There are no common inputs or implementation specific inputs applicable for Run Threat Look Up.

So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

• Virus Total
• Hybrid Analysis
• Security Incident Response Integration with Zscaler
• Phistank
• Metadefender
• Threatcrowd
• Have I Been Pawned?
• Crowd Strike Falcon Intelligence

There are no common inputs or implementation specific inputs applicable for Run Observable Enrichment.

So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

• MISP
• Microsoft Defender Endpoint
• Shodan
• RiskIQ
• WHOIS
• Reverse WHOIS

Sighting search takes date and time frequency as common inputs across multiple implementations of Splunk and other integrations.

This screen will be presented to the Security Analyst to capture date and time frequencies.

For integrations that don’t require these inputs, for example FireEye HX, they will be ignored. After selecting one or more implementations and providing common inputs, the Security Analyst will be able to submit the action.

• Splunk-incident Enrichment
• Carbon Black
• Elastic search
• FireEye HX
• McaFee ESM
• MSFT Defender for endpoint
• Splunk Sighting
• Qradar sighting search
• MISP

Submit to Sandbox takes different inputs for different implementations. There are no common inputs for this capability currently.

For example, when the Analyst selects Crowdstrike Falcon X Quick Scan, Crowdstrike Falcon X Windows 64, Crowdstrike Falcon X Linux, and Zscaler, the inputs vary. Crowdstrike Falcon X Quick scan and Zscaler don’t need further run time inputs. Crowdstrike Falcon X Windows 64 takes optional run time inputs that differs from Crowdstrike Falcon X Linux. So, these can be provided in screen 3 specifically against individual selected implementations as applicable.

• CrowdStrike Falcon X Sandbox Integration
• Security Incident Response Integration with Zscaler

There are no common inputs or implementation specific inputs applicable for Publish to Watchlist.

So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

There are no common inputs or implementation specific inputs applicable for Allow/Block Request.

So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

• Palo Alto Network NGFW
• Check Point NGFW
• Security Incident Response Integration with Zscaler

There are no common inputs or implementation specific inputs applicable for Get Host Details.

So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

• FireEye HX
• Microsoft Defender for Endpoint

Get File takes file name, path as common inputs. After selecting one or more implementations and providing common inputs, the Security Analyst will be able to submit the action.

There are no common inputs or implementation specific inputs applicable for Get Network Statistics. So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

• FireEye HX
• NetStat

There are no common inputs or implementation specific inputs applicable for Get Running Processes.

So, only screen 1 is presented to the Security Analyst to select one or more implementations. After selecting the implementations, the Security Analyst will be able to submit the action.

• FireEye HX
• Carbon Black
• System Command

There are no common inputs or implementation specific inputs applicable for Get Running Services.

So, only screen 1 is presented to the Analyst to select one or more implementations. After selecting the implementations, the Analyst will be able to submit the action.

Isolate Host/Un-isolate Host takes different inputs for different implementations.

There are no common inputs for this capability currently. For example, when the Analyst selects FireEye HX and Microsoft Defender for Endpoint, the inputs vary.

FireEye HX doesn’t need run time inputs. On the other hand Microsoft Defender takes inputs such as Isolation Type and Comments.

So, these can be provided in screen 3 specifically against individual selected implementations as applicable.

• FireEye HX
• Microsoft Defender Endpoint
• Carbon Black

Run Additional Actions Host takes different inputs for different implementations. There are no common inputs for this capability currently.

For example, when the Analyst selects FireEye HX Standard Investigative Details Script, FireEye HX Triage Acquisition and Crowdstrike Falcon Insight reg unload, the inputs vary.

FireEye HX Standard Investigative Details Script and FireEye HX Triage Acquisition take Comments as the input that could be different for both. Crowdstrike Falcon Insight reg unload takes Subkey as the input.

• FireEye HX
• Microsoft Defender for Endpoint
• Crowdstrike Falcon Insight