End-of-Life (EoL)

Export Indicators Playbooks

There are several generic playbooks and several vendor-specific playbooks you can use to process indicators.
When you run a playbook or playbook task in Quiet Mode, the task or playbook information is not written to the War Room, and inputs and outputs are not displayed in the playbook. However, errors and warnings are still written to the War Room. If you define a playbook task input that pulls from indicators, the entire playbook runs in Quiet Mode.
You should not run a query on a field that you might change in the playbook flow. For example, you shouldn’t have a playbook with the query Score:Bad and then change the indicator score as a part of the playbook.
Generic playbooks
Each generic playbook is dedicated to processing a single indicator type.
  • Process Domain Indicators
  • Process Files Indicators
  • Process IP Indicators
  • Process URL Indicators
QRadar playbooks
There is a separate QRadar playbook for each indicator type, which adds indicators of that type to QRadar, and a QRadar playbook that adds all indicators to QRadar.
  • QRadar Add Hash Indicators
  • QRadar Add IP Indicators
  • QRadar Add Domain Indicators
  • QRadar Add URL Indicators
  • QRadar Add All Indicator Types
ArcSight playbooks
There is a separate ArcSight playbook for each indicator type, which adds indicators of that type to ArcSight, and an ArcSight playbook that adds all indicators to ArcSight.
  • ArcSight Add Hash Indicators
  • ArcSight Add IP Indicators
  • ArcSight Add Domain Indicators
  • ArcSight Add URL Indicators
  • ArcSight Add All Indicator Types
