Skip to main content

Add Playbooks in Cortex XSOAR

Updated: 

Nebula has pre-built Playbooks for you to add to your Palo Alto Networks Cortex™ XSOAR console. Add these Playbooks to your console and use them as a template to create a custom Playbook.

This article details each of the Playbooks, and the incident and endpoint parameters available to you.

Add Nebula Playbooks

  1. Log into your Cortex XSOAR console.
  2. From the navigation pane, click Playbooks.
  3. In the search bar, search for Malwarebytes.
  4. Select one of the following Playbooks:
    • Malwarebytes - Isolate Endpoints: This Playbook automates the network, process, and desktop isolation of Nebula endpoints. When you run this playbook on an incident, the playbook first checks if Nebula integration is enabled, then checks and validates the endpoint info. Then the playbook isolates the endpoint based on network, process, and desktop. Each of these three isolation types are verified, and the playbook will run again if any of them fail verification. Note: An active Endpoint Detection and Response subscription is required to run this playbook.
    • Malwarebytes - Scan & Remediate Endpoints: This Playbook automates the scan and remediation of Nebula endpoints. When you run this playbook on an incident, the playbook checks the endpoint data such as IP address and hostname, begins a scan, and checks the job status before reporting detection results to Cortex XSOAR.

The following two sections show you where to find local Nebula parameters, and where you can find global parameters you can use for other integrations.

Find incident parameters

  1. In a new tab, log into Cortex XSOAR.
  2. In the navigation pane, click Incidents.
  3. Click the ID of a Nebula incident to expand the incident details.
  4. At the top-right, click the vertical ellipses drop down menu.
    2020-05-05_14-19-15.png
  5. From the drop down, select Context Data. This slides out the Context Data window.
  6. In the Context Data menu, click incident to expand the details of this incident.
  7. Scroll down and click labels to find Nebula parameter values you can use for your Nebula Playbooks.

Find endpoint parameters

Nebula provides endpoint device data which you can use for other integrations. To find this information:

  1.  In the navigation pane, click Incidents.
  2. Click the ID of a Nebula incident to expand the incident details.
  3. At the top-right, click the vertical ellipses drop down menu.
  4. From the drop down, select Context Data. This slides out the Context Data window.
  5. In the Context Data window, click Endpoint to expand device data for the endpoint.

 

Return to the table of contents.

Still have questions?

Support is available via chat, phone or by creating a ticket. You can also use our virtual assistant for guided assistance.

Learn more