Generic Playbooks

Playbook Name
Description

Takes the email's body and header, extracting metadata from the body and URLs from the header.

Checks for changes in the list of users in the access policy. It investigates all users excluded from the access policy and creates a ticket in the Freshdesk ticketing system based on the change.

Checks for changes in the Azure conditional access policy and creates a case item based on the detected change. It can also use the API to create a ticket in the ticketing system based on the policy change.

Compares the geolocation of the access device, the authentication device, and the previously logged-in device.

Investigates a suspicious login attempt and creates a ticket in the Freshdesk ticketing system for the suspicious login.

Uses the sub-playbook Duo Fraud Investigation to investigate suspicious attempts to log in through Duo.

Takes specific information from the email's header, analyzes it, and generates a spam score. It returns the score to the parent playbook.

Analyzes the IP address using Threat Intelligence Analysis to give a verdict on the IP address and set its risk score.

Uses the Malwarebytes API for threat investigation. It scans the endpoint for potential malware and isolates the endpoint to prevent the malware from spreading through the system.

Uses Microsoft Defender for Endpoint API to investigate a threat and returns the investigation details.

Uses the Azure Active Directory API to extract user details.

Authenticates to Microsoft's API, receives a token, and uses it to fetch the mail-related information for a given mail ID.

Investigates an incident triggered by an IP address that is suspected to be a C2 server.

Analyzes the URL using ThreatIntel and VirusTotal Analysis to give a verdict on the URL and set its severity.

Used to decide whether to add the user and the activity to a permanent whitelist, to a temporary whitelist, or to neither.

Detects and investigates unusual behavior and measures the likelihood of the suspicious activity being a threat. It leverages the UEBA Triage sub-playbook to aggregate and assess data including incident ID, alert, threat type and category. It then creates response tasks and compiles the result into a report sent to your security team.

Investigates reported phishing emails by leveraging a User-Reported Phishing Investigation sub-playbook. When a user reports an email as suspected phishing, the playbook creates response tasks and compiles the results into a report sent to your security team.

Analyzes the probability of a suspected phishing attempt from a sender domain. If the email is likely phishing, this playbook investigates it. If not, the playbook stops.