Intermediate

88 articles
Workflow Template: Enable AWS S3 Bucket Versioning on Orca Alert
Receive an Orca alert on an AWS S3 bucket with versioning disabled, look up the owner tag, ask the owner or channel to enable versioning.

Workflow Template: Offboarding Remediation with Adaptive Shield
Triggered from a Slack mention to leverage Adaptive Shield's insight into SaaS applications to remediate an offboarded user's access.

Workflow Template: Just-in-time access to Group Membership in PingOne
Trigger on a Slack command where a user asks for temporary access to resources based on group membership via PingOne with approval.

Workflow Template: Remediate Wiz Alert on Azure VM with Open SSH Access (Teams)
Whenever an alert is raised on an Azure VM having open access (from the internet) to SSH on port 22, orchestrate remediation.

Workflow Template: Compliance - Provide temporary Device Admin to Mac users (JAMF)
Receive a request over Slack for temporary assignment of admin permissions. Get approval from the Security channel, update the policy on Jamf.

Workflow Template: Enable AWS S3 Bucket Encryption on Alert from Wiz
Receive a Wiz issue on an AWS S3 bucket with encryption disabled, look up the owner tag, ask the owner or channel to enable AES256 encryption.

Workflow Template: Enable AWS S3 Bucket Versioning on Alert from Wiz
Receive an alert from Wiz on an AWS S3 bucket with versioning disabled, look up the owner tag, ask the owner or channel to enable versioning.

Workflow Template: Handle Suspicious AWS Console Logins (AWS SNS)
Check the source IP of the login session, verify with the user whether it is suspicious or malicious. If acknowledged, log a ticket. Otherwise, remediate.

Workflow Template: Disable and Contain a Specific User in Entra ID (ex-Azure AD)
Workflow and nested workflow that can be used to disable a specific user in Entra ID when an account is compromised.

Workflow Template: Update Jira Status/User on Device with CVE Tag (Armis)
Query Armis for devices with a specific tag where a vulnerability was found in a previous workflow and update Jira and the user on the status.

Workflow Template: Disable a Specific User in Google Cloud Identity
Workflow and nested workflow that can be used to disable a specific user in Google Cloud Identity when an account is compromised.

Workflow Template: Handle AWS Security Group with Open SSH Access on Orca Alert
Whenever an Orca alert is raised on an AWS security group with open access (from the internet) to SSH, orchestrate remediation.

Workflow Template: Enable AWS S3 Bucket Encryption on Alert (PrismaCloud)
Receive a PrismaCloud alert on an AWS S3 bucket with encryption disabled, look up the owner tag, ask the owner or channel to enable AES256 encryption.

Workflow Template: Analyze Files in Netskope Sandbox with Cache
Submit a file using a Webform to Netskope Sandbox for malware analysis.

Workflow Template: Handle AWS S3 Bucket Allows HTTP Requests on Wiz Alert
Receive an issue from Wiz on an AWS S3 bucket not being compliant, apply a default AWS S3 bucket policy to remediate.

Workflow Template: Add Phishing Domain to CloudFlare ZeroTrust (IntSights)
Poll alerts in IntSights for high-level phishing issues. Ask a Slack channel if the domain should be added to the CloudFlare Zero Trust list.

Workflow Template: Remediate AWS VPC Created without Flow Logs with Orca
Receive an alert on an AWS VPC created without Flow Logs. Reach out to the owner, suggest remediation and define Flow Logs in AWS.

Workflow Template: Remediate AWS EC2 Instance with Open SSH Access from Wiz Alert
Whenever an alert is raised on an AWS EC2 instance having open access (from the internet) for SSH, orchestrate remediation.

Workflow Template: Block Domain Finding on PerceptionPoint (IntSights)
Poll alerts in IntSights for high-level phishing issues. Ask a Slack channel if the domain should be blocked in PerceptionPoint's blocklist.

Workflow Template: Open a TheHive case triggered by SentinelOne findings
Retrieve the latest threats from SentinelOne and enrich them using third-party vendors, open a case in TheHive with observables, tasks and TTPs.

Workflow Template: Request Justification of Integration from Astrix Finding
Add business context to new Astrix high-risk integrations by asking the owner to elaborate on the purpose of the integration by email.

Workflow Template: Detected RDP session from Server to External IP (Armis)
Receive an event from Armis on a Network Policy Violation, look up source/destination/user information, open a Jira ticket and alert the user.

Workflow Template: Add/Del (IPs/Ranges/Subnets) from Okta BlockedIpZone (Okta)
Receive a Slack command to add/del an IP/range/subnet from the Okta BlockedIPZone, verify the IPs and get approval from an admin to update.

Workflow Template: Hunt for specific CVE and Attempt Remediation (Armis)
Query Armis for a specific CVE to look for threats, query information from Armis and Jamf, place the device into a Jamf patch group and notify the user.

Workflow Template: Just-in-time access to Group Membership in AzureAD by TEAMS
Triggers on a Teams command where a user asks for temporary access to applications based on group membership via Azure AD with approval.

Workflow Template: Just in Time AWS Access with Slack Approval Flow (Britive)
Request temporary access to AWS via Britive using Slack. Approval via a Slack channel and up to 8 hours of access with reminders every hour.

Workflow Template: Advanced Upload of the Latest Recorded Future IOCs to Cybereason
Pull the latest hashes, IPs and domains above a specific risk score from Recorded Future and add them to the Cybereason reputation list.

Workflow Template: Request User Account Unlock in JumpCloud
Request an unlock of a user's account in JumpCloud by sending a Slack slash command and verifying the user and lock status.

Workflow Template: Jira Enrichment for Hashes Found in Issue Description
Enrich hashes found in a Jira issue description when a new comment with a specific keyword is added to the issue. Triggered by Jira automation.

Workflow Template: Add and Remove URLs from the Global Blacklist (Zscaler)
Triggers from a Slack message to check a URL or remove a URL from the Zscaler Global Blacklist. On a check URL, the URL category is provided.

Workflow Template: Isolate an AWS EC2 Instance by using tags
When a specific Key:Value tag is applied to an EC2 instance, apply an isolation security group, remove the IAM instance role and apply a new role.

Workflow Template: Enable Encryption on AWS S3 Bucket on Alert from Orca
Receive an Orca alert on an AWS S3 bucket with encryption disabled, look up the owner tag, ask the owner or channel to enable AES256 encryption.

Workflow Template: Request Just-in-Time Access to SSO Applications in JumpCloud
Trigger on a Slack command where a user asks for temporary access to applications based on group membership via JumpCloud with approval.

Workflow Template: Handle Orca Alert for IAM Role with Admin Permissions
Receive an Orca alert on excessive policies/permissions attached to an IAM role. Update the owner or channel via Slack.

Workflow Template: Request AWS Credentials Based on Jira Assignment (Britive)
Receive a mention via Slack for Jira-Access with a Jira issue key. Provide access to the AWS account ID listed in the Jira issue via Slack.

Workflow Template: Notify Project Owners of 5 or more Critical Issues in Snyk
Poll the projects for an organization in Snyk and create Jira issues when a project is found to have 5 or more critical issues.

Workflow Template: Handle IAC Configuration Issues in Snyk and Notify Owner
Get the latest configuration issues from projects in an organization, open a Jira issue if one does not exist and notify the project owner.

Workflow Template: Enable AWS S3 Bucket Versioning on Lacework Alert
On an alert received from Lacework for S3 bucket versioning, pull the event, ask a Slack user or channel to enable versioning.

Workflow Template: Handle High Level CNC Threat Detected on Network (Armis)
Receive an alert from Armis on a CNC DNS query, pull details about the device, open a Jira issue, and alert the channel or user via Slack/Email.

Workflow Template: Remediate Wiz Alert on Azure VM with Open SSH Access (Slack)
Whenever an alert is raised on an Azure VM having open access (from the internet) to SSH on port 22, orchestrate remediation.

Workflow Template: Remediate Alerts from Rules to External Address Adaptive Shield
Remediate Adaptive Shield alerts generated from Outlook inboxes with email rules that forward email to external addresses, using Slack.

Workflow Template: Okta Exposed Passwords in Failed Login Attempts
Uncover possibly exfiltrated credentials in Okta when a user accidentally inputs a password in the email field and it is stored as clear text.

Workflow Template: Disable and Contain a Specific Compromised User in Okta
Workflow and nested workflow that can be used to disable a specific user in Okta when an account is found to be compromised.

Workflow Template: Handle AWS S3 Bucket Should Enforce HTTPS Alert from Orca
Receive an Orca alert on an AWS S3 bucket not being compliant, apply a default S3 bucket policy to remediate.

Workflow Template: Create Exclusions on Multiple SentinelOne Sites
Creates exclusions for a list of path, browser or filetype items. Exclusions can be created in one site or in multiple sites.

Workflow Template: Notify on Google Drive Files Containing PII Identified by BigID
On a trigger from BigID on findings of files in Google Drive that contain PII, notify the file owner via Slack and open Jira issues.

Workflow Template: Delete an IAM User Account
This workflow automates the procedure to delete or detach items from a user before deleting an IAM user account.

Workflow Template: Detect impossible travels in Okta logins
Analyzes users' successful logins from different locations within a short timeframe to detect possible Impossible Travel scenarios.

Workflow Template: Microsoft Teams Driven User Account Management Action Menu
Displays a menu for user management activities such as Reset Password, Enable/Disable a User or Get User Information.

Workflow Template: Whitelist SHA1 Hashes on Multiple SentinelOne Sites
Whitelist a list of hashes in one or multiple sites; if no site list is provided, the hashes are added to all active sites.

Workflow Template: Handle Wiz Alert for Public Azure Container with Sensitive Data
On a trigger from a Wiz alert for an Azure container containing sensitive data, ask a Slack channel or the container owner to limit public access.

Workflow Template: Blacklist SHA1 Hashes on Multiple SentinelOne Sites
Blacklist a list of hashes in one site or multiple sites; if no site list is provided, the hashes are added to all active sites.

Workflow Template: Just-in-time access to Group Membership in AzureAD
Trigger on a Slack command where a user asks for temporary access to applications based on group membership via Azure AD with approval.

Workflow Template: Handle Wiz Alert for Public AWS S3 Bucket with Sensitive Data
On a trigger from a Wiz finding for an AWS S3 bucket containing sensitive data, ask a Slack channel or the bucket owner to limit public access.

Workflow Template: Just-in-Time (JIT) access to Okta SSO Applications by Slack
A Slack mention of "JIT-Access" allows users to ask for temporary access to applications via Okta SSO, with an approval flow via Slack.

Workflow Template: Handle Gem Alert for NSG With Ingress From Any (0.0.0.0/0)
Workflow triggers when a rule with open access to the internet is created for a security group.

Workflow Template: Enrich SentinelOne Incident with Threat Intelligence from Intezer
Trigger from a Singularity webhook on a new threat and provide threat enrichment from Intezer with an optional Live Agent Endpoint Scan.

Workflow Template: Threat Hunt for a Specified SHA1 Signature in SingularityXDR
Receive a file signature from Slack and hunt for the signature in Singularity XDR, notify owners of the endpoint, kick off a scan of devices.

Workflow Template: Analyze URLs and Files in Triage Sandbox
This workflow submits URLs to Hatching Triage Sandbox for analysis.

Workflow Template: Create Att&ck Layer from TTP List
Receives a list of TTPs and returns an Att&ck layer in JSON and SVG formats.

Workflow Template: Download a File from a SentinelOne Endpoint
Downloads a file from a SentinelOne agent given an AgentID, a file path and a password. The file does not need to be part of an incident.

Workflow Template: Analyze URLs and Files in Recorded Future Sandbox
This workflow submits URLs to Recorded Future Sandbox for analysis.

Workflow Template: Just-in-time (JIT) access to Okta Groups via Slack
A Slack mention of JIT-Group allows users to ask for temporary access to Okta groups with an approval flow via a Slack channel.

Workflow Template: Handle Gem Alert for EC2 Instance "Write" Actions on IAM Entities
Creates a snapshot of each EC2 volume when an EC2InstanceWriteActionsOnIAM alert from Gem Security is triggered.

Workflow Template: Handle Gem Alert for Root Usage
Receives an alert for recent usage of root credentials and validates it with the user through Slack.

Workflow Template: Just-in-time access to Group Membership in Entra ID by TEAMS
Triggers on a Teams command where a user asks for temporary access to applications based on group membership via Entra ID with approval.

Workflow Template: Just-in-time access to Group Membership in Entra ID (ex-Azure AD)
Trigger on a Slack command where a user asks for temporary access to applications based on group membership via Entra ID with approval.

Workflow Template: Notify when a Thinkst Canary Token is triggered
Triggers upon a Thinkst Canary token activation, sends a Slack notification, and opens a case with relevant data, including a static map.

Workflow Template: Create Cases from Crowdstrike Detections found in Splunk
Query Splunk for new CrowdStrike detections and create Torq cases for detected events, including host and user details.

Workflow Template: Create Cases from SentinelOne Events found in Azure Sentinel
Search on a schedule for SentinelOne detections in Azure Sentinel and open a Torq case for each alert and threat.

Workflow Template: Create Torq Cases from SentinelOne Threats Reported in Chronicle
On a schedule, query Google Chronicle for new SentinelOne threats and open a Torq case with the relevant agent and threat details.

Workflow Template: Query for user MFA fraud reports on Entra ID
On a schedule, query the Entra ID audit logs for fraud reports from users who declined an MFA request in the Microsoft Authenticator app.

Workflow Template: Initial Microsoft Defender for Endpoint Case Creation
Fetch alert details by supplying an alert ID and create a case using a Field Mapper.

Workflow Template: Poll for New Microsoft Defender for Endpoint Events for Cases
Automatically pull new Microsoft Defender for Endpoint alerts on a schedule, then create cases with a field mapper.

Workflow Template: Use AI to Create Torq Case from Anvilogic Alerts
Use Anvilogic Copilot to analyze Anvilogic alerts and create cases in Torq.

Workflow Template: AI Event Triage with Anvilogic Copilot
Use Anvilogic Copilot to analyze a Threat Identifier's Event of Interest (EOI).

Workflow Template: Initial Intezer Case Creation
Takes a raw JSON alert as input to create an Intezer case using a Field Mapper.

Workflow Template: Create Intezer Case from Trigger Alert
Receives alerts from the Intezer trigger and creates a case via a field mapper. It adds Quick Actions notes and an initial runbook.

Workflow Template: Poll Microsoft Outlook on a Schedule for New Messages for Cases
Automatically pull new messages from Outlook on a schedule, extract their components, enrich observables and create cases with a field mapper.

Workflow Template: Poll for new SentinelOne Threats and Open a Torq Case
Automatically pull new SentinelOne alerts on a schedule, then create cases with a field mapper.

Workflow Template: Poll for new CrowdStrike Alerts and Open a Torq Case
Automatically pull new CrowdStrike alerts on a schedule, then deduplicate the alerts and create cases with a field mapper.

Workflow Template: Initial CrowdStrike Case Creation
Receives an alert event from CrowdStrike and creates a case in Torq using the field mapping nested workflow.

Workflow Template: Initial SentinelOne Case Creation
Receives an alert event from SentinelOne and creates a case in Torq using the field mapping nested workflow.

Workflow Template: Create Case from Microsoft Sentinel Incident
Receives alerts from the Microsoft Sentinel trigger and creates a case via a field mapper.

Workflow Template: QuickAction - Fetch a File from Device on MS Defender Endpoint
Fetches a file from a device on MS Defender Endpoint when a quick action button is pressed.

Workflow Template: Create a PDF Report for a Torq Case
Creates a PDF summary report for a Torq case.

Workflow Template: QuickAction - Run a command on a device with MS Defender Endpoint
Execute commands on a remote endpoint using Live Response.

Workflow Template: Analyze Attachment Files in Sandbox (QuickAction)
Send multiple password-protected attachments to multiple sandbox engines to be analyzed.