Structura.io

Playbook Library

Security automation playbooks, ready to deploy

Browse 17+ pre-built playbooks connecting your SIEM, EDR, threat intel, and ticketing tools. Every playbook is a real, shippable workflow, not a stub.


17 playbooks

Incident Response | 4 actions
Splunk Incident to ServiceNow Ticket + Slack Alert
Automatically open a ServiceNow ticket and notify your security channel whenever a Splunk incident fires.
Integrations: Splunk, ServiceNow, Slack

Email Security | 8 actions
Outlook Phishing Detection with VirusTotal
Scan every inbound Outlook email for malicious URLs and attachments, delete threats, and notify Slack.
Integrations: Microsoft Outlook, VirusTotal, Slack

Email Security | 8 actions
Gmail Phishing Detection with VirusTotal
Scan incoming Gmail messages for malicious links and attachments, delete threats, and alert security.
Integrations: Gmail, VirusTotal, Slack

Endpoint Response | 4 actions
CrowdStrike Host Isolation with ServiceNow & Slack
Isolate or restore a compromised host in CrowdStrike, notify the device owner, and track it in ServiceNow.
Integrations: CrowdStrike Falcon, ServiceNow, Slack

Compliance Monitoring | 5 actions
CrowdStrike + Okta EDR Compliance Validation
Daily check that every Okta-enrolled employee has a CrowdStrike agent running on their device.
Integrations: Okta, CrowdStrike Falcon, Slack

Compliance Monitoring | 5 actions
CrowdStrike + Google Workspace EDR Compliance
Validate that CrowdStrike Falcon is installed on every Google Workspace user's device, reported daily.
Integrations: Google Workspace, CrowdStrike Falcon, Slack

Compliance Monitoring | 6 actions
CrowdStrike + Jamf Mac Fleet EDR Validation
Verify daily that every Jamf-enrolled Mac has a working CrowdStrike Falcon sensor.
Integrations: Jamf, CrowdStrike Falcon, Slack

Threat Hunting | 3 actions
CrowdStrike IOC Hunt Across Fleet
Search your entire CrowdStrike fleet for a specific Indicator of Compromise and report matches to Slack.
Integrations: CrowdStrike Falcon, Slack

Endpoint Hygiene | 6 actions
CrowdStrike Stale Sensor Cleanup
Find and remove CrowdStrike Falcon sensors inactive for over 12 hours, with Slack approval.
Integrations: CrowdStrike Falcon, Slack

Compliance Monitoring | 4 actions
SentinelOne + Okta EDR Compliance Validation
Daily check that every Okta user has a SentinelOne agent running on their device.
Integrations: Okta, SentinelOne, Slack

Compliance Monitoring | 4 actions
SentinelOne + Google Workspace Compliance
Ensure every Google Workspace user has a SentinelOne agent deployed, checked daily.
Integrations: Google Workspace, SentinelOne, Slack

Threat Intelligence | 2 actions
Universal IOC Lookup in VirusTotal
Check any hash, URL, domain, or IP against VirusTotal and return a clean verdict for analysts.
Integrations: VirusTotal

Threat Hunting | 2 actions
Suspicious File Detonation in Hybrid Analysis
Submit a suspicious file to Hybrid Analysis for sandbox detonation and return the scan job ID.
Integrations: Hybrid Analysis

Cloud Security | 5 actions
Wiz Cloud Vulnerability Triage
When Wiz detects a high-severity cloud vulnerability, notify Slack and prompt for a ServiceNow ticket.
Integrations: Wiz, Slack, ServiceNow

Incident Response | 3 actions
Datadog Incident to Jira Ticket
Automatically create a Jira ticket and notify Slack whenever Datadog Incident Management fires.
Integrations: Datadog, Jira, Slack

Email Security | 36 actions
Multi-Source Phishing Email Analysis
Analyze phishing emails with EmailRep, URLScan, and VirusTotal to produce a comprehensive threat report.
Integrations: EmailRep, URLScan.io, VirusTotal

Email Security | 59 actions
Suspicious Email Triage with EDR Correlation
Multi-tool email triage that cross-references threat intel with CrowdStrike endpoint detections.
Integrations: CrowdStrike Falcon, EmailRep, Jira, URLScan.io, VirusTotal

Don't see the playbook you need?

Deployer Workflows lets you build any playbook visually without code. Connect any SIEM, EDR, or threat intel source in minutes.

Schedule a Demo