Intermediate
72 articles
Enable AWS S3 Bucket Versioning on Orca Alert - Workflow Template: Receive an Orca alert on an AWS S3 bucket with versioning disabled, look up the owner tag, and ask the owner or channel to enable versioning.
Offboarding Remediation with Adaptive Shield - Workflow Template: Triggered from a Slack mention; leverages Adaptive Shield's insight into SaaS applications to remediate an offboarded user's access.
Just-in-time access to Group Membership in PingOne - Workflow Template: Triggers on a Slack command where a user asks for temporary access to resources based on group membership via PingOne, with approval.
Remediate Wiz Alert on Azure VM with Open SSH Access - Teams - Workflow Template: Whenever an alert is raised on an Azure VM with SSH (port 22) open to the internet, orchestrate remediation.
Compliance - Provide temporary Device Admin to Mac users (JAMF) - Workflow Template: Receive a request over Slack for temporary assignment of admin permissions, get approval from the Security channel, and update the policy in Jamf.
Enable AWS S3 Bucket Encryption on Alert from Wiz - Workflow Template: Receive a Wiz issue on an AWS S3 bucket with encryption disabled, look up the owner tag, and ask the owner or channel to enable AES256 encryption.
Enable AWS S3 Bucket Versioning on Alert from Wiz - Workflow Template: Receive an alert from Wiz on an AWS S3 bucket with versioning disabled, look up the owner tag, and ask the owner or channel to enable versioning.
Handle Suspicious AWS Console Logins (AWS SNS) - Workflow Template: Check the source IP of the login session and verify with the user whether it is suspicious or malicious. If acknowledged, log a ticket; otherwise, remediate.
Disable and Contain a Specific User in Entra ID (ex-Azure AD) - Workflow Template: Workflow and nested workflow that can be used to disable a specific user in Entra ID when an account is compromised.
Update Jira Status/User on Device with CVE Tag (Armis) - Workflow Template: Query Armis for devices with a specific tag where a vulnerability was found in a previous workflow, and update Jira and the user on the status.
Disable a Specific User in Google Cloud Identity - Workflow Template: Workflow and nested workflow that can be used to disable a specific user in Google Cloud Identity when an account is compromised.
Handle AWS Security Group with Open SSH Access on Orca Alert - Workflow Template: Whenever an Orca alert is raised on an AWS security group with SSH open to the internet, orchestrate remediation.
Enable AWS S3 Bucket Encryption on Alert (PrismaCloud) - Workflow Template: Receive a PrismaCloud alert on an AWS S3 bucket with encryption disabled, look up the owner tag, and ask the owner or channel to enable AES256 encryption.
Analyze Files in Netskope Sandbox with Cache - Workflow Template: Submit a file using a web form to Netskope Sandbox for malware analysis.
Handle AWS S3 Bucket Allows HTTP Requests on Wiz Alert - Workflow Template: Receive an issue from Wiz on an AWS S3 bucket not being compliant, and apply a default AWS S3 bucket policy to remediate.
Add Phishing Domain to CloudFlare ZeroTrust (IntSights) - Workflow Template: Poll alerts in IntSights for high-level phishing issues, and ask a Slack channel whether the domain should be added to the Cloudflare Zero Trust list.
Remediate AWS VPC Created without Flow Logs with Orca - Workflow Template: Receive an alert on an AWS VPC created without Flow Logs. Reach out to the owner, suggest remediation, and define Flow Logs in AWS.
Remediate AWS EC2 Instance with Open SSH Access from Wiz Alert - Workflow Template: Whenever an alert is raised on an AWS EC2 instance with SSH open to the internet, orchestrate remediation.
Block Domain Finding on PerceptionPoint (IntSights) - Workflow Template: Poll alerts in IntSights for high-level phishing issues, and ask a Slack channel whether the domain should be blocked in PerceptionPoint's blocklist.
Open a TheHive case triggered by SentinelOne findings - Workflow Template: Retrieve the latest threats from SentinelOne, enrich them using third-party vendors, and open a case in TheHive with observables, tasks, and TTPs.
Request Justification of Integration from Astrix Finding - Workflow Template: Add business context to new Astrix high-risk integrations by asking the owner by email to elaborate on the purpose of the integration.
Detected RDP session from Server to External IP (Armis) - Workflow Template: Receive an event from Armis on a network policy violation, look up source/destination/user information, open a Jira ticket, and alert the user.
Add/Del (IPs/Ranges/Subnets) from Okta BlockedIpZone (Okta) - Workflow Template: Receive a Slack command to add or delete an IP, range, or subnet from the Okta BlockedIpZone; verify the IPs and get approval from an admin to update.
Hunt for specific CVE and Attempt Remediation (Armis) - Workflow Template: Query Armis for a specific CVE to look for the threat, pull information from Armis and Jamf, place the device into a Jamf patch group, and notify the user.
Just-in-time access to Group Membership in AzureAD by TEAMS - Workflow Template: Triggers on a Teams command where a user asks for temporary access to applications based on group membership via Azure AD, with approval.
Just in Time AWS Access with Slack Approval Flow (Britive) - Workflow Template: Request temporary access to AWS via Britive using Slack. Approval is via a Slack channel, with up to 8 hours of access and reminders every hour.
Advanced Upload of the Latest Recorded Future IOCs to Cybereason - Workflow Template: Pull the latest hashes, IPs, and domains above a specific risk score from Recorded Future and add them to the Cybereason reputation list.
Request User Account Unlock in JumpCloud - Workflow Template: Request an unlock of a user's account in JumpCloud by sending a Slack slash command, verifying the user and lock status.
Jira Enrichment for Hashes Found in Issue Description - Workflow Template: Enrich hashes found in a Jira issue description when a new comment containing a specific keyword is added to the issue. Triggered by Jira automation.
Add and Remove URLs from the Global Blacklist (Zscaler) - Workflow Template: Triggers from a Slack message to check a URL or remove a URL from the Zscaler Global Blacklist. On a URL check, the URL category is returned.
Isolate an AWS EC2 Instance by using tags (AWS) - Workflow Template: When a specific Key:Value tag is applied to an EC2 instance, apply an isolation security group, remove the IAM instance role, and apply a new role.
Enable Encryption on AWS S3 Bucket on Alert from Orca - Workflow Template: Receive an Orca alert on an AWS S3 bucket with encryption disabled, look up the owner tag, and ask the owner or channel to enable AES256 encryption.
Request Just-in-Time Access to SSO Applications in JumpCloud - Workflow Template: Triggers on a Slack command where a user asks for temporary access to applications based on group membership via JumpCloud, with approval.
Handle Orca Alert for IAM Role with Admin Permissions - Workflow Template: Receive an Orca alert on excessive policies/permissions attached to an IAM role, and update the owner or channel via Slack.
Request AWS Credentials Based on Jira Assignment (Britive) - Workflow Template: Receive a Slack mention for Jira-Access with a Jira issue key, and provide access via Slack to the AWS account ID listed in the Jira issue.
Notify Project Owners of 5 or more Critical Issues in Snyk - Workflow Template: Poll the projects of an organization in Snyk and create Jira issues when a project is found to have 5 or more critical issues.
Handle IAC Configuration Issues in Snyk and Notify Owner - Workflow Template: Get the latest configuration issues from projects in an organization, open a Jira issue if one does not exist, and notify the project owner.
Enable AWS S3 Bucket Versioning on Lacework Alert - Workflow Template: On an alert received from Lacework for S3 bucket versioning, pull the event and ask a Slack user or channel to enable versioning.
Handle High Level CNC Threat Detected on Network (Armis) - Workflow Template: Receive an alert from Armis on a command-and-control (CNC) DNS query, pull details about the device, open a Jira issue, and alert the channel or user via Slack/email.
Remediate Wiz Alert on Azure VM with Open SSH Access - Slack - Workflow Template: Whenever an alert is raised on an Azure VM with SSH (port 22) open to the internet, orchestrate remediation.
Remediate Alerts from Rules to External Address Adaptive Shield - Workflow Template: Remediate, via Slack, Adaptive Shield alerts generated from Outlook inboxes with email rules that forward email to external addresses.
Okta Exposed Passwords in Failed Login Attempts - Workflow Template: Uncover possibly exposed credentials in Okta when a user accidentally enters a password in the email (username) field and it is stored in clear text in the failed-login log.
Disable and Contain a Specific Compromised User in Okta - Workflow Template: Workflow and nested workflow that can be used to disable a specific user in Okta when an account is found to be compromised.
Handle AWS S3 Bucket Should Enforce HTTPS Alert from Orca - Workflow Template: Receive an Orca alert on an AWS S3 bucket not being compliant, and apply a default S3 bucket policy to remediate.
Create Exclusions on Multiple SentinelOne Sites - Workflow Template: Creates exclusions for a list of path, browser, or file-type items. Exclusions can be created in one site or in multiple sites.
Notify on Google Drive Files Containing PII Identified by BigID - Workflow Template: On a trigger from BigID on findings of files in Google Drive that contain PII, notify the file owner via Slack and open Jira issues.
Delete an IAM User Account - Workflow Template: Automates the procedure to delete or detach items from a user before deleting an IAM user account.
Detect impossible travels in Okta logins - Workflow Template: Analyzes users' successful logins from different locations within a short timeframe to detect possible impossible-travel scenarios.
Microsoft Teams Driven User Account Management Action Menu - Workflow Template: Displays a menu for user management activities such as Reset Password, Enable/Disable a User, or Get User Information.
Whitelist SHA1 Hashes on Multiple SentinelOne Sites - Workflow Template: Whitelist a list of hashes in one or multiple sites; if no site list is provided, the hashes are added to all active sites.
Handle Wiz Alert for Public Azure Container with Sensitive Data - Workflow Template: On a trigger from a Wiz alert for an Azure container containing sensitive data, ask a Slack channel or the container owner to limit public access.
Blacklist SHA1 Hashes on Multiple SentinelOne Sites - Workflow Template: Blacklist a list of hashes in one site or multiple sites; if no site list is provided, the hashes are added to all active sites.
Just-in-time access to Group Membership in AzureAD - Workflow Template: Triggers on a Slack command where a user asks for temporary access to applications based on group membership via Azure AD, with approval.
Handle Wiz Alert for Public AWS S3 Bucket with Sensitive Data - Workflow Template: On a trigger from a Wiz finding for an AWS S3 bucket containing sensitive data, ask a Slack channel or the bucket owner to limit public access.
Just-in-Time (JIT) access to Okta SSO Applications by Slack - Workflow Template: A Slack mention of "JIT-Access" allows users to ask for temporary access to applications via Okta SSO, with an approval flow via Slack.
Handle Gem Alert for NSG With Ingress From Any (0.0.0.0/0) - Workflow Template: Triggers when a rule open to the internet (ingress from 0.0.0.0/0) is created for a network security group.
Enrich SentinelOne Incident with Threat Intelligence from Intezer - Workflow Template: Triggers from a Singularity webhook on a new threat and provides threat enrichment from Intezer, with an optional live agent endpoint scan.
Threat Hunt for a Specified SHA1 Signature in SingularityXDR - Workflow Template: Receive a file signature from Slack, hunt for the signature in Singularity XDR, notify owners of the endpoint, and kick off a scan of the devices.
Analyze URLs and Files in Triage Sandbox - Workflow Template: Submits URLs to the Hatching Triage sandbox for analysis.
Create Att&ck Layer from TTP List - Workflow Template: Receives a list of TTPs and returns an ATT&CK layer in JSON and SVG formats.
Download a File from a SentinelOne Endpoint - Workflow Template: Downloads a file from a SentinelOne agent given an agent ID, a file path, and a password. The file does not need to be part of an incident.
Analyze URLs and Files in Recorded Future Sandbox - Workflow Template: Submits URLs to the Recorded Future sandbox for analysis.
Just-in-time (JIT) access to Okta Groups via Slack - Workflow Template: A Slack mention of JIT-Group allows users to ask for temporary access to Okta groups, with an approval flow via a Slack channel.
Handle Gem Alert for EC2 Instance "Write" Actions on IAM Entities - Workflow Template: Creates a snapshot of each EC2 volume when an EC2InstanceWriteActionsOnIAM alert from Gem Security is triggered.
Handle Gem Alert for Root Usage - Workflow Template: Receives an alert for recent usage of root credentials and validates it with the user through Slack.
Just-in-time access to Group Membership in Entra ID by TEAMS - Workflow Template: Triggers on a Teams command where a user asks for temporary access to applications based on group membership via Entra ID, with approval.
Just-in-time access to Group Membership in Entra ID (ex-Azure AD) - Workflow Template: Triggers on a Slack command where a user asks for temporary access to applications based on group membership via Entra ID, with approval.
Notify when a Thinkst Canary Token is triggered - Workflow Template: Triggers upon a Thinkst Canary token activation, sends a Slack notification, and opens a case with relevant data, including a static map.
Create Cases from Crowdstrike Detections found in Splunk - Workflow Template: Query Splunk for new CrowdStrike detections and create Torq cases for the detected events, including host and user details.
Create Cases from SentinelOne Events found in Azure Sentinel - Workflow Template: Search on a schedule for SentinelOne detections in Azure Sentinel and open a Torq case for each alert and threat.
Create Torq Cases from SentinelOne Threats Reported in Chronicle - Workflow Template: On a schedule, query Google Chronicle for new SentinelOne threats and open a Torq case with the relevant agent and threat details.
Query for user MFA fraud reports on Entra ID - Workflow Template: On a schedule, query the Entra ID audit logs for fraud reports from users who declined an MFA request in the Microsoft Authenticator app.
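The "Detect impossible travels in Okta logins" template above describes the detection in one sentence; the following is an added example of the underlying logic, written for this page and not taken from the template itself. It takes events in the shape of Okta System Log entries (actor, published time, outcome, client geolocation), keeps only successful sessions, sorts them per user, and flags consecutive logins whose great-circle distance divided by elapsed time exceeds a speed no commercial flight reaches. The events, the 900 km/h threshold, and the 100 km jitter floor are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sample events (not real log data) in the shape of Okta System Log
# user.session.start entries: actor, published time, outcome, client geolocation.
SAMPLE_EVENTS = [
    {"actor": {"alternateId": "alice@example.com"}, "published": "2024-03-01T09:00:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "client": {"geographicalContext": {"city": "Berlin", "geolocation": {"lat": 52.52, "lon": 13.405}}}},
    {"actor": {"alternateId": "alice@example.com"}, "published": "2024-03-01T10:30:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "client": {"geographicalContext": {"city": "Sydney", "geolocation": {"lat": -33.87, "lon": 151.21}}}},
    {"actor": {"alternateId": "bob@example.com"}, "published": "2024-03-01T08:00:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "client": {"geographicalContext": {"city": "London", "geolocation": {"lat": 51.507, "lon": -0.128}}}},
    {"actor": {"alternateId": "bob@example.com"}, "published": "2024-03-01T12:30:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "client": {"geographicalContext": {"city": "Paris", "geolocation": {"lat": 48.857, "lon": 2.352}}}},
    # A failed login from far away is ignored: only successful sessions count.
    {"actor": {"alternateId": "bob@example.com"}, "published": "2024-03-01T12:35:00.000Z",
     "outcome": {"result": "FAILURE"},
     "client": {"geographicalContext": {"city": "Tokyo", "geolocation": {"lat": 35.68, "lon": 139.69}}}},
]


@dataclass(frozen=True)
class Login:
    user: str
    at: datetime
    city: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Finding:
    user: str
    from_city: str
    to_city: str
    distance_km: float
    hours: float
    speed_kmh: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_logins(events):
    """Keep only successful sessions and flatten them into Login records."""
    logins = []
    for ev in events:
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        geo_ctx = ev["client"]["geographicalContext"]
        geo = geo_ctx["geolocation"]
        # Okta timestamps are ISO 8601 with millisecond precision and a Z suffix.
        at = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        logins.append(Login(ev["actor"]["alternateId"], at, geo_ctx.get("city", "?"), geo["lat"], geo["lon"]))
    return logins


def detect_impossible_travel(events, max_speed_kmh=900.0, min_distance_km=100.0):
    """Flag consecutive successful logins per user that imply travel faster than max_speed_kmh.

    min_distance_km suppresses GeoIP jitter between nearby points; two logins at the
    same instant from distant cities get an infinite speed rather than a ZeroDivisionError.
    """
    by_user = defaultdict(list)
    for login in parse_logins(events):
        by_user[login.user].append(login)

    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda l: l.at)
        for prev, cur in zip(logins, logins[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_distance_km:
                continue
            hours = (cur.at - prev.at).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                findings.append(Finding(user, prev.city, cur.city, dist, hours, speed))
    return findings


if __name__ == "__main__":
    for f in detect_impossible_travel(SAMPLE_EVENTS):
        print(f"{f.user}: {f.from_city} -> {f.to_city}, {f.distance_km:.0f} km in {f.hours:.1f} h "
              f"({f.speed_kmh:.0f} km/h)")
```

On the sample data only alice is flagged (Berlin to Sydney, roughly 16,000 km in 90 minutes); bob's London-to-Paris pair is well under the threshold, and his failed Tokyo attempt is never considered. In production the same comparison should be run against the user's previous successful login stored from the last poll, not only within one batch, or a two-event sequence that straddles a polling boundary is missed.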
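The "Handle AWS S3 Bucket Should Enforce HTTPS Alert from Orca" and "Handle AWS S3 Bucket Allows HTTP Requests on Wiz Alert" templates both apply "a default S3 bucket policy" to remediate. The following is an added example, not code from either template, of what that remediation has to do safely: decide whether the bucket's existing policy already denies plaintext requests, and if not, append the standard AWS Deny statement on aws:SecureTransport without discarding statements that are already there. It deliberately treats a Deny that covers only object ARNs as insufficient, because s3:ListBucket is evaluated against the bucket ARN and would still be allowed over HTTP. The bucket name and account ID are hypothetical.

```python
import json

HTTPS_ONLY_SID = "DenyInsecureTransport"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    # Only the two canonical spellings of "anyone" are accepted; anything narrower
    # (a specific account, a list) is treated as not covering all callers.
    return principal == "*" or principal == {"AWS": "*"}


def enforces_https(policy, bucket):
    """True if some Deny statement blocks all S3 actions over plain HTTP for
    both the bucket ARN and its objects (the "S3 should enforce HTTPS" check)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    needed = {bucket_arn, bucket_arn + "/*"}
    for st in _as_list((policy or {}).get("Statement")):
        if st.get("Effect") != "Deny" or not _principal_is_everyone(st.get("Principal")):
            continue
        actions = _as_list(st.get("Action"))
        if "s3:*" not in actions and "*" not in actions:
            continue
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":  # the JSON may carry "false" or false
            continue
        resources = set(_as_list(st.get("Resource")))
        if "*" in resources or needed <= resources:
            return True
    return False


def https_only_statement(bucket, sid=HTTPS_ONLY_SID):
    """The standard AWS remediation statement for a bucket that allows HTTP."""
    return {
        "Sid": sid,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def ensure_https_only(policy, bucket):
    """Return (policy, changed). Existing statements are preserved; the Deny
    statement is appended only when no equivalent one is already present."""
    if enforces_https(policy, bucket):
        return policy, False
    statements = list(_as_list((policy or {}).get("Statement")))
    # Sids must be unique within a policy; pick a free one if the default is taken.
    used = {st.get("Sid") for st in statements}
    sid, n = HTTPS_ONLY_SID, 1
    while sid in used:
        n += 1
        sid = f"{HTTPS_ONLY_SID}{n}"
    statements.append(https_only_statement(bucket, sid))
    new_policy = dict(policy or {})
    new_policy.setdefault("Version", "2012-10-17")
    new_policy["Statement"] = statements
    return new_policy, True


# Constructed sample inputs (hypothetical bucket and account ID, not real resources).
NO_POLICY = None
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": {  # a single statement given as an object, which AWS accepts
        "Sid": "AllowAccountRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::demo-bucket/*",
    },
}
# Looks like a fix but covers objects only, so ListBucket over HTTP is still allowed.
OBJECTS_ONLY_DENY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::demo-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

if __name__ == "__main__":
    for name, pol in [("none", NO_POLICY), ("read-only", READ_ONLY_POLICY), ("objects-only", OBJECTS_ONLY_DENY)]:
        fixed, changed = ensure_https_only(pol, "demo-bucket")
        print(name, "changed" if changed else "already compliant")
        print(json.dumps(fixed, indent=2))
```

The returned document is what a workflow would hand to put_bucket_policy after reading the current one with get_bucket_policy; reading first matters, because a blind put replaces the whole policy and would silently drop the account read grant in the second sample. The matcher is intentionally conservative: a Deny with an unusual principal spelling is not recognised, and the result is one redundant statement rather than a missed one.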