprecated. Use the \"Get Mails By Folder Paths\" playbook instead.",
      "note": "Use the \"Get Mails By Folder Paths\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Get Original Email - Generic",
      "name": "Get Original Email - Generic",
      "description": "Deprecated. Use the \"Get Original Email - Generic v2\" playbook under the \"Phishing\" pack instead.",
      "note": "Use the \"Get Original Email - Generic v2\" playbook under the \"Phishing\" pack instead.",
      "maintenance_start": "Mar 01, 2023",
      "eol_start": "Sep 01, 2023"
    },
    {
      "id": "Get Original Email - Gmail",
      "name": "Get Original Email - Gmail",
      "description": "Deprecated. Use Get_Original_Email_-_Gmail_v2 instead.\nUse this playbook to retrieve the original email in the thread, including headers and attahcments, when the reporting user forwarded the original email not as an attachment.\n\nYou must have the necessary permissions in your Gmail service to execute global search: Google Apps Domain-Wide Delegation of Authority\n",
      "note": "Use Get_Original_Email_-_Gmail_v2 instead.",
      "maintenance_start": "Nov 01, 2022",
      "eol_start": "May 01, 2023"
    },
    {
      "id": "Handle Expanse Incident",
      "name": "Handle Expanse Incident",
      "description": "Deprecated. No available replacement.\nMain Playbook to Handle Expanse Incidents.\nThere are several phases:\n1. Enrichment: all the related information from the incident is extracted, and related indicators (IP, CIDR, Domain, DomainGlob, Certificate) are created and enriched.\n2. Validation: the found IP and FQDN are correlated with the information available in other products:\n  - Firewall logs from Strata Logging Service, Panorama, and Splunk.\n  - User information from Active Directory.\n  - Public IP address from AWS/GCP/Azure public IP feeds to identify the Public Cloud region and service (i.e., us-west-1 on AWS EC2).\n  - IP and FQDN from Prisma Cloud inventory.\n3. Shadow IT check: based on the information found, the playbook can suggest whether the discovered issue corresponds to an asset that is known to the InfoSec team (i.e., there are firewall logs present, or the asset is protected by Prisma Cloud, or is part of an IP range associated to the company).\n4. Attribution: based on the information collected above, the analyst is prompted to assign this issue to an Organization Unit, which is a group within the company with a specific owner. The analyst can choose from existing Organization Units (stored in an XSOAR list) or define a new one.\n5. Response: depending on the issue type, several remediation actions can be automatically and manually performed, such as:\n    - Tagging the asset in Expanse with a specific Organization Unit tag.\n    - Blocking the service on PAN-OS (if a firewall is deployed in front of the service).\n    - Creating a new Shadow IT issue (if the asset is detected to be Shadow IT and the analyst confirms it)\n    - Adding the service to a Vulnerability Management system\n    - Linking the incident to a related Prisma Cloud alert for the asset (if the asset is found under Prisma Cloud inventory)\n    - Bringing rogue cloud accounts under management",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "Handle Expanse Incident - Attribution Only",
      "name": "Handle Expanse Incident - Attribution Only",
      "description": " Deprecated. No available replacement.\n Shorter version of Handle Expanse Incident playbook with only the Attribution part.\n\nThere are several phases:\n1. Enrichment: all the related information from the incident is extracted and related Indicators (of types IP, CIDR, Domain, DomainGlob, Certificate) are created and enriched.\n2. Validation: the found IP and FQDN are correlated with the information available in other products:\n  - Firewall logs from Strata Logging Service, Panorama and Splunk\n  - User information from Active Directory\n  - Public IP address from AWS/GCP/Azure public IP feeds to identify the Public Cloud region and Service (i.e. us-west-1 on AWS EC2)\n  - IP and FQDN from Prisma Cloud inventory\n3. Shadow IT check: based on the information found, the playbook can suggest whether the discovered issue corresponds to an asset that is known to the InfoSec team (i.e. there are firewall logs present, or the asset is protected by Prisma Cloud, or is part of an IP range associated to the Company).\n4. Attribution: based on the information collected above, the Analyst is prompted to assign this issue to an Organization Unit, that is a group within the Company with a specific owner. The Analyst can choose from existing Organization Units (stored in an XSOAR list) or define a new one.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "Hunt Extracted Hashes",
      "name": "Hunt Extracted Hashes",
      "description": "Deprecated. Use the Hunt Extracted Hashes V2 playbook instead. This playbook extracts IOCs from the incident details and attached\\ \\ files using regular expressions and then hunts for hashes on endpoints in the organization\\ \\ using available tools.\\nThe playbook supports multiple types of attachments. For\\ \\ the full supported attachments list, refer to \\\"Extract Indicators From\\ \\ File - Generic v2\\\".",
      "note": "Use the Hunt Extracted Hashes V2 playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Hunt for bad IOCs",
      "name": "Hunt for bad IOCs",
      "description": "Deprecated. Use the Search Endpoints By Hash playbook. Assume that malicious IOCs are in the right place in the context and start hunting using available tools.",
      "note": "",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Hunting C&C Communication Playbook",
      "name": "Hunting C&C Communication Playbook",
      "description": "Deprecated. A playbook to use the latest Threat Intelligence to hunt across your infrastructure and look for malicious C&C communications.",
      "note": "",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Hybrid-analysis quick-scan",
      "name": "Hybrid-analysis quick-scan",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Sep 01, 2022",
      "eol_start": "Mar 01, 2023"
    },
    {
      "id": "Incident Enrichment",
      "name": "Incident Enrichment",
      "description": "Deprecated. We recommend using Default playbook instead. Enrich data with reputation from the incident. Data is extracted to the standard locations like File, URL, IP.",
      "note": "We recommend using Default playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "IP Enrichment - Generic",
      "name": "IP Enrichment - Generic",
      "description": "Deprecated. Enrich IP using one or more integrations.\n\nIP enrichment includes:\n* Resolve IP to Hostname (DNS)\n* Threat information\n* Separate internal and external addresses\n* IP reputation\n* For internal addresses, get host information",
      "note": "",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Isolate Endpoint - Generic",
      "name": "Isolate Endpoint - Generic",
      "description": "Deprecated. Use the \"Isolate Endpoint - Generic V2\" playbook instead.",
      "note": "Use the \"Isolate Endpoint - Generic V2\" playbook instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Launch Scan - Tenable.sc",
      "name": "Launch Scan - Tenable.sc",
      "description": "Deprecated. Use tenable-sc-launch-scan-report command instead.",
      "note": "Use tenable-sc-launch-scan-report command instead.",
      "maintenance_start": "Jul 01, 2023",
      "eol_start": "Jan 01, 2024"
    },
    {
      "id": "Malware Investigation - Generic",
      "name": "Malware Investigation - Generic",
      "description": "Deprecated. Use \"Endpoint Malware Investigation - Generic\" playbook instead. Investigate a malware using one or more integrations",
      "note": "Use \"Endpoint Malware Investigation - Generic\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Malware Investigation - Generic - Setup",
      "name": "Malware Investigation - Generic - Setup",
      "description": "Deprecated. Verify file sample and hostname information for the \"Malware Investigation - Generic\" playbook.\nIf the file sample or hostname are missing, the playbook will attempt to retrieve them using one or more integrations",
      "note": "",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Malware Investigation - Manual",
      "name": "Malware Investigation - Manual",
      "description": "Deprecated. Use 'Malware Investigation & Response Incident handler' instead. (From the 'Malware Investigation And Response Pack')\nMaster playbook for investigating suspected malware presence on an endpoint.\nLabels:\n - System: the hostname for the endpoint being investigated",
      "note": "Use 'Malware Investigation & Response Incident handler' instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "Malware Playbook - Manual",
      "name": "Malware Playbook - Manual",
      "description": "Deprecated. Use \"Malware Investigation - Manual\" playbook instead. Master playbook for investigating suspected malware presence on an endpoint.\nLabels:\n - System: the hostname for the endpoint being investigated",
      "note": "Use \"Malware Investigation - Manual\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "McAfee ePO Endpoint Compliance Playbook",
      "name": "McAfee ePO Endpoint Compliance Playbook",
      "description": "Deprecated. Use \"McAfee ePO Endpoint Compliance Playbook v2\" playbook instead. Discover endpoints that are not using the latest McAfee AV Signatures",
      "note": "Use \"McAfee ePO Endpoint Compliance Playbook v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "McAfee ePO Endpoint Connectivity Diagnostics Playbook",
      "name": "McAfee ePO Endpoint Connectivity Diagnostics Playbook",
      "description": "Deprecated. Use \"McAfee ePO Endpoint Connectivity Diagnostics Playbook V2\" playbook instead. Perform a check on ePO endpoints to see if any endpoints are unmanaged or lost connectivity with ePO and take steps to return to valid state.",
      "note": "Use \"McAfee ePO Endpoint Connectivity Diagnostics Playbook V2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "McAfee ePO Repository Compliance Playbook",
      "name": "McAfee ePO Repository Compliance Playbook",
      "description": "Deprecated. Use \"McAfee ePO Repository Compliance Playbook v2\" playbook instead. Ensures that ePO servers are updated to the latest McAfee published AV signatures (DAT file version).",
      "note": "Use \"McAfee ePO Repository Compliance Playbook v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "NSA - 5 Security Vulnerabilities Under Active Nation-State Attack",
      "name": "NSA - 5 Security Vulnerabilities Under Active Nation-State Attack",
      "description": "Deprecated. No available replacement.  Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and The Dukes) frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation.\nThis playbook should be trigger manually and includes the following tasks:\n- Enrich related known CVEs reported in the US agencies alert.\n- Search for unpatched endpoints vulnerable to the exploits.\n- Search for vulnerable assets facing the internet using Expanse.\n\nNote: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. \n\nMore information:\n[Cyber Security Advisory] (https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF)",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    },
    {
      "id": "O365 - Security And Compliance - Search",
      "name": "O365 - Security And Compliance - Search",
      "description": "Deprecated. Use the Microsoft Graph Security - Search And Delete Emails playbook instead.\nThis playbook performs the following steps:\n1. Creates a compliance search.\n2. Starts a compliance search.\n3. Waits for the compliance search to complete.\n4. Gets the results of the compliance search as an output.\n5. Gets the preview results, if specified.",
      "note": "Use the Microsoft Graph Security - Search And Delete Emails playbook instead.",
      "maintenance_start": "Jul 01, 2026",
      "eol_start": "Jan 01, 2027"
    },
    {
      "id": "O365 - Security And Compliance - Search Action - Delete",
      "name": "O365 - Security And Compliance - Search Action - Delete",
      "description": "Deprecated. Use the Microsoft Graph Security - Search And Delete Emails playbook instead.\nThis playbook performs the following steps:\n1. Creates a new compliance search action Purge - Hard or Soft.\n2. Waits for the compliance search action to complete.\n3. Retrieves the delete search action.",
      "note": "Use the Microsoft Graph Security - Search And Delete Emails playbook instead.",
      "maintenance_start": "Jul 01, 2026",
      "eol_start": "Jan 01, 2027"
    },
    {
      "id": "O365 - Security And Compliance - Search Action - Preview",
      "name": "O365 - Security And Compliance - Search Action - Preview",
      "description": "Deprecated. Use the Microsoft Graph Security - Search And Delete Emails playbook instead.\nThis playbook perform:\n1. Creates a new compliance search action - Preview (Base on created compliance search).\n2. Waits for the preview action to complete.\n3. Retrieves the preview results.",
      "note": "Use the Microsoft Graph Security - Search And Delete Emails playbook instead.",
      "maintenance_start": "Jul 01, 2026",
      "eol_start": "Jan 01, 2027"
    },
    {
      "id": "O365 - Security And Compliance - Search And Delete",
      "name": "O365 - Security And Compliance - Search And Delete",
      "description": "Deprecated. Use the Microsoft Graph Security - Search And Delete Emails playbook instead.\nThis playbook performs the following steps:\n1. Creates a compliance search.\n2. Starts a compliance search.\n3. Waits for the compliance search to complete.\n4. Gets the results of the compliance search.\n5. Gets the preview results, if specified.\n6. Deletes the search results (Hard/Soft).",
      "note": "Use the Microsoft Graph Security - Search And Delete Emails playbook instead.",
      "maintenance_start": "Jul 01, 2026",
      "eol_start": "Jan 01, 2027"
    },
    {
      "id": "Office 365 Search and Delete",
      "name": "Office 365 Search and Delete",
      "description": "Deprecated. Use the Microsoft Graph Security - Search And Delete Emails playbook instead. This playbook runs a ComplianceSearch on Office 365 and delete the results.",
      "note": "Use the Microsoft Graph Security - Search And Delete Emails playbook instead.",
      "maintenance_start": "Jul 01, 2026",
      "eol_start": "Jan 01, 2027"
    },
    {
      "id": "Palo Alto Networks - Endpoint Malware Investigation",
      "name": "Palo Alto Networks - Endpoint Malware Investigation",
      "description": "Deprecated. Use Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps.  The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation for the extracted file. It then performs IOC enrichment with Minemeld for all related IOCs, and calculates the incident severity based on all the findings. In addition we detonate the file for the full analysis report. \nThe analyst can perform a manual memory dump for the suspected endpoint based on the incident\u2019s severity, and choose to isolate the source endpoint with Traps.\nHunting tasks to find more endpoints that are infected is performed automatically based on a playbook input, and after all infected endpoints are found, remediation for all malicious IOCs is performed, including file quarantine, and IP and URLs blocking with Palo Alto Networks FireWall components such as Dynamic Address Groups and Custom URL Categories.\nAfter the investigation review the incident is automatically closed.",
      "note": "Use Malware Investigation and Response pack instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Palo Alto Networks - Endpoint Malware Investigation v2",
      "name": "Palo Alto Networks - Endpoint Malware Investigation v2",
      "description": "Deprecated. Use the \"Palo Alto Networks - Endpoint Malware Investigation v3\"\\ \\ playbook instead. This playbook is triggered by a Palo Alto Networks Cortex threat alert,\\ \\ generated by Traps.  The playbook performs host enrichment for the source host\\ \\ with Palo Alto Networks Traps, enriches information for the suspicious file with\\ \\ Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation\\ \\ for the extracted file. It then performs IOC enrichment with Minemeld for all\\ \\ related IOCs, and calculates the incident severity based on all the findings.\\ \\ In addition we detonate the file for the full analysis report. \\nThe analyst can\\ \\ perform a manual memory dump for the suspected endpoint based on the incident\u2019s\\ \\ severity, and choose to isolate the source endpoint with Traps.\\nHunting tasks\\ \\ to find more endpoints that are infected is performed automatically based on a\\ \\ playbook input, and after all infected endpoints are found, remediation for all\\ \\ malicious IOCs is performed, including file quarantine, and IP and URLs blocking\\ \\ with Palo Alto Networks FireWall components such as Dynamic Address Groups and\\ \\ Custom URL Categories.\\nAfter the investigation review the incident is automatically\\ \\ closed.",
      "note": "Use the \"Palo Alto Networks - Endpoint Malware Investigation v3\"\\ \\ playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Palo Alto Networks - Endpoint Malware Investigation v3",
      "name": "Palo Alto Networks - Endpoint Malware Investigation v3",
      "description": "Deprecated. Use Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps.  The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation for the extracted file. It then performs IOC enrichment with Minemeld for all related IOCs, and calculates the incident severity based on all the findings. In addition we detonate the file for the full analysis report. \nThe analyst can perform a manual memory dump for the suspected endpoint based on the incident\u2019s severity, and choose to isolate the source endpoint with Traps.\nHunting tasks to find more endpoints that are infected is performed automatically based on a playbook input, and after all infected endpoints are found, remediation for all malicious IOCs is performed, including file quarantine, and IP and URLs blocking with Palo Alto Networks FireWall components such as Dynamic Address Groups and Custom URL Categories.\nAfter the investigation review the incident is automatically closed.",
      "note": "Use Malware Investigation and Response pack instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Palo Alto Networks - Malware Remediation",
      "name": "Palo Alto Networks - Malware Remediation",
      "description": "Deprecated. Use Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.This Playbook performs malicious IOC remediation using Palo Alto Networks integrations.",
      "note": "Use Malware Investigation and Response pack instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "PAN-OS - Block Domain - External Dynamic List",
      "name": "PAN-OS - Block Domain - External Dynamic List",
      "description": "Deprecated. Use Generic Export Indicators Service instead.",
      "note": "Use Generic Export Indicators Service instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "PAN-OS - Block IP and URL - External Dynamic List",
      "name": "PAN-OS - Block IP and URL - External Dynamic List",
      "description": "Deprecated. Use \"PAN-OS - Block IP and URL - External Dynamic List v2\" playbook instead. This playbook blocks IP addresses and URLs using Palo Alto Networks Panorama or Firewall External Dynamic Lists.\nIt checks if the EDL configuration is in place with the 'PAN-OS EDL Setup' sub-playbook (otherwise the list will be configured), and adds the input IPs and URLs to the relevant lists.",
      "note": "Use \"PAN-OS - Block IP and URL - External Dynamic List v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "PAN-OS - Block IP and URL - External Dynamic List v2",
      "name": "PAN-OS - Block IP and URL - External Dynamic List v2",
      "description": "Deprecated. Use Generic Export Indicators Service instead.",
      "note": "Use Generic Export Indicators Service instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "PAN-OS Commit Configuration",
      "name": "PAN-OS Commit Configuration",
      "description": "Deprecated. Use PAN-OS Commit Configuration v2 instead.",
      "note": "Use PAN-OS Commit Configuration v2 instead.",
      "maintenance_start": "Jan 01, 2024",
      "eol_start": "Jul 01, 2024"
    },
    {
      "id": "PAN-OS EDL Service Configuration",
      "name": "PAN-OS EDL Service Configuration",
      "description": "Deprecated. No available replacement. This single-run playbook enables Cortex XSOAR's built-in External Dynamic List (EDL) as a service for system indicators, and configures PAN-OS EDL Objects and the respective firewall policy rules.\nThe EDLs will continuously update for each indicator that matches the query syntax input in the playbook \n(to validate to which indicators the query applied,  you need to enter the query syntax from the indicator tab at the top of the playbook inputs window as well). \nIf both the IP and URL indicator types exist in the query, it sorts the indicators into two EDLs, IP and URL. If only one indicator type exists in the query, only one EDL is created. \nThe playbook then creates EDL objects directing to the indicator lists and firewall policy rules in PAN-OS. \n- It is recommended to configure a dedicated EDL Service instance for the usage of this playbook.\n- If necessary to edit or update the EDL query after this playbook run, use the panorama-edit-edl command and panorama integration to update the URL containing the indicator query syntax.",
      "note": "No available replacement.",
      "maintenance_start": "Feb 01, 2022",
      "eol_start": "Aug 01, 2022"
    },
    {
      "id": "PAN-OS EDL Setup",
      "name": "PAN-OS EDL Setup",
      "description": "Deprecated. Use PAN-OS EDL Setup v3 playbook instead. Configures an external dynamic list in PAN-OS.\\nIn the event that the file exists on the web server, it will sync it to demisto. Then it will create an EDL object and a matching rule.",
      "note": "Use PAN-OS EDL Setup v3 playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "PAN-OS EDL Setup v2",
      "name": "PAN-OS EDL Setup v2",
      "description": "Deprecated. Use \"PAN-OS EDL Setup v3\" playbook instead. Configures an external dynamic list in PAN-OS.\nIn the event that the file exists on the web server, it will sync it to demisto. Then it will create an EDL object and a matching rule.",
      "note": "Use \"PAN-OS EDL Setup v3\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "PAN-OS EDL Setup v3",
      "name": "PAN-OS EDL Setup v3",
      "description": "Deprecated. Use Generic Export Indicators Service instead.",
      "note": "Use Generic Export Indicators Service instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "PanoramaCommitConfiguration",
      "name": "PanoramaCommitConfiguration",
      "description": "Deprecated. - Use PAN-OS Commit Configuration instead.\\nIf specified as Panorama, will also push the Policies to the specified Device Group in the instance. (please use pan-os-commit-configuration instead)",
      "note": "- Use PAN-OS Commit Configuration instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "PanoramaQueryTrafficLogs",
      "name": "PanoramaQueryTrafficLogs",
      "description": "Deprecated. Use \"PAN-OS Query Logs For Indicators\" playbook instead. Queries traffic logs in a PAN-OS Panorama or Firewall device.",
      "note": "Use \"PAN-OS Query Logs For Indicators\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "PANW - Hunting and threat detection by indicator type",
      "name": "PANW - Hunting and threat detection by indicator type",
      "description": "Deprecated. Use the \"PANW - Hunting and threat detection by indicator type V2\" playbook instead.",
      "note": "Use the \"PANW - Hunting and threat detection by indicator type V2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "PANW - Hunting and threat detection by indicator type V2",
      "name": "PANW - Hunting and threat detection by indicator type V2",
      "description": "Deprecated. Use the \"Palo Alto Networks - Hunting And Threat Detection\"\\ \\ playbook instead. Integrations list -  Cortex (Traps, PAN-OS, Analytics)\\nThis is a multipurpose\\ \\ playbook used for hunting and threat detection. The playbook receives inputs based\\ \\ on hashes, IP addresses, or domain names provided manually or from outputs by\\ \\ other playbooks. \\nWith the received indicators, the playbook leverages Palo Alto\\ \\ Cortex data received by products such as Traps, Analytics and Pan-OS to search\\ \\ for IP addresses and hosts related to that specific hash. \\nThe output provided\\ \\ by the playbook facilitates pivoting searches for possibly affected hosts, IP\\ \\ addresses, or users.",
      "note": "Use the \"Palo Alto Networks - Hunting And Threat Detection\"\\ \\ playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "PANW Threat Vault - Signature Search",
      "name": "PANW Threat Vault - Signature Search",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "Phishing - Core",
      "name": "Phishing - Core",
      "description": "Deprecated. Use Phishing - Core v2 instead.",
      "note": "Use Phishing - Core v2 instead.",
      "maintenance_start": "Feb 01, 2023",
      "eol_start": "Aug 01, 2023"
    },
    {
      "id": "Phishing Investigation - Generic",
      "name": "Phishing Investigation - Generic",
      "description": "Deprecated. Use \"Phishing Investigation - Generic v2\" playbook instead. Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself.\nThe final remediation tasks are always decided by a human analyst.",
      "note": "Use \"Phishing Investigation - Generic v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Phishing Investigation - Generic v2",
      "name": "Phishing Investigation - Generic v2",
      "description": "Deprecated. Use Phishing - Generic v3 instead.",
      "note": "Use Phishing - Generic v3 instead.",
      "maintenance_start": "Feb 01, 2023",
      "eol_start": "Aug 01, 2023"
    },
    {
      "id": "Phishing Playbook - Automated",
      "name": "Phishing Playbook - Automated",
      "description": "Deprecated. We recommend using Phishing investigation - Generic playbook instead.\nThis is an automated playbook to investigate suspected Phishing attempts.\nIt picks up the required information from the incident metadata as created by the mail listener.\nLabels:\n- Email/from: Email address of the user targeted by the suspected phishing attempt, who reported the email by forwarding it\n- Email: the to recipients\n- Email/cc: the cc recipients\n- Email/format: the format of the email - text / html / etc.\n- Email/html: the html body\n- Email/text: the text body\n- Email/subject: subject of the email\n- Email/attachments: list of attachments\n- Email/headers: the headers for the email",
      "note": "We recommend using Phishing investigation - Generic playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Prisma Cloud - Find AWS Resource by FQDN",
      "name": "Prisma Cloud - Find AWS Resource by FQDN",
      "description": "Deprecated. Use Prisma Cloud - Find AWS Resource by FQDN v2 instead.\nFind AWS resources by FQDN using Prisma Cloud inventory.\nSupported services: EC2, Application Load Balancer, ECS, Route53, CloudFront, S3, API Gateway.\n",
      "note": "Use Prisma Cloud - Find AWS Resource by FQDN v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud - Find AWS Resource by Public IP",
      "name": "Prisma Cloud - Find AWS Resource by Public IP",
      "description": "Deprecated. Use Prisma Cloud - Find AWS Resource by Public IP v2 instead.\nFind AWS resources by Public IP using Prisma Cloud inventory.\nSupported services: EC2, Network Load Balancer, ECS, Route53.\n",
      "note": "Use Prisma Cloud - Find AWS Resource by Public IP v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud - Find Azure Resource by FQDN",
      "name": "Prisma Cloud - Find Azure Resource by FQDN",
      "description": "Deprecated. Use Prisma Cloud - Find Azure Resource by FQDN v2 instead.\nFind Azure resources by FQDN using Prisma Cloud inventory.\nSupported services: Azure VM, Azure Load Balancer, Azure Application Gateway, AKS, Azure Web Apps, Azure Storage.\n",
      "note": "Use Prisma Cloud - Find Azure Resource by FQDN v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud - Find Azure Resource by Public IP",
      "name": "Prisma Cloud - Find Azure Resource by Public IP",
      "description": "Deprecated. Use Prisma Cloud - Find Azure Resource by Public IP v2 instead.\nFind Azure resources by Public IP using Prisma Cloud inventory.\nSupported services: Azure VM, Azure Load Balancer, Azure Application Gateway, Azure Web Apps.\n",
      "note": "Use Prisma Cloud - Find Azure Resource by Public IP v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud - Find GCP Resource by FQDN",
      "name": "Prisma Cloud - Find GCP Resource by FQDN",
      "description": "Deprecated. Use Prisma Cloud - Find GCP Resource by FQDN v2 instead.\nFind GCP resources by FQDN using Prisma Cloud inventory.\nSupported services: Cloud DNS.\n",
      "note": "Use Prisma Cloud - Find GCP Resource by FQDN v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud - Find GCP Resource by Public IP",
      "name": "Prisma Cloud - Find GCP Resource by Public IP",
      "description": "Deprecated. Use Prisma Cloud - Find GCP Resource by Public IP v2 instead.\nFind GCP resources by Public IP using Prisma Cloud inventory.\nSupported services: GCE, Load Balancing, GKE.\n",
      "note": "Use Prisma Cloud - Find GCP Resource by Public IP v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud Compute - Audit Alert",
      "name": "Prisma Cloud Compute - Audit Alert",
      "description": "Deprecated. Use \"Prisma Cloud Compute - Audit Alert v3\" instead. Default playbook for parsing Prisma Cloud Compute audit alerts",
      "note": "Use \"Prisma Cloud Compute - Audit Alert v3\" instead.",
      "maintenance_start": "Jan 01, 2024",
      "eol_start": "Jul 01, 2024"
    },
    {
      "id": "Prisma Cloud Compute - Audit Alert v2",
      "name": "Prisma Cloud Compute - Audit Alert v2",
      "description": "Deprecated. Use \"Prisma Cloud Compute - Audit Alert v3\" instead. Default playbook for parsing and enrichment of Prisma Cloud Compute audit alerts.",
      "note": "Use \"Prisma Cloud Compute - Audit Alert v3\" instead.",
      "maintenance_start": "Jan 01, 2024",
      "eol_start": "Jul 01, 2024"
    },
    {
      "id": "Prisma Cloud Compute - Compliance Alert",
      "name": "Prisma Cloud Compute - Compliance Alert",
      "description": "Deprecated. Use Prisma Cloud Compute - Compliance Alert v2 instead.",
      "note": "Use Prisma Cloud Compute - Compliance Alert v2 instead.",
      "maintenance_start": "May 01, 2024",
      "eol_start": "Nov 01, 2024"
    },
    {
      "id": "Prisma Cloud Correlate Alerts",
      "name": "Prisma Cloud Correlate Alerts",
      "description": "Deprecated. Use Prisma Cloud Correlate Alerts v2 instead. Search alerts in Prisma Cloud for a specific asset ID and, if present in XSOAR, link them.",
      "note": "Use Prisma Cloud Correlate Alerts v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud Remediation - AWS CloudTrail Misconfiguration",
      "name": "Prisma Cloud Remediation - AWS CloudTrail Misconfiguration",
      "description": "Deprecated. Use Prisma Cloud Remediation - AWS CloudTrail Misconfiguration v2 instead.\nThis playbook remediates Prisma Cloud AWS CloudTrail alerts. It calls sub-playbooks that perform the actual remediation steps.\n\nRemediation:\n - AWS CloudTrail Trail Log Validation Is Not Enabled In All Regions\n - AWS CloudTrail is not enabled in all regions\n - AWS CloudTrail Trail Is Not Integrated With CloudWatch Logs\n - AWS CloudTrail is not enabled on the account",
      "note": "Use Prisma Cloud Remediation - AWS CloudTrail Misconfiguration v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration",
      "name": "Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration",
      "description": "Deprecated. Use Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration v2 instead.\nThis playbook remediates Prisma Cloud AWS EC2 alerts.  It calls the following sub-playbooks to perform the remediation:\n- AWS Default Security Group Does Not Restrict All Traffic\n- AWS Security Groups Allow Internet Traffic\n- AWS Security Groups With Inbound Rule Overly Permissive To All Traffic\n- AWS Security Groups allow internet traffic from internet to FTP-Data port (20)\n- AWS Security Groups allow internet traffic from internet to FTP port (21)\n- AWS Security Groups allow internet traffic to SSH port (22)\n- AWS Security Group allows all traffic on SSH port (22)\n- AWS Security Groups allow internet traffic from internet to Telnet port (23)\n- AWS Security Groups allow internet traffic from internet to SMTP port (25)\n- AWS Security Groups allow internet traffic from internet to DNS port (53)\n- AWS Security Groups allow internet traffic from internet to Windows RPC port (135)\n- AWS Security Groups allow internet traffic from internet to NetBIOS port (137)\n- AWS Security Groups allow internet traffic from internet to NetBIOS port (138)\n- AWS Security Groups allow internet traffic from internet to CIFS port (445)\n- AWS Security Groups allow internet traffic from internet to SQLServer port (1433)\n- AWS Security Groups allow internet traffic from internet to SQLServer port (1434)\n- AWS Security Groups allow internet traffic from internet to MYSQL port (3306)\n- AWS Security Groups allow internet traffic from internet to RDP port (3389)\n- AWS Security Groups allow internet traffic from internet to MSQL port (4333)\n- AWS Security Groups allow internet traffic from internet to PostgreSQL port (5432)\n- AWS Security Groups allow internet traffic from internet to VNC Listener port (5500)\n- AWS Security Groups allow internet traffic from internet to VNC Server port (5900)\n",
      "note": "Use Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud Remediation - AWS IAM Policy Misconfiguration",
      "name": "Prisma Cloud Remediation - AWS IAM Policy Misconfiguration",
      "description": "Deprecated. Use Prisma Cloud Remediation - AWS IAM Policy Misconfiguration v2 instead. This playbook remediates Prisma Cloud AWS IAM policy alerts.  It uses sub-playbooks that perform the remediation steps.",
      "note": "Use Prisma Cloud Remediation - AWS IAM Policy Misconfiguration v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud Remediation - Azure AKS Misconfiguration",
      "name": "Prisma Cloud Remediation - Azure AKS Misconfiguration",
      "description": "Deprecated. Use Prisma Cloud Remediation - Azure AKS Misconfiguration v2 instead.\nThis playbook remediates Prisma Cloud Azure AKS alerts.  It calls sub-playbooks that perform the actual remediation steps.\n\nRemediation:\n- Azure AKS cluster monitoring not enabled\n- Azure AKS cluster HTTP application routing enabled\n",
      "note": "Use Prisma Cloud Remediation - Azure AKS Misconfiguration v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud Remediation - Azure Network Misconfiguration",
      "name": "Prisma Cloud Remediation - Azure Network Misconfiguration",
      "description": "Deprecated. Use Prisma Cloud Remediation - Azure Network Misconfiguration v2 instead.\nThis playbook remediates Prisma Cloud Azure Network alerts.  It calls sub-playbooks that perform the actual remediation steps.\n\nRemediation:\n\n- Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on any protocol\n- Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on TCP protocol\n- Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on UDP protocol\n- Azure Network Security Group (NSG) allows SSH traffic from internet on port 22\n- Azure Network Security Group (NSG) allows traffic from internet on port 3389\n- Azure Network Security Group allows DNS (TCP Port 53)\n- Azure Network Security Group allows FTP (TCP Port 21)\n- Azure Network Security Group allows FTP-Data (TCP Port 20)\n- Azure Network Security Group allows MSQL (TCP Port 4333)\n- Azure Network Security Group allows MySQL (TCP Port 3306)\n- Azure Network Security Group allows Windows RPC (TCP Port 135)\n- Azure Network Security Group allows Windows SMB (TCP Port 445)\n- Azure Network Security Group allows PostgreSQL (TCP Port 5432)\n- Azure Network Security Group allows SMTP (TCP Port 25)\n- Azure Network Security Group allows SqlServer (TCP Port 1433)\n- Azure Network Security Group allows Telnet (TCP Port 23)\n- Azure Network Security Group allows VNC Listener (TCP Port 5500)\n- Azure Network Security Group allows all traffic on ICMP (Ping)\n- Azure Network Security Group allows CIFS (UDP Port 445)\n- Azure Network Security Group allows NetBIOS (UDP Port 137)\n- Azure Network Security Group allows NetBIOS (UDP Port 138)\n- Azure Network Security Group allows SQLServer (UDP Port 1434)\n- Azure Network Security Group allows DNS (UDP Port 53)",
      "note": "Use Prisma Cloud Remediation - Azure Network Misconfiguration v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud Remediation - Azure SQL Misconfiguration",
      "name": "Prisma Cloud Remediation - Azure SQL Misconfiguration",
      "description": "Deprecated. Use Prisma Cloud Remediation - Azure SQL Misconfiguration v2 instead.\nThis playbook remediates Prisma Cloud Azure SQL alerts.  It calls sub-playbooks that perform the actual remediation steps.\n\nRemediation:\n\n- Azure SQL database auditing is disabled\n- Azure SQL Database with Auditing Retention less than 90 days\n- Azure Threat Detection on SQL databases is set to Off\n- Azure SQL Database with Threat Retention less than or equals to 90 days",
      "note": "Use Prisma Cloud Remediation - Azure SQL Misconfiguration v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud Remediation - Azure Storage Misconfiguration",
      "name": "Prisma Cloud Remediation - Azure Storage Misconfiguration",
      "description": "Deprecated. Use Prisma Cloud Remediation - Azure Storage Misconfiguration v2 instead.\nThis playbook remediates Prisma Cloud Azure Storage alerts.  It calls sub-playbooks that perform the actual remediation steps.\n\nRemediation:\n\n- Azure storage account has a blob container with public access\n- Azure storage account logging for blobs is disabled\n- Azure Storage Accounts without Secure transfer enabled\n- Azure storage account logging for queues is disabled\n- Azure storage account logging for tables is disabled #95",
      "note": "Use Prisma Cloud Remediation - Azure Storage Misconfiguration v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud Remediation - GCP Compute Engine Misconfiguration",
      "name": "Prisma Cloud Remediation - GCP Compute Engine Misconfiguration",
      "description": "Deprecated. Use Prisma Cloud Remediation - GCP Compute Engine Misconfiguration v2 instead.\nThis playbook remediates Prisma Cloud GCP Compute Engine alerts.  It calls sub-playbooks that perform the actual remediation steps.\n\nRemediation:\n - GCP VM instances have serial port access enabled\n - GCP VM instances have block project-wide SSH keys feature disabled\n - GCP VM instances without any custom metadata information\n",
      "note": "Use Prisma Cloud Remediation - GCP Compute Engine Misconfiguration v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration",
      "name": "Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration",
      "description": "Deprecated. Use Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration v2 instead.\nThis playbook remediates Prisma Cloud GCP Kubernetes Engine alerts.  It calls sub-playbooks that perform the actual remediation steps.\n\nRemediation:\n* GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled\n* GCP Kubernetes Engine Clusters have HTTP load balancing disabled\n* GCP Kubernetes Engine Clusters have Legacy Authorization enabled\n* GCP Kubernetes Engine Clusters have Master authorized networks disabled\n* GCP Kubernetes Engine Clusters have Network policy disabled\n* GCP Kubernetes Engine Clusters have Stackdriver Logging disabled\n* GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled\n* GCP Kubernetes Engine Clusters have binary authorization disabled\n* GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled\n* GCP Kubernetes cluster intra-node visibility disabled\n",
      "note": "Use Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Prisma Cloud Remediation - GCP VPC Network Misconfiguration",
      "name": "Prisma Cloud Remediation - GCP VPC Network Misconfiguration",
      "description": "Deprecated. Use Prisma Cloud Remediation - GCP VPC Network Misconfiguration v2 instead.\nThis playbook remediates Prisma Cloud GCP VPC Network alerts.  It calls sub-playbooks that perform the actual remediation steps.\n\nRemediation:\n\n - GCP project is using the default network\n - GCP Firewall rule allows internet traffic to FTP port (21)\n - GCP Firewall rule allows internet traffic to HTTP port (80)\n - GCP Firewall rule allows internet traffic to MongoDB port (27017)\n - GCP Firewall rule allows internet traffic to MySQL DB port (3306)\n - GCP Firewall rule allows internet traffic to Oracle DB port (1521)\n - GCP Firewall rule allows internet traffic to PostgreSQL port (5432)\n - GCP Firewall rule allows internet traffic to RDP port (3389)\n - GCP Firewall rule allows internet traffic to SSH port (22)\n - GCP Firewall rule allows internet traffic to Telnet port (23)\n - GCP Firewall rule allows internet traffic to DNS port (53)\n - GCP Firewall rule allows internet traffic to Microsoft-DS port (445)\n - GCP Firewall rule allows internet traffic to NetBIOS-SSN port (139)\n - GCP Firewall rule allows internet traffic to POP3 port (110)\n - GCP Firewall rule allows internet traffic to SMTP port (25)\n - GCP Default Firewall rule should not have any rules (except http and https)\n - GCP Firewall with Inbound rule overly permissive to All Traffic",
      "note": "Use Prisma Cloud Remediation - GCP VPC Network Misconfiguration v2 instead.",
      "maintenance_start": "May 01, 2023",
      "eol_start": "Nov 01, 2023"
    },
    {
      "id": "Process Email",
      "name": "Process Email",
      "description": "Deprecated. We recommend using Process Email - Generic playbook instead. Add email details into the relevant context entities and handle the case where you have attached original emails.",
      "note": "We recommend using Process Email - Generic playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Process Email - Add custom fields",
      "name": "Process Email - Add custom fields",
      "description": "Deprecated. We recommend using Process Email - Generic playbook instead. Process email - Add email data to a phishing incident's custom fields",
      "note": "We recommend using Process Email - Generic playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Process Email - Core",
      "name": "Process Email - Core",
      "description": "Deprecated. Use Process Email - Core v2 instead.",
      "note": "Use Process Email - Core v2 instead.",
      "maintenance_start": "Feb 01, 2023",
      "eol_start": "Aug 01, 2023"
    },
    {
      "id": "Process Email - Generic",
      "name": "Process Email - Generic",
      "description": "Deprecated. Use Process Email - Generic v2 instead.",
      "note": "Use Process Email - Generic v2 instead.",
      "maintenance_start": "Feb 01, 2023",
      "eol_start": "Aug 01, 2023"
    },
    {
      "id": "QRadar - Get offense correlations",
      "name": "QRadar - Get offense correlations",
      "description": "Deprecated. Use the `QRadar - Get offense correlations v2` instead.\nRun on a QRadar offense to get more information\n\n* Get all correlations relevant to the offense\n* Get all logs relevant to the correlations (not done by default, set \"GetCorrelationLogs\" to \"True\")\n\nInputs-\n* GetCorrelationLogs (default - False)\n* MaxLogsCount (default - 20)",
      "note": "Use the `QRadar - Get offense correlations v2` instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "QRadar - Get offense correlations v2",
      "name": "QRadar - Get offense correlations v2",
      "description": "Deprecated. Use the \"QRadar - Get Offense Logs\" playbook instead.\n Run on a QRadar offense to get more information:\n\n * Get all correlations relevant to the offense\n * Get all logs relevant to the correlations (not done by default - set \"GetCorrelationLogs\" to \"True\")\n\n Inputs:\n * GetCorrelationLogs (default: False)\n * MaxLogsCount (default: 20)",
      "note": "Use the \"QRadar - Get Offense Logs\" playbook instead.",
      "maintenance_start": "Dec 01, 2021",
      "eol_start": "Jun 01, 2022"
    },
    {
      "id": "QRadar Indicator Hunting",
      "name": "QRadar Indicator Hunting",
      "description": "Deprecated. Use the \"QRadar Indicator Hunting V2\" playbook instead.",
      "note": "Use the \"QRadar Indicator Hunting V2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "QRadarCorrelationLog",
      "name": "QRadarCorrelationLog",
      "description": "Deprecated. Use the \"QRadar - Get Offense Logs\" playbook instead. This playbook retrieves the correlation logs of multiple QIDs.",
      "note": "Use the \"QRadar - Get Offense Logs\" playbook instead.",
      "maintenance_start": "Dec 01, 2021",
      "eol_start": "Jun 01, 2022"
    },
    {
      "id": "QRadarFullSearch",
      "name": "QRadarFullSearch",
      "description": "Deprecated. Use the following command instead `qradar-search-retrieve-results`.\nThis playbook runs a QRadar query and returns its results to the context.",
      "note": "Use the following command instead `qradar-search-retrieve-results`.",
      "maintenance_start": "Jan 01, 2024",
      "eol_start": "Jul 01, 2024"
    },
    {
      "id": "Rapid IOC Hunting Playbook",
      "name": "Rapid IOC Hunting Playbook",
      "description": "Deprecated. Use the Hunt File Hash playbook instead. Playbook to quickly react to discovery of new IOCs. Receive a list of IOCs as attached text / csv files, extract IOCs using regular expressions and hunt rapidly across the infrastructure using various integrations. Also supports attaching multiple files.",
      "note": "Use the Hunt File Hash playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Retrieve File from Endpoint - Generic",
      "name": "Retrieve File from Endpoint - Generic",
      "description": "Deprecated. Use `Retrieve File from Endpoint - Generic V3` instead. \nThis playbook retrieves a file sample from an endpoint using the following playbooks:\n- Get File Sample From Path - Generic\n- Get File Sample By Hash - Generic v2",
      "note": "Use `Retrieve File from Endpoint - Generic V3` instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Retrieve File from Endpoint - Generic V2",
      "name": "Retrieve File from Endpoint - Generic V2",
      "description": "Deprecated. Use `Retrieve File from Endpoint - Generic V3` instead. \nThis playbook retrieves a file sample from an endpoint using the following playbooks:\n- Get File Sample From Path - Generic v2.\n- Get File Sample By Hash - Generic v3.",
      "note": "Use `Retrieve File from Endpoint - Generic V3` instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Run Panorama Best Practice Assessment (Deprecated)",
      "name": "Run Panorama Best Practice Assessment",
      "description": "Deprecated. Use Palo Alto Networks AIops instead, run aiops-bpa-report-generate command.",
      "note": "Use Palo Alto Networks AIops instead, run aiops-bpa-report-generate command.",
      "maintenance_start": "May 01, 2024",
      "eol_start": "Nov 01, 2024"
    },
    {
      "id": "Scan Assets - Nexpose",
      "name": "Scan Assets - Nexpose",
      "description": "Deprecated. Use the \"Scan Site - Nexpose\" playbook instead.",
      "note": "Use the \"Scan Site - Nexpose\" playbook instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Search And Delete Emails - Generic",
      "name": "Search And Delete Emails - Generic",
      "description": "Deprecated. Use `Search And Delete Emails - Generic v2` instead. This playbook searches for and deletes emails with attributes similar to those of a malicious email.",
      "note": "Use `Search And Delete Emails - Generic v2` instead.",
      "maintenance_start": "Apr 01, 2023",
      "eol_start": "Oct 01, 2023"
    },
    {
      "id": "Search Endpoints By Hash - Carbon Black Response",
      "name": "Search Endpoints By Hash - Carbon Black Response",
      "description": "Deprecated. Use the Search Endpoints By Hash - Carbon Black Response V2 playbook instead. Hunt for malicious indicators using Carbon Black.",
      "note": "Use the Search Endpoints By Hash - Carbon Black Response V2 playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Search Endpoints By Hash - CrowdStrike",
      "name": "Search Endpoints By Hash - CrowdStrike",
      "description": "Deprecated. Use CrowdStrike Falcon instead.",
      "note": "Use CrowdStrike Falcon instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "Search Endpoints By Hash - Generic",
      "name": "Search Endpoints By Hash - Generic",
      "description": "Deprecated. Use the Search Endpoints By Hash - Generic V2 playbook instead. Hunt using available tools",
      "note": "Use the Search Endpoints By Hash - Generic V2 playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Tanium Demo Playbook",
      "name": "Tanium Demo Playbook",
      "description": "Deprecated. No available replacement. This playbook shows how to use automation scripts to interact with Tanium.",
      "note": "No available replacement.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "Traps Blacklist File",
      "name": "Traps Blacklist File",
      "description": "Deprecated. Use CortexXDR instead.",
      "note": "Use CortexXDR instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "Traps Isolate Endpoint",
      "name": "Traps Isolate Endpoint",
      "description": "Deprecated. Use CortexXDR instead.",
      "note": "Use CortexXDR instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "Traps Quarantine Event",
      "name": "Traps Quarantine Event",
      "description": "Deprecated. Use CortexXDR instead.",
      "note": "Use CortexXDR instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "Traps Retrieve And Download Files",
      "name": "Traps Retrieve And Download Files",
      "description": "Deprecated. Use CortexXDR instead.",
      "note": "Use CortexXDR instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "Traps Scan Endpoint",
      "name": "Traps Scan Endpoint",
      "description": "Deprecated. Use CortexXDR instead.",
      "note": "Use CortexXDR instead.",
      "maintenance_start": "Jul 01, 2022",
      "eol_start": "Jan 01, 2023"
    },
    {
      "id": "TrendMicro Malware Alert Playbook",
      "name": "TrendMicro Malware Alert Playbook",
      "description": "Deprecated. No available replacement.",
      "note": "No available replacement.",
      "maintenance_start": "Aug 01, 2022",
      "eol_start": "Feb 01, 2023"
    },
    {
      "id": "URL Enrichment - Generic",
      "name": "URL Enrichment - Generic",
      "description": "Deprecated. Use \"URL Enrichment - Generic v2\" playbook instead. Enrich URL using one or more integrations.\n\nURL enrichment includes:\n* Verify URL SSL\n* Threat information\n* URL reputation\n* Take URL screenshot",
      "note": "Use \"URL Enrichment - Generic v2\" playbook instead.",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Vulnerability Handling - Qualys",
      "name": "Vulnerability Handling - Qualys",
      "description": "Deprecated. Manage vulnerability remediation using Qualys data, and optionally enrich data with 3rd-party tools.\n\nBefore you run this playbook, run the \"Vulnerability Management - Qualys (Job)\" playbook.",
      "note": "",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Vulnerability Handling - Qualys - Add custom fields to default layout",
      "name": "Vulnerability Handling - Qualys - Add custom fields to default layout",
      "description": "Deprecated. Add information about the vulnerability and asset from the \"Vulnerability Handling - Qualys\" playbook data to the default \"Vulnerability\" layout.",
      "note": "",
      "maintenance_start": "Jun 01, 2021",
      "eol_start": "Dec 01, 2021"
    },
    {
      "id": "Vulnerability Management - Nexpose (Job)",
      "name": "Vulnerability Management - Nexpose (Job)",
      "description": "Deprecated. No available replacement. Manage assets vulnerabilities using Nexpose.\n\nThis playbook runs as a job, and by default creates incidents of type \"Vulnerability\" based on assets and vulnerabilities.\nThe incidents are created by querying Nexpose for the input assets vulnerability list.\nYou can define the minimum severity (minSeverity) that incidents are created for.\nDuplicate incidents are not created for the same asset ID and the Nexpose ID.\n\nThis playbook is a part of a series of playbooks for Nexpose vulnerability management and remediation.\nFor this series of playbooks to run successfully, create a Job and do the following:\n1. Assign this playbook to the Job\n2. Enter the relevant assets' hostnames in the playbook inputs (comma separated list).\n3. Associate the \"Vulnerability\" type incident to the \"Vulnerability Handling - Nexpose\" playbook.",
      "note": "No available replacement.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "Vulnerability Management - Qualys (Job)",
      "name": "Vulnerability Management - Qualys (Job)",
      "description": "Deprecated. Use the `Vulnerability Management - Qualys (Job) - V2` playbook instead.\nUse the latest Qualys report to manage vulnerabilities.\n\nThis playbook runs as a job, and by default creates incidents of type \"Vulnerability\" based on assets and vulnerabilities.\nThe incidents are created from the latest version of the report determined by the report timestamp.\nYou can define the minimum severity (minSeverity) that incidents are created for.\nDuplicate incidents are not created for the same asset ID and QID.\n\nThis playbook is a part of a series of playbooks for Qualys vulnerability management and remediation.\nFor this series of playbooks to run successfully, create a Job and do the following:\n1. Assign this playbook to the Job\n2. Enter the Qualys XML report name into the \"Details\" field\n3. Associate the \"Vulnerability\" type incident to the \"Vulnerability Handling - Qualys\" playbook.",
      "note": "Use the `Vulnerability Management - Qualys (Job) - V2` playbook instead.",
      "maintenance_start": "Jun 01, 2023",
      "eol_start": "Dec 01, 2023"
    },
    {
      "id": "WildFire - Detonate file",
      "name": "WildFire - Detonate file",
      "description": "Deprecated. Use WildFire - Detonate file v2 instead.",
      "note": "Use WildFire - Detonate file v2 instead.",
      "maintenance_start": "Dec 01, 2023",
      "eol_start": "Jun 01, 2024"
    },
    {
      "id": "Xpanse Incident Handling - Generic",
      "name": "Xpanse Incident Handling - Generic",
      "description": "Deprecated. Use Xpanse - Alert Handler playbook instead.\nA generic playbook for handling Xpanse issues.\nThe logic behind this playbook is to work with an internal exclusions list which will help the analyst to get to a decision or, if configured, close incidents automatically.\nThe phases of this playbook are:\n  1) Check if assets (IP, Domain or Certificate) associated with the issue are excluded in the exclusions list and optionally, close the incident automatically.\n  2) Optionally, enrich indicators and calculate the severity of the issue, using sub-playbooks.\n  3) Optionally, allow the analyst to add associated assets (IP, Domain or Certificate) to the exclusions list.\n  4) Tag associated assets.\n  5) Update the status of the issue.",
      "note": "Use Xpanse - Alert Handler playbook instead.",
      "maintenance_start": "Aug 01, 2024",
      "eol_start": "Feb 01, 2025"
    }
  ]
}