<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Playbook construction in Cortex XSOAR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/playbook-construction/m-p/483733#M770</link>
    <description>&lt;P&gt;I would like to ask the community if perhaps someone has created a playbook that takes in Snort/Suricata alert data. I am looking at creating an automated block process that will compare an IDS alert with a Threat notification from the PAN. If the src_ip, src_port, dst_ip, dst_port and timestamp match and the firewall took no action on the threat, then I will add the external src_ip to the Indicators database, make Verdict "suspicious", set Expiration Date to 30 days, add both the IDS and Threat log data to "Comments" to show the reason for the block, and tag the new entry as "block_external_ips", "ids" and "pan threat", so that it gets added to the EDL that will be picked up by the Firewall. It would be helpful if someone had an IDS-related playbook that they would be willing to share to start this process.&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
    <pubDate>Fri, 29 Apr 2022 00:13:26 GMT</pubDate>
    <dc:creator>jpadro</dc:creator>
    <dc:date>2022-04-29T00:13:26Z</dc:date>
    <item>
      <title>Playbook construction</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/playbook-construction/m-p/483733#M770</link>
      <description>&lt;P&gt;I would like to ask the community if perhaps someone has created a playbook that takes in Snort/Suricata alert data. I am looking at creating an automated block process that will compare an IDS alert with a Threat notification from the PAN. If the src_ip, src_port, dst_ip, dst_port and timestamp match and the firewall took no action on the threat, then I will add the external src_ip to the Indicators database, make Verdict "suspicious", set Expiration Date to 30 days, add both the IDS and Threat log data to "Comments" to show the reason for the block, and tag the new entry as "block_external_ips", "ids" and "pan threat", so that it gets added to the EDL that will be picked up by the Firewall. It would be helpful if someone had an IDS-related playbook that they would be willing to share to start this process.&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Fri, 29 Apr 2022 00:13:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/playbook-construction/m-p/483733#M770</guid>
      <dc:creator>jpadro</dc:creator>
      <dc:date>2022-04-29T00:13:26Z</dc:date>
    </item>
    <item>
      <title>Re: Playbook construction</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/playbook-construction/m-p/495416#M926</link>
      <description>&lt;P&gt;Hey &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/3134"&gt;@jpadro&lt;/a&gt;, this seems like something that you could also raise as a feature request in our Aha portal, to have such a playbook (or more likely something a bit more generic).&lt;/P&gt;&lt;P&gt;Our R&amp;amp;D team is always happy to receive suggestions for playbooks and other content items.&lt;/P&gt;&lt;P&gt;The portal is &lt;SPAN&gt;&lt;A href="https://xsoar.ideas.aha.io/" target="_blank"&gt;https://xsoar.ideas.aha.io/&lt;/A&gt;; make sure to be as detailed as you can, and not to share any personal information, as this is a public community.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 31 May 2022 13:12:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/playbook-construction/m-p/495416#M926</guid>
      <dc:creator>nkazinets</dc:creator>
      <dc:date>2022-05-31T13:12:26Z</dc:date>
    </item>
  </channel>
</rss>