Category: Playbooks

Posts

07 December / Floyd Hightower / Playbooks


10 October / Floyd Hightower / Playbooks

Store attributes for the unstructured indicator importer in the datastore.

18 September / joereese / Playbooks

Create an RSA Archer record from an incident in ThreatConnect.

18 September / joereese / Playbooks

Download and parse an RSA Archer record into a ThreatConnect incident.

04 September / joereese / Playbooks

Parse a STIX XML file from the File Post spaces app.

28 June / billdauterive / Playbooks

These playbooks allow you to define a set of keywords, in a JSON array, to search a document for. Upon ingestion of a document, the playbook will parse the documents in the specified owners for the given keywords. Should a match be found, the group name as well as the identified keywords will be added as tags on the triggering document.

20 June / Malware Utkonos / Playbooks

Reports a false positive, turns off all monitors, resets all ratings, waits 25 hours for CAL to pick up the change, and finally deletes the indicator and republishes all groups associated with the indicator.

19 June / Malware Utkonos / Playbooks

This playbook receives a webhook from a feed collector and then resets the dead hand entry in the datastore. This prevents the dead hand timer from sending a fault notification. This playbook also checks for indicator and group counts and sends an appropriate notification if groups or indicators are not collected.

19 June / Malware Utkonos / Playbooks

This playbook checks the status of a feed and sends a notification if there is a fault in the feed status.

15 June / Floyd Hightower / Playbooks

Playbook which creates a task on a given interval. This is a good starting point for automating the creation of recurring tasks in ThreatConnect.

08 June / citadelintellgenceresearch / Playbooks

This playbook is designed to verify, when a new IOC (Address, URL, Host, File, or Email Address) comes in, whether it already exists in the platform in a different owner.

06 June / Floyd Hightower / Playbooks

Given an array, this playbook sends each item in the array one at a time to another playbook. This allows you to run a playbook on each item of an array.

06 June / Malware Utkonos / Playbooks

Generate a Bro Intelligence Framework signature from an indicator.

14 May / Floyd Hightower / Playbooks

Periodically capture the content of a website and send an alert if the content changes.

30 April / Floyd Hightower / Playbooks

This playbook attempts an action until it is successful. In this sense, it is a bit like a 'pause' or 'wait' command that will wait until the given action is successful before moving on.

16 April / Floyd Hightower / Playbooks

Request a PDF from a given URL and return the text from the PDF.

16 April / Floyd Hightower / Playbooks

Request the content of the given website and return the text of the website's content.

21 March / citadelintelligenceresearch / Playbooks

This playbook presents a User Action trigger that, when pressed, will query Shodan's API for a given indicator, then pull back enrichments and store them as an attribute on said indicator.

18 March / Malware Utkonos / Playbooks

The purpose of this playbook is to check to see if a newly created host or address indicator belongs to the user's organization.

16 March / brikardtc / Playbooks

This Playbook will create a mailbox to ingest emails. When an email is sent to this mailbox, it will save the attachment and associate it with the email item that was created. It will additionally extract indicators and save them as associations to the email as well.

16 March / brikardtc / Playbooks

These 2 Playbooks will query the Recorded Future API for any alerts for the specified time period from the "Timer" in the RF Alerts Query Playbook. The secondary Playbook (RF Incident Create) will then create incidents from the Recorded Future API.

09 March / Floyd Hightower / Playbooks

This playbook redirects you to a browse screen view of all URL Indicators with the same URL path and query strings. It is triggered with a user action.

08 March / Floyd Hightower / Playbooks

Add an attribute and/or tag to all indicators associated with a given group.

08 March / Floyd Hightower / Playbooks

Read a Google Alerts RSS feed and create indicators from the links. This playbook pulls the content from an RSS feed of Google alerts, finds the URLs from the alerts, and creates those URLs as indicators in ThreatConnect.

07 March / Floyd Hightower / Playbooks

These playbooks allow users to turn the DNS on or off for all indicators associated with a group.

07 March / Floyd Hightower / Playbooks

Turn on or off the DNS for all indicators associated with a group.

05 March / Floyd Hightower / Playbooks

This playbook lets you query Cymon for an IP Address or Host.

05 March / Floyd Hightower / Playbooks

Create and copy the link to a Group in two clicks.

05 March / Floyd Hightower / Playbooks

Create and copy the link to an Indicator in two clicks.

05 March / Floyd Hightower / Playbooks

26 February / joereese / Playbooks

This Playbook template lets users detonate a file in Palo Alto Wildfire from ThreatConnect.