diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Block_Software_-_Generic.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Block_Software_-_Generic.yml
new file mode 100644
index 000000000000..aa2d41da72b1
--- /dev/null
+++ b/Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Block_Software_-_Generic.yml
@@ -0,0 +1,536 @@
+id: Search And Block Software - Generic
+version: -1
+name: Search And Block Software - Generic
+description: "This playbook will search a file or process activity of a software by a given image file name. The analyst can then choose the files to block.\nThe following integrations are supported:\n\n- Cortex XDR XQL Engine \n- Microsoft Defender For Endpoint"
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: db561466-7b5a-4cea-8350-4a871a84518c
+    type: start
+    task:
+      id: db561466-7b5a-4cea-8350-4a871a84518c
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "7"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -120
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "1":
+    id: "1"
+    taskid: c1f24703-cccd-4aa8-894a-24936aeccb8f
+    type: condition
+    task:
+      id: c1f24703-cccd-4aa8-894a-24936aeccb8f
+      version: -1
+      name: Has filename and timeframe from inputs?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "2"
+      "yes":
+      - "3"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: inputs.FileName
+            iscontext: true
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: inputs.TimeFrame
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 180
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "2":
+    id: "2"
+    taskid: 1d034069-83cc-4e4b-8d6c-d2faec53535a
+    type: collection
+    task:
+      id: 1d034069-83cc-4e4b-8d6c-d2faec53535a
+      version: -1
+      name: Please provide a software name to block and a timeframe
+      type: collection
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "3"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 60,
+          "y": 350
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Please provide a software image file name
+        required: true
+        gridcolumns: []
+        defaultrows: []
+        type: shortText
+        options: []
+        optionsarg: []
+        fieldassociated: ""
+        placeholder: name.exe
+        tooltip: the software file name. NOTICE - name case is insensitive and it searches every file that contains the given image name
+        readonly: false
+      - id: "1"
+        label: ""
+        labelarg:
+          simple: Please provide a timeframe
+        required: true
+        gridcolumns: []
+        defaultrows: []
+        type: shortText
+        options: []
+        optionsarg: []
+        fieldassociated: ""
+        placeholder: 7 days
+        tooltip: 'Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.'
+        readonly: false
+      title: Please provide a software name to block and a timeframe
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "3":
+    id: "3"
+    taskid: 7b4a666f-b896-4219-81f5-6af0f8aed8f6
+    type: title
+    task:
+      id: 7b4a666f-b896-4219-81f5-6af0f8aed8f6
+      version: -1
+      name: Search And Block Software
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "4"
+      - "6"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 520
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "4":
+    id: "4"
+    taskid: 51fcc25e-607e-43af-899b-d4e19570ddd0
+    type: playbook
+    task:
+      id: 51fcc25e-607e-43af-899b-d4e19570ddd0
+      version: -1
+      name: Cortex XDR - Search And Block Software - XQL Engine
+      description: This playbook will search a file or process activity of a software by a given image file name using Cortex XDR XQL Engine. The analyst can then choose the files to block.
+      playbookName: Cortex XDR - Search And Block Software - XQL Engine
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "5"
+    scriptarguments:
+      Filename:
+        complex:
+          root: inputs.FileName
+          transformers:
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: Please provide a software name to block and a timeframe.Answers.0
+                iscontext: true
+          - operator: StringifyArray
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: '"'
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: '['
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: ']'
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: ','
+          - operator: uniq
+      TimeFrame:
+        complex:
+          root: inputs.TimeFrame
+          transformers:
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: Please provide a software name to block and a timeframe.Answers.1
+                iscontext: true
+          - operator: StringifyArray
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: '"'
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: '['
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: ']'
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: ','
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 200,
+          "y": 660
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "5":
+    id: "5"
+    taskid: 72d74415-fffc-4a35-88cc-2c11c3955b0c
+    type: title
+    task:
+      id: 72d74415-fffc-4a35-88cc-2c11c3955b0c
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 830
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "6":
+    id: "6"
+    taskid: 6c6d4e63-db04-452b-8862-29e7093753f5
+    type: playbook
+    task:
+      id: 6c6d4e63-db04-452b-8862-29e7093753f5
+      version: -1
+      name: MDE - Search And Block Software
+      description: This playbook will search a file or process activity of a software by a given image file name using Microsoft Defender For Endpoint. The analyst can then choose the files to block.
+      playbookName: MDE - Search And Block Software
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "5"
+    scriptarguments:
+      Defender Indicator Title:
+        simple: XSOAR Software Block
+      Filename:
+        complex:
+          root: inputs.FileName
+          transformers:
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: Please provide a software name to block and a timeframe.Answers.0
+                iscontext: true
+          - operator: StringifyArray
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: '"'
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: '['
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: ']'
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: ','
+          - operator: uniq
+      Indicator Expiration:
+        complex:
+          root: inputs.Indicator Expiration
+      TimeFrame:
+        complex:
+          root: inputs.TimeFrame
+          transformers:
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: Please provide a software name to block and a timeframe.Answers.1
+                iscontext: true
+          - operator: StringifyArray
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: '"'
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: '['
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: ']'
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: ','
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 700,
+          "y": 660
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "7":
+    id: "7"
+    taskid: 11d21beb-8d7b-44c3-8b16-22a685bd134d
+    type: regular
+    task:
+      id: 11d21beb-8d7b-44c3-8b16-22a685bd134d
+      version: -1
+      name: Delete Context
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "1"
+    scriptarguments:
+      key:
+        simple: Please provide a software name to block and a timeframe
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 10
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+system: true
+view: |-
+  {
+    "linkLabelsPosition": {},
+    "paper": {
+      "dimensions": {
+        "height": 1015,
+        "width": 1020,
+        "x": 60,
+        "y": -120
+      }
+    }
+  }
+inputs:
+- key: FileName
+  value: {}
+  required: false
+  description: File name to search
+  playbookInputQuery:
+- key: TimeFrame
+  value: {}
+  required: false
+  description: 'Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.'
+  playbookInputQuery:
+- key: Indicator Expiration
+  value: {}
+  required: false
+  description: 'DateTime string indicating when the indicator expires. Format: (<number> <time unit>, e.g., 12 hours, 7 days).'
+  playbookInputQuery:
+outputs: []
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Block_Software_-_Generic_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Block_Software_-_Generic_README.md
new file mode 100644
index 000000000000..3feed08e6981
--- /dev/null
+++ b/Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Block_Software_-_Generic_README.md
@@ -0,0 +1,47 @@
+This playbook will search a file or process activity of a software by a given image file name. The analyst can then choose the files to block.
+The following integrations are supported:
+
+- Cortex XDR XQL Engine 
+- Microsoft Defender For Endpoint
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* MDE - Search And Block Software
+* Cortex XDR - Search And Block Software - XQL Engine
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* DeleteContext
+
+### Commands
+
+This playbook does not use any commands.
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| FileName | File name to search |  | Optional |
+| TimeFrame | Time in relative date or range format \(for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 \+02:00 and 2021-02-01 12:34:56 \+02:00"\). The default is the last 24 hours. |  | Optional |
+| Indicator Expiration | DateTime string indicating when the indicator expires. Format: \(&lt;number&gt; &lt;time unit&gt;, e.g., 12 hours, 7 days\). |  | Optional |
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Search And Block Software - Generic](../doc_files/Search_And_Block_Software_-_Generic.png)
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Search_and_Compare_Process_Executions_-_Generic.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Search_and_Compare_Process_Executions_-_Generic.yml
new file mode 100644
index 000000000000..f09da170e79f
--- /dev/null
+++ b/Packs/CommonPlaybooks/Playbooks/playbook-Search_and_Compare_Process_Executions_-_Generic.yml
@@ -0,0 +1,283 @@
+id: Search and Compare Process Executions - Generic
+version: -1
+name: Search and Compare Process Executions - Generic
+description: |-
+  This playbook is a generic playbook that receives a process name and a command-line argument. It searches for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations:
+
+  - Cortex XDR XQL Engine
+  - Cortex XDR IR(Search executions inside XDR alerts)
+  - Microsoft Defender For Endpoint
+
+  Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+  - value: *process name*
+  - commands: *command-line arguments*
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: e4d8d0c7-56ec-4b27-8fbb-ae3a02490091
+    type: start
+    task:
+      id: e4d8d0c7-56ec-4b27-8fbb-ae3a02490091
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "15"
+      - "16"
+      - "17"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 80
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "14":
+    id: "14"
+    taskid: 6511abc4-4a61-4657-86b8-3809cbcc5dae
+    type: title
+    task:
+      id: 6511abc4-4a61-4657-86b8-3809cbcc5dae
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 400
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "15":
+    id: "15"
+    taskid: 0c2ea311-165b-48ae-8f5f-92cb5ec5e81b
+    type: playbook
+    task:
+      id: 0c2ea311-165b-48ae-8f5f-92cb5ec5e81b
+      version: -1
+      name: MDE - Search and Compare Process Executions
+      description: |-
+        This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Microsoft Defender For Endpoint" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+        Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+        - value: *process name*
+        - commands: *command-line arguments*
+      playbookName: MDE - Search and Compare Process Executions
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "14"
+    scriptarguments:
+      HuntingTimeFrame:
+        complex:
+          root: inputs.HuntingTimeFrame
+      Processes:
+        complex:
+          root: inputs.Processes
+      StringSimilarityThreshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 220
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "16":
+    id: "16"
+    taskid: 936cbb1b-fc14-42e0-80e4-9ca0bbec9f10
+    type: playbook
+    task:
+      id: 936cbb1b-fc14-42e0-80e4-9ca0bbec9f10
+      version: -1
+      name: Cortex XDR - Search and Compare Process Executions - XDR Alerts
+      description: |-
+        This playbook is a generic playbook that receives a process name and a command-line argument.  It uses the "Cortex XDR IR" integration to search for the given process executions inside XDR alerts and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+        Note: Under the "Processes" input  the playbook should receive an array that contains the following keys:
+        - value: *process name*
+        - commands: *command-line arguments*
+      playbookName: Cortex XDR - Search and Compare Process Executions - XDR Alerts
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "14"
+    scriptarguments:
+      HuntingTimeFrame:
+        complex:
+          root: inputs.HuntingTimeFrame
+      Processes:
+        complex:
+          root: inputs.Processes
+      SearchXDRAlerts:
+        complex:
+          root: inputs.SearchXDRAlerts
+      StringSimilarityThreshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+      forEach: true
+    view: |-
+      {
+        "position": {
+          "x": 40,
+          "y": 220
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "17":
+    id: "17"
+    taskid: 6246b45d-476d-4e3d-8c6a-6eccafe838ef
+    type: playbook
+    task:
+      id: 6246b45d-476d-4e3d-8c6a-6eccafe838ef
+      version: -1
+      name: Cortex XDR - Search and Compare Process Executions - XQL Engine
+      description: |-
+        This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Cortex XDR - XQL Engine" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+        Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+        - value: *process name*
+        - commands: *command-line arguments*
+      playbookName: Cortex XDR - Search and Compare Process Executions - XQL Engine
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "14"
+    scriptarguments:
+      HuntingTimeFrame:
+        complex:
+          root: inputs.HuntingTimeFrame
+      Processes:
+        complex:
+          root: inputs.Processes
+      StringSimilarityThreshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 870,
+          "y": 220
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+view: |-
+  {
+    "linkLabelsPosition": {},
+    "paper": {
+      "dimensions": {
+        "height": 385,
+        "width": 1210,
+        "x": 40,
+        "y": 80
+      }
+    }
+  }
+inputs:
+- key: Processes
+  value: {}
+  required: false
+  description: |-
+    Process name to search and command-line argument to compare. This input should receive an array that contains the following keys:
+    - value: *process name*
+    - commands: *command-line arguments*
+  playbookInputQuery:
+- key: HuntingTimeFrame
+  value:
+    simple: 7 days
+  required: false
+  description: 'Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.'
+  playbookInputQuery:
+- key: StringSimilarityThreshold
+  value:
+    simple: "0.5"
+  required: false
+  description: StringSimilarity automation threshold. A number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold.
+  playbookInputQuery:
+- key: SearchXDRAlerts
+  value: {}
+  required: false
+  description: Set to "True" if you want to hunt for processes that are part of XDR alerts
+  playbookInputQuery:
+outputs:
+- contextPath: StringSimilarity
+  description: StringSimilarity automation results.
+  type: unknown
+- contextPath: Findings
+  description: Suspicious process executions found.
+  type: unknown
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Search_and_Compare_Process_Executions_-_Generic_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Search_and_Compare_Process_Executions_-_Generic_README.md
new file mode 100644
index 000000000000..d744faab701d
--- /dev/null
+++ b/Packs/CommonPlaybooks/Playbooks/playbook-Search_and_Compare_Process_Executions_-_Generic_README.md
@@ -0,0 +1,57 @@
+This playbook is a generic playbook that receives a process name and a command-line argument. It searches for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations:
+
+- Cortex XDR XQL Engine
+- Cortex XDR IR(Search executions inside XDR alerts)
+- Microsoft Defender For Endpoint
+
+Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+- value: *process name*
+- commands: *command-line arguments*
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* MDE - Search and Compare Process Executions
+* Cortex XDR - Search and Compare Process Executions - XQL Engine
+* Cortex XDR - Search and Compare Process Executions - XDR Alerts
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+This playbook does not use any scripts.
+
+### Commands
+
+This playbook does not use any commands.
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Processes | Process name to search and command-line argument to compare. This input should receive an array that contains the following keys:<br/>- value: \*process name\*<br/>- commands: \*command-line arguments\* |  | Optional |
+| HuntingTimeFrame | Time in relative date or range format \(for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 \+02:00 and 2021-02-01 12:34:56 \+02:00"\). The default is the last 24 hours. | 7 days | Optional |
+| StringSimilarityThreshold | StringSimilarity automation threshold. A number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold. | 0.5 | Optional |
+| SearchXDRAlerts | Set to "True" if you want to hunt for processes that are part of XDR alerts |  | Optional |
+
+## Playbook Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| StringSimilarity | StringSimilarity automation results. | unknown |
+| Findings | Suspicious process executions found. | unknown |
+
+## Playbook Image
+
+---
+
+![Search and Compare Process Executions - Generic](../doc_files/Search_and_Compare_Process_Executions_-_Generic.png)
diff --git a/Packs/CommonPlaybooks/ReleaseNotes/2_4_24.md b/Packs/CommonPlaybooks/ReleaseNotes/2_4_24.md
new file mode 100644
index 000000000000..ac2f4ef18217
--- /dev/null
+++ b/Packs/CommonPlaybooks/ReleaseNotes/2_4_24.md
@@ -0,0 +1,21 @@
+
+#### Playbooks
+
+##### New: Search and Compare Process Executions - Generic
+
+- New: This playbook is a generic playbook that receives a process name and a command-line argument. It searches for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations:
+
+- Cortex XDR XQL Engine
+- Cortex XDR IR(Search executions inside XDR alerts)
+- Microsoft Defender For Endpoint
+
+Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+- value: *process name*
+- commands: *command-line arguments* (Available from Cortex XSOAR 6.9.0).
+##### New: Search And Block Software - Generic
+
+- New: This playbook will search a file or process activity of a software by a given image file name. The analyst can then choose the files to block.
+The following integrations are supported:
+
+- Cortex XDR XQL Engine 
+- Microsoft Defender For Endpoint (Available from Cortex XSOAR 6.9.0).
diff --git a/Packs/CommonPlaybooks/doc_files/Search_And_Block_Software_-_Generic.png b/Packs/CommonPlaybooks/doc_files/Search_And_Block_Software_-_Generic.png
new file mode 100644
index 000000000000..e431312cac4c
Binary files /dev/null and b/Packs/CommonPlaybooks/doc_files/Search_And_Block_Software_-_Generic.png differ
diff --git a/Packs/CommonPlaybooks/doc_files/Search_and_Compare_Process_Executions_-_Generic.png b/Packs/CommonPlaybooks/doc_files/Search_and_Compare_Process_Executions_-_Generic.png
new file mode 100644
index 000000000000..89bc28fb2387
Binary files /dev/null and b/Packs/CommonPlaybooks/doc_files/Search_and_Compare_Process_Executions_-_Generic.png differ
diff --git a/Packs/CommonPlaybooks/pack_metadata.json b/Packs/CommonPlaybooks/pack_metadata.json
index c739b67ea7bd..e1aaccf0b9f5 100644
--- a/Packs/CommonPlaybooks/pack_metadata.json
+++ b/Packs/CommonPlaybooks/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Common Playbooks",
     "description": "Frequently used playbooks pack.",
     "support": "xsoar",
-    "currentVersion": "2.4.23",
+    "currentVersion": "2.4.24",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
diff --git a/Packs/CommonTypes/.pack-ignore b/Packs/CommonTypes/.pack-ignore
index be637298a237..6c97e6c822b0 100644
--- a/Packs/CommonTypes/.pack-ignore
+++ b/Packs/CommonTypes/.pack-ignore
@@ -117,6 +117,9 @@ ignore=IF100
 [file:incidentfield-Alert_Name.json]
 ignore=IF100
 
+[file:incidentfield-Related_Alerts.json]
+ignore=IF100
+
 [file:incidentfield-Event_Descriptions.json]
 ignore=IF100
 
@@ -288,6 +291,15 @@ ignore=BA101
 [file:incidentfield-Number_Of_Found_Related_Alerts.json]
 ignore=IF100
 
+[file:incidentfield-Tool_Usage_Found.json]
+ignore=IF115
+
+[file:incidentfield-Affected_Hosts.json]
+ignore=IF115
+
+[file:incidentfield-Affected_Users.json]
+ignore=IF115
+
 [known_words]
 SysAid
 longText
@@ -314,4 +326,3 @@ mailto
 Misconfiguration
 CloudTrail
 ThreatCommand
-TLP
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Affected_Hosts.json b/Packs/CommonTypes/IncidentFields/incidentfield-Affected_Hosts.json
new file mode 100644
index 000000000000..4ee3e2058c4d
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Affected_Hosts.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "affectedhosts",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_affectedhosts",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Affected Hosts",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "tagsSelect",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Affected_Users.json b/Packs/CommonTypes/IncidentFields/incidentfield-Affected_Users.json
new file mode 100644
index 000000000000..f2c80d6c7a98
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Affected_Users.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "affectedusers",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_affectedusers",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Affected Users",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "tagsSelect",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Attack_Patterns.json b/Packs/CommonTypes/IncidentFields/incidentfield-Attack_Patterns.json
new file mode 100644
index 000000000000..53edd630625f
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Attack_Patterns.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "attackpatterns",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_attackpatterns",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Attack Patterns",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "tagsSelect",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Block_Indicators_Status.json b/Packs/CommonTypes/IncidentFields/incidentfield-Block_Indicators_Status.json
new file mode 100644
index 000000000000..e16b28702523
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Block_Indicators_Status.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "blockindicatorsstatus",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_blockindicatorsstatus",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Block Indicators Status",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "shortText",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Campaign_Name.json b/Packs/CommonTypes/IncidentFields/incidentfield-Campaign_Name.json
new file mode 100644
index 000000000000..490a09f03002
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Campaign_Name.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "campaignname",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_campaignname",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Campaign Name",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "markdown",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Custom_Query_Results.json b/Packs/CommonTypes/IncidentFields/incidentfield-Custom_Query_Results.json
new file mode 100644
index 000000000000..b446f20d51ac
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Custom_Query_Results.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "customqueryresults",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_customqueryresults",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Custom Query Results",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "markdown",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Endpoints_Details.json b/Packs/CommonTypes/IncidentFields/incidentfield-Endpoints_Details.json
new file mode 100644
index 000000000000..98dc00ef5b36
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Endpoints_Details.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "endpointsdetails",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_endpointsdetails",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Endpoints Details",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "markdown",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Related_Alerts.json b/Packs/CommonTypes/IncidentFields/incidentfield-Related_Alerts.json
new file mode 100644
index 000000000000..ba6a3a8e3f44
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Related_Alerts.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "relatedalerts",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_relatedalerts",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Related Alerts",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "markdown",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Report_Name.json b/Packs/CommonTypes/IncidentFields/incidentfield-Report_Name.json
new file mode 100644
index 000000000000..636c6a0334a7
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Report_Name.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "reportname",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_reportname",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Report Name",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "markdown",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-String_Similarity_Results.json b/Packs/CommonTypes/IncidentFields/incidentfield-String_Similarity_Results.json
new file mode 100644
index 000000000000..796a87972248
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-String_Similarity_Results.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "stringsimilarityresults",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_stringsimilarityresults",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "String Similarity Results",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "markdown",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Suspicious_Executions.json b/Packs/CommonTypes/IncidentFields/incidentfield-Suspicious_Executions.json
new file mode 100644
index 000000000000..e3177345ae8f
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Suspicious_Executions.json
@@ -0,0 +1,99 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "suspiciousexecutions",
+    "closeForm": false,
+    "columns": [
+        {
+            "displayName": "CommandLineArgument",
+            "fieldCalcScript": "",
+            "isDefault": true,
+            "isReadOnly": false,
+            "key": "commandlineargument",
+            "orgType": "shortText",
+            "required": false,
+            "script": "",
+            "selectValues": null,
+            "type": "shortText",
+            "width": 290
+        },
+        {
+            "displayName": "Hostname",
+            "fieldCalcScript": "",
+            "isDefault": true,
+            "isReadOnly": false,
+            "key": "hostname",
+            "orgType": "shortText",
+            "required": false,
+            "script": "",
+            "selectValues": null,
+            "type": "shortText",
+            "width": 230
+        },
+        {
+            "displayName": "ProcessName",
+            "fieldCalcScript": "",
+            "isDefault": true,
+            "isReadOnly": false,
+            "key": "processname",
+            "orgType": "shortText",
+            "required": false,
+            "script": "",
+            "selectValues": null,
+            "type": "shortText",
+            "width": 100
+        },
+        {
+            "displayName": "Username",
+            "fieldCalcScript": "",
+            "isDefault": true,
+            "isReadOnly": false,
+            "key": "username",
+            "orgType": "shortText",
+            "required": false,
+            "script": "",
+            "selectValues": null,
+            "type": "shortText",
+            "width": 150
+        },
+        {
+            "displayName": "Time",
+            "fieldCalcScript": "",
+            "isDefault": true,
+            "isReadOnly": false,
+            "key": "time",
+            "orgType": "shortText",
+            "required": false,
+            "script": "",
+            "selectValues": null,
+            "type": "shortText",
+            "width": 150
+        }
+    ],
+    "content": true,
+    "defaultRows": [
+        {},
+        {},
+        {}
+    ],
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_suspiciousexecutions",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Suspicious Executions",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "grid",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Suspicious_Executions_Found.json b/Packs/CommonTypes/IncidentFields/incidentfield-Suspicious_Executions_Found.json
new file mode 100644
index 000000000000..3f0f6fc9c6b9
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Suspicious_Executions_Found.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "suspiciousexecutionsfound",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_suspiciousexecutionsfound",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Suspicious Executions Found",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "markdown",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Tool_Usage_Found.json b/Packs/CommonTypes/IncidentFields/incidentfield-Tool_Usage_Found.json
new file mode 100644
index 000000000000..3b3073159343
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Tool_Usage_Found.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "toolusagefound",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_toolusagefound",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Tool Usage Found",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "tagsSelect",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Tools.json b/Packs/CommonTypes/IncidentFields/incidentfield-Tools.json
new file mode 100644
index 000000000000..ef3d343dd80f
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Tools.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "tools",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_tools",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Tools",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "tagsSelect",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Users_Details.json b/Packs/CommonTypes/IncidentFields/incidentfield-Users_Details.json
new file mode 100644
index 000000000000..832e6141123a
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Users_Details.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "usersdetails",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_usersdetails",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Users Details",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "markdown",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/Layouts/layoutscontainer-CampaignV2.json b/Packs/CommonTypes/Layouts/layoutscontainer-CampaignV2.json
index e877004f6b37..3291ae445ae2 100644
--- a/Packs/CommonTypes/Layouts/layoutscontainer-CampaignV2.json
+++ b/Packs/CommonTypes/Layouts/layoutscontainer-CampaignV2.json
@@ -1,5 +1,5 @@
 {
-    "fromVersion": "6.10.0",
+    "description": "Campaign Indicator Layout",
     "edit": {
         "sections": [
             {
@@ -254,6 +254,19 @@
                                 "sectionItemType": "button",
                                 "startCol": 0
                             },
+                            {
+                                "args": {},
+                                "buttonClass": "secondary",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 22,
+                                "id": "fcadbfd0-33b0-11ee-83bf-674adb4bd869",
+                                "index": 8,
+                                "name": "Execute Campaign Hunt",
+                                "scriptId": "HuntingFromIndicatorLayout",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
                             {
                                 "args": {
                                     "field": {
@@ -319,7 +332,7 @@
                         "items": [
                             {
                                 "dropEffect": "move",
-                                "endCol": 4,
+                                "endCol": 2,
                                 "fieldId": "description",
                                 "height": 106,
                                 "id": "3a65d1d0-d17d-11ea-b39d-69849bf59ed7",
@@ -570,5 +583,5 @@
     "name": "Campaign",
     "system": false,
     "version": -1,
-    "description": "Campaign Indicator Layout"
+    "fromVersion": "6.10.0"
 }
\ No newline at end of file
diff --git a/Packs/CommonTypes/Layouts/layoutscontainer-Intrusion_SetV2.json b/Packs/CommonTypes/Layouts/layoutscontainer-Intrusion_SetV2.json
index be90f69f643e..dd2413bead26 100644
--- a/Packs/CommonTypes/Layouts/layoutscontainer-Intrusion_SetV2.json
+++ b/Packs/CommonTypes/Layouts/layoutscontainer-Intrusion_SetV2.json
@@ -1,4 +1,5 @@
 {
+    "description": "Intrusion Set Layout",
     "edit": {
         "sections": [
             {
@@ -292,6 +293,19 @@
                                 "sectionItemType": "button",
                                 "startCol": 0
                             },
+                            {
+                                "args": {},
+                                "buttonClass": "secondary",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 44,
+                                "id": "6bc02be0-350c-11ee-9da7-693d42899c2b",
+                                "index": 11,
+                                "name": "Execute Intrusion Set hunt",
+                                "scriptId": "HuntingFromIndicatorLayout",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
                             {
                                 "args": {
                                     "field": {
@@ -660,6 +674,5 @@
     "name": "Intrusion Set",
     "system": false,
     "version": -1,
-    "description": "Intrusion Set Layout",
-	"fromVersion": "6.10.0"
+    "fromVersion": "6.10.0"
 }
\ No newline at end of file
diff --git a/Packs/CommonTypes/Layouts/layoutscontainer-MalwareV2.json b/Packs/CommonTypes/Layouts/layoutscontainer-MalwareV2.json
index f3cd0db85420..b534c8188188 100644
--- a/Packs/CommonTypes/Layouts/layoutscontainer-MalwareV2.json
+++ b/Packs/CommonTypes/Layouts/layoutscontainer-MalwareV2.json
@@ -1,19 +1,9 @@
 {
-    "id": "STIX Malware",
-    "version": -1,
-    "name": "Malware Indicator",
-    "system": false,
-    "group": "indicator",
+    "description": "Malware Indicator Layout",
     "edit": {
         "sections": [
             {
-                "name": "Basic Information",
-                "type": "basicInformationSection",
-                "isVisible": true,
-                "readOnly": false,
                 "description": "",
-                "query": null,
-                "queryType": "",
                 "fields": [
                     {
                         "fieldId": "indicator_value",
@@ -39,16 +29,16 @@
                         "fieldId": "indicator_investigationids",
                         "isVisible": true
                     }
-                ]
-            },
-            {
-                "name": "Custom fields - core",
-                "type": "",
+                ],
                 "isVisible": true,
-                "readOnly": false,
-                "description": "",
+                "name": "Basic Information",
                 "query": null,
                 "queryType": "",
+                "readOnly": false,
+                "type": "basicInformationSection"
+            },
+            {
+                "description": "",
                 "fields": [
                     {
                         "fieldId": "indicator_communitynotes",
@@ -70,16 +60,16 @@
                         "fieldId": "indicator_trafficlightprotocol",
                         "isVisible": true
                     }
-                ]
-            },
-            {
-                "name": "Custom fields - unique",
-                "type": "",
+                ],
                 "isVisible": true,
-                "readOnly": false,
-                "description": "",
+                "name": "Custom fields - core",
                 "query": null,
                 "queryType": "",
+                "readOnly": false,
+                "type": ""
+            },
+            {
+                "description": "",
                 "fields": [
                     {
                         "fieldId": "indicator_aliases",
@@ -97,10 +87,18 @@
                         "fieldId": "indicator_operatingsystemrefs",
                         "isVisible": true
                     }
-                ]
+                ],
+                "isVisible": true,
+                "name": "Custom fields - unique",
+                "query": null,
+                "queryType": "",
+                "readOnly": false,
+                "type": ""
             }
         ]
     },
+    "group": "indicator",
+    "id": "Malware Indicator",
     "indicatorsDetails": {
         "tabs": [
             {
@@ -211,7 +209,7 @@
                                 "fieldId": "trafficlightprotocol",
                                 "height": 22,
                                 "id": "1a4c65c0-7e84-11ec-ac42-5945e7ba8f6d",
-                                "index": 10,
+                                "index": 11,
                                 "sectionItemType": "field",
                                 "startCol": 0
                             },
@@ -220,7 +218,7 @@
                                 "fieldId": "tags",
                                 "height": 22,
                                 "id": "97d4e450-7e83-11ec-ac42-5945e7ba8f6d",
-                                "index": 11,
+                                "index": 12,
                                 "sectionItemType": "field",
                                 "startCol": 0
                             },
@@ -240,6 +238,19 @@
                                 "sectionItemType": "button",
                                 "startCol": 0
                             },
+                            {
+                                "args": {},
+                                "buttonClass": "secondary",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 44,
+                                "id": "48587360-350c-11ee-9da7-693d42899c2b",
+                                "index": 13,
+                                "name": "Execute Malware hunt",
+                                "scriptId": "HuntingFromIndicatorLayout",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
                             {
                                 "args": {
                                     "field": {
@@ -278,7 +289,7 @@
                             {
                                 "endCol": 2,
                                 "fieldId": "description",
-                                "height": 22,
+                                "height": 106,
                                 "id": "6ecf2770-7e86-11ec-ac42-5945e7ba8f6d",
                                 "index": 0,
                                 "sectionItemType": "field",
@@ -622,6 +633,8 @@
             }
         ]
     },
-    "fromVersion": "6.10.0",
-    "description": "Malware Indicator Layout"
+    "name": "Malware Indicator",
+    "system": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
 }
\ No newline at end of file
diff --git a/Packs/CommonTypes/ReleaseNotes/3_3_91.md b/Packs/CommonTypes/ReleaseNotes/3_3_91.md
new file mode 100644
index 000000000000..640c7fda2799
--- /dev/null
+++ b/Packs/CommonTypes/ReleaseNotes/3_3_91.md
@@ -0,0 +1,30 @@
+
+#### Incident Fields
+
+- New: **Report Name**
+- New: **Tool Usage Found**
+- New: **Suspicious Executions Found**
+- New: **Affected Users**
+- New: **Users Details**
+- New: **Custom Query Results**
+- New: **Affected Hosts**
+- New: **Tools**
+- New: **Block Indicators Status**
+- New: **String Similarity Results**
+- New: **Related Alerts**
+- New: **Campaign Name**
+- New: **Attack Patterns**
+- New: **Suspicious Executions**
+- New: **Endpoints Details**
+
+#### Layouts
+
+##### Intrusion Set
+
+- Added the 'Execute Intrusion Set Hunt' button, which is now visible upon installation of the 'Proactive Threat Hunting' pack.
+##### Campaign
+
+- Added the 'Execute Campaign Hunt' button, which is now visible upon installation of the 'Proactive Threat Hunting' pack.
+##### Malware Indicator
+
+- Added the 'Execute Malware Hunt' button, which is now visible upon installation of the 'Proactive Threat Hunting' pack.
diff --git a/Packs/CommonTypes/pack_metadata.json b/Packs/CommonTypes/pack_metadata.json
index 04542e8004cd..d9e1629593e6 100644
--- a/Packs/CommonTypes/pack_metadata.json
+++ b/Packs/CommonTypes/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Common Types",
     "description": "This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.",
     "support": "xsoar",
-    "currentVersion": "3.3.90",
+    "currentVersion": "3.3.91",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_And_Block_Software_-_XQL_Engine.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_And_Block_Software_-_XQL_Engine.yml
new file mode 100644
index 000000000000..c877b1dc6f00
--- /dev/null
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_And_Block_Software_-_XQL_Engine.yml
@@ -0,0 +1,1017 @@
+id: Cortex XDR - Search And Block Software - XQL Engine
+version: -1
+name: Cortex XDR - Search And Block Software - XQL Engine
+description: This playbook will search a file or process activity of a software by a given image file name using Cortex XDR XQL Engine. The analyst can then choose the files to block.
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: cbeb7f45-4649-4f96-84f2-5736dad91d27
+    type: start
+    task:
+      id: cbeb7f45-4649-4f96-84f2-5736dad91d27
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "29"
+      - "30"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 440,
+          "y": -160
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "3":
+    id: "3"
+    taskid: 0fd8efb5-81e4-41a2-85cf-74c85202fcb3
+    type: condition
+    task:
+      id: 0fd8efb5-81e4-41a2-85cf-74c85202fcb3
+      version: -1
+      name: Has Query Results?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "6"
+      "yes":
+      - "26"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: PaloAltoNetworksXQL.GenericQuery.results
+                accessor: filesha256
+                transformers:
+                - operator: append
+                  args:
+                    item:
+                      value:
+                        simple: ${PaloAltoNetworksXQL.GenericQuery.results.procsha256}
+                      iscontext: true
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 690,
+          "y": 510
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "4":
+    id: "4"
+    taskid: 03df075e-50a7-4db7-8d8e-56c398303518
+    type: title
+    task:
+      id: 03df075e-50a7-4db7-8d8e-56c398303518
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 440,
+          "y": 2370
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "6":
+    id: "6"
+    taskid: 966601b5-4bb5-43d6-803e-4f3db45b5713
+    type: regular
+    task:
+      id: 966601b5-4bb5-43d6-803e-4f3db45b5713
+      version: -1
+      name: delete context - XDR Results
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "21"
+    scriptarguments:
+      key:
+        simple: PaloAltoNetworksXQL
+      subplaybook:
+        simple: "yes"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 440,
+          "y": 1880
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "14":
+    id: "14"
+    taskid: b21f9224-ae7d-4b2a-8f8f-ca9baa153cff
+    type: condition
+    task:
+      id: b21f9224-ae7d-4b2a-8f8f-ca9baa153cff
+      version: -1
+      name: Has software name and timeframe from input?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "6"
+      "yes":
+      - "15"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: inputs.Filename
+            iscontext: true
+          right:
+            value: {}
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: inputs.TimeFrame
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 440,
+          "y": 160
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "15":
+    id: "15"
+    taskid: d73217e1-5008-4a40-86fa-ffdafbc3f6d2
+    type: regular
+    task:
+      id: d73217e1-5008-4a40-86fa-ffdafbc3f6d2
+      version: -1
+      name: Execute XQL query to search software
+      description: |-
+        Execute an XQL query and retrieve results of an executed XQL query API. The command will be executed every 10 seconds until results are retrieved or until a timeout error is raised.
+        When more than 1000 results are retrieved, the command will return a compressed gzipped JSON format file,
+        unless the argument 'parse_result_file_to_context' is set to true and then the results will be extracted to the context.
+      script: '|||xdr-xql-generic-query'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "3"
+    scriptarguments:
+      query:
+        simple: "config case_sensitive = false \n| dataset = xdr_data \n| filter (event_type = ENUM.FILE and event_sub_type = ENUM.FILE_WRITE) or (event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START)\n| filter action_process_image_name contains \"${inputs.Filename}\" or action_file_name contains \"${inputs.Filename}\"\n| fields action_process_image_name as procname, action_process_image_sha256 as procsha256, action_process_image_path as procpath, action_file_name as filename, action_file_sha256 as filesha256, action_file_path as filepath, event_type as eventtype, event_sub_type as event_sub_type, action_process_image_md5 as procmd5, action_file_md5 as filemd5"
+      query_name:
+        simple: hunt
+      time_frame:
+        complex:
+          root: inputs.TimeFrame
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 690,
+          "y": 340
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "16":
+    id: "16"
+    taskid: 5e5e7260-277b-4ec0-8181-b57681ca3389
+    type: collection
+    task:
+      id: 5e5e7260-277b-4ec0-8181-b57681ca3389
+      version: -1
+      name: Would you like to block the files found?
+      type: collection
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "17"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 920,
+          "y": 840
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Would you like to block the files found?
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: singleSelect
+        options: []
+        optionsarg:
+        - simple: Yes - All
+        - simple: Yes - Choose specific files
+        - simple: "No"
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      title: Would you like to block the files found?
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "17":
+    id: "17"
+    taskid: d84b8688-535b-4259-864d-9e0f37f31409
+    type: condition
+    task:
+      id: d84b8688-535b-4259-864d-9e0f37f31409
+      version: -1
+      name: Block the files?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "6"
+      Yes - All:
+      - "19"
+      Yes - Choose specific files:
+      - "18"
+    separatecontext: false
+    conditions:
+    - label: Yes - All
+      condition:
+      - - operator: isEqualString
+          left:
+            value:
+              complex:
+                root: Would you like to block the files found?.Answers
+                accessor: "0"
+            iscontext: true
+          right:
+            value:
+              simple: Yes - All
+          ignorecase: true
+    - label: Yes - Choose specific files
+      condition:
+      - - operator: isEqualString
+          left:
+            value:
+              complex:
+                root: Would you like to block the files found?.Answers
+                accessor: "0"
+            iscontext: true
+          right:
+            value:
+              simple: Yes - Choose specific files
+          ignorecase: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 920,
+          "y": 1010
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "18":
+    id: "18"
+    taskid: 6ddfccf7-f21d-4fec-8b81-7ac7bf8bd5e0
+    type: collection
+    task:
+      id: 6ddfccf7-f21d-4fec-8b81-7ac7bf8bd5e0
+      version: -1
+      name: Choose specific files to block
+      type: collection
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "24"
+      - "25"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1350,
+          "y": 1190
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Choose specific files to block
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: multiSelect
+        options: []
+        optionsarg:
+        - complex:
+            root: PaloAltoNetworksXQL.GenericQuery.results
+            filters:
+            - - operator: isNotEmpty
+                left:
+                  value:
+                    simple: PaloAltoNetworksXQL.GenericQuery.results.filesha256
+                  iscontext: true
+            accessor: filepath
+        - complex:
+            root: PaloAltoNetworksXQL.GenericQuery.results
+            filters:
+            - - operator: isNotEmpty
+                left:
+                  value:
+                    simple: PaloAltoNetworksXQL.GenericQuery.results.procsha256
+                  iscontext: true
+            accessor: procpath
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      title: Choose specific files to block
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "19":
+    id: "19"
+    taskid: 5ba53350-4d22-48e9-89ca-3659f8a9c7f9
+    type: regular
+    task:
+      id: 5ba53350-4d22-48e9-89ca-3659f8a9c7f9
+      version: -1
+      name: Set Indicators To Block
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "28"
+    scriptarguments:
+      key:
+        simple: IndicatorsToBlock
+      value:
+        complex:
+          root: PaloAltoNetworksXQL.GenericQuery.results
+          accessor: filesha256
+          transformers:
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: PaloAltoNetworksXQL.GenericQuery.results.procsha256
+                iscontext: true
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 920,
+          "y": 1190
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "21":
+    id: "21"
+    taskid: 1c33e0da-582b-42de-8b62-1bd2e406abd3
+    type: regular
+    task:
+      id: 1c33e0da-582b-42de-8b62-1bd2e406abd3
+      version: -1
+      name: delete context - Indicators To block
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "27"
+    scriptarguments:
+      key:
+        simple: PaloAltoNetworksXQL
+      subplaybook:
+        simple: "yes"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 440,
+          "y": 2045
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "22":
+    id: "22"
+    taskid: 23a2fb4f-b065-4699-8d77-8e7d0a3f4947
+    type: regular
+    task:
+      id: 23a2fb4f-b065-4699-8d77-8e7d0a3f4947
+      version: -1
+      name: Set Indicators To Block - Files
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "28"
+    scriptarguments:
+      append:
+        simple: "true"
+      key:
+        simple: IndicatorsToBlock
+      value:
+        complex:
+          root: PaloAltoNetworksXQL.GenericQuery.results
+          filters:
+          - - operator: in
+              left:
+                value:
+                  simple: PaloAltoNetworksXQL.GenericQuery.results.filepath
+                iscontext: true
+              right:
+                value:
+                  simple: Choose specific files to block.Answers.0
+                iscontext: true
+          accessor: filesha256
+          transformers:
+          - operator: uniq
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1820,
+          "y": 1530
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "23":
+    id: "23"
+    taskid: bc8c5f97-2667-47fa-8333-6ebd3c7fc0f6
+    type: regular
+    task:
+      id: bc8c5f97-2667-47fa-8333-6ebd3c7fc0f6
+      version: -1
+      name: Set Indicators To Block - Process
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "28"
+    scriptarguments:
+      append:
+        simple: "true"
+      key:
+        simple: IndicatorsToBlock
+      value:
+        complex:
+          root: PaloAltoNetworksXQL.GenericQuery.results
+          filters:
+          - - operator: in
+              left:
+                value:
+                  simple: PaloAltoNetworksXQL.GenericQuery.results.procpath
+                iscontext: true
+              right:
+                value:
+                  simple: Choose specific files to block.Answers.0
+                iscontext: true
+          accessor: procsha256
+          transformers:
+          - operator: uniq
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1350,
+          "y": 1530
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "24":
+    id: "24"
+    taskid: c6bbff42-e2df-49c3-8b73-6b3f0603188a
+    type: condition
+    task:
+      id: c6bbff42-e2df-49c3-8b73-6b3f0603188a
+      version: -1
+      name: has relevant files to block
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "28"
+      "yes":
+      - "23"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: PaloAltoNetworksXQL.GenericQuery.results
+                filters:
+                - - operator: in
+                    left:
+                      value:
+                        simple: PaloAltoNetworksXQL.GenericQuery.results.procpath
+                      iscontext: true
+                    right:
+                      value:
+                        simple: Choose specific files to block.Answers.0
+                      iscontext: true
+                accessor: procsha256
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1350,
+          "y": 1350
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "25":
+    id: "25"
+    taskid: 09683597-6525-4cc0-82b7-9777d26c51ef
+    type: condition
+    task:
+      id: 09683597-6525-4cc0-82b7-9777d26c51ef
+      version: -1
+      name: has relevant files to block
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "28"
+      "yes":
+      - "22"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: PaloAltoNetworksXQL.GenericQuery.results
+                filters:
+                - - operator: in
+                    left:
+                      value:
+                        simple: PaloAltoNetworksXQL.GenericQuery.results.filepath
+                      iscontext: true
+                    right:
+                      value:
+                        simple: Choose specific files to block.Answers.0
+                      iscontext: true
+                accessor: filesha256
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1820,
+          "y": 1360
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "26":
+    id: "26"
+    taskid: 391d4c59-dc10-4cdc-8240-7df0d498eb74
+    type: regular
+    task:
+      id: 391d4c59-dc10-4cdc-8240-7df0d498eb74
+      version: -1
+      name: Set query results to layout
+      description: Accepts a JSON object and returns a markdown.
+      scriptName: JsonToTable
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "16"
+    scriptarguments:
+      extend-context:
+        simple: customquerymarkdown=
+      value:
+        complex:
+          root: PaloAltoNetworksXQL.GenericQuery
+          accessor: results
+          transformers:
+          - operator: RemoveEmpty
+            args:
+              empty_values:
+                value:
+                  simple: FALSE,null,UNKNOWN,NO
+              remove_keys:
+                value:
+                  simple: "true"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 920,
+          "y": 680
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Custom Query Results
+      output:
+        simple: ${customquerymarkdown}
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "27":
+    id: "27"
+    taskid: 3eab99a0-518e-403b-89e4-55af1d2b7741
+    type: regular
+    task:
+      id: 3eab99a0-518e-403b-89e4-55af1d2b7741
+      version: -1
+      name: Delete context - markdown
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "4"
+    scriptarguments:
+      key:
+        simple: customquerymarkdown
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 440,
+          "y": 2210
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "28":
+    id: "28"
+    taskid: 67f2a88b-19c8-4e19-8bb8-e0080da47105
+    type: playbook
+    task:
+      id: 67f2a88b-19c8-4e19-8bb8-e0080da47105
+      version: -1
+      name: Cortex XDR - Block File
+      description: Use this playbook to add files to the Cortex XDR block list with a given SHA256 file playbook input.
+      playbookName: Cortex XDR - Block File
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "6"
+    scriptarguments:
+      HashList:
+        complex:
+          root: IndicatorsToBlock
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 920,
+          "y": 1700
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "29":
+    id: "29"
+    taskid: 64e27d12-e594-4939-8eeb-d32ba9a031eb
+    type: regular
+    task:
+      id: 64e27d12-e594-4939-8eeb-d32ba9a031eb
+      version: -1
+      name: Delete context to avoid duplications - customquerymarkdown
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "14"
+    scriptarguments:
+      key:
+        simple: customquerymarkdown
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 640,
+          "y": -20
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "30":
+    id: "30"
+    taskid: fefa53d3-b2cb-4858-802d-503b88a8fbad
+    type: regular
+    task:
+      id: fefa53d3-b2cb-4858-802d-503b88a8fbad
+      version: -1
+      name: Delete context to avoid duplications - PaloAltoNetworksXQL
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "14"
+    scriptarguments:
+      key:
+        simple: PaloAltoNetworksXQL
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 240,
+          "y": -20
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+system: true
+view: |-
+  {
+    "linkLabelsPosition": {
+      "14_6_#default#": 0.14,
+      "17_18_Yes - Choose specific files": 0.52,
+      "17_6_#default#": 0.25,
+      "24_28_#default#": 0.54,
+      "25_28_#default#": 0.25,
+      "3_26_yes": 0.54,
+      "3_6_#default#": 0.15
+    },
+    "paper": {
+      "dimensions": {
+        "height": 2595,
+        "width": 1960,
+        "x": 240,
+        "y": -160
+      }
+    }
+  }
+inputs:
+- key: Filename
+  value: {}
+  required: false
+  description: File name to search.
+  playbookInputQuery:
+- key: TimeFrame
+  value: {}
+  required: false
+  description: 'Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.'
+  playbookInputQuery:
+outputs: []
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_And_Block_Software_-_XQL_Engine_README.md b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_And_Block_Software_-_XQL_Engine_README.md
new file mode 100644
index 000000000000..3220aab8956e
--- /dev/null
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_And_Block_Software_-_XQL_Engine_README.md
@@ -0,0 +1,43 @@
+This playbook will search a file or process activity of a software by a given image file name using Cortex XDR XQL Engine. The analyst can then choose the files to block.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* Cortex XDR - Block File
+
+### Integrations
+
+* XQLQueryingEngine
+
+### Scripts
+
+* DeleteContext
+* JsonToTable
+* Set
+
+### Commands
+
+* xdr-xql-generic-query
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Filename | File name to search. |  | Optional |
+| TimeFrame | Time in relative date or range format \(for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 \+02:00 and 2021-02-01 12:34:56 \+02:00"\). The default is the last 24 hours. |  | Optional |
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Cortex XDR - Search And Block Software - XQL Engine](../doc_files/Cortex_XDR_-_Search_And_Block_Software_-_XQL_Engine.png)
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XDR_Alerts.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XDR_Alerts.yml
new file mode 100644
index 000000000000..39491a42e06b
--- /dev/null
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XDR_Alerts.yml
@@ -0,0 +1,546 @@
+id: Cortex XDR - Search and Compare Process Executions - XDR Alerts
+version: -1
+name: Cortex XDR - Search and Compare Process Executions - XDR Alerts
+description: |-
+  This playbook is a generic playbook that receives a process name and command-line argument. It uses the "Cortex XDR IR" integration to search for the given process executions inside XDR alerts and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+  Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+  - value: *process name*
+  - commands: *command-line arguments*.
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: 0b1278a9-d159-4368-81bd-87b54235e6e4
+    type: start
+    task:
+      id: 0b1278a9-d159-4368-81bd-87b54235e6e4
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "12"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -100
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "1":
+    id: "1"
+    taskid: 2451adba-d137-46b8-8231-87a851c10d5c
+    type: regular
+    task:
+      id: 2451adba-d137-46b8-8231-87a851c10d5c
+      version: -1
+      name: Set process to search
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "15"
+    scriptarguments:
+      key:
+        simple: ProcessToSearch
+      value:
+        complex:
+          root: inputs.Processes
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 780,
+          "y": 200
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "3":
+    id: "3"
+    taskid: b5b4a3bf-3c7d-4687-8e48-d8fb4246ac35
+    type: condition
+    task:
+      id: b5b4a3bf-3c7d-4687-8e48-d8fb4246ac35
+      version: -1
+      name: Relevant alerts found?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "6"
+      "yes":
+      - "5"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: PaloAltoNetworksXDR.Alert
+                accessor: alert_name
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 780,
+          "y": 530
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "4":
+    id: "4"
+    taskid: 23befe5c-207a-406d-800b-2fa28cec5eea
+    type: title
+    task:
+      id: 23befe5c-207a-406d-800b-2fa28cec5eea
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 1390
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "5":
+    id: "5"
+    taskid: 649283f9-b276-40ab-8f6f-6aa721139ee6
+    type: regular
+    task:
+      id: 649283f9-b276-40ab-8f6f-6aa721139ee6
+      version: -1
+      name: Compare results with the given command-line patterns
+      description: This automation calculates the similarity ratio between text and a list of strings and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common).
+      scriptName: StringSimilarity
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "7"
+    scriptarguments:
+      similarity_threshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+      similiarity_threshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+      string_A:
+        complex:
+          root: PaloAltoNetworksXDR.Alert
+          accessor: actor_process_command_line
+          transformers:
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: PaloAltoNetworksXDR.Alert.action_process_image_command_line
+                iscontext: true
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: PaloAltoNetworksXDR.Alert.causality_actor_process_command_line
+                iscontext: true
+          - operator: uniq
+      string_B:
+        complex:
+          root: ProcessToSearch
+          accessor: commands
+          transformers:
+          - operator: uniq
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1100,
+          "y": 700
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "6":
+    id: "6"
+    taskid: 53d53c6c-d595-49fb-8f1c-18b1be64669b
+    type: regular
+    task:
+      id: 53d53c6c-d595-49fb-8f1c-18b1be64669b
+      version: -1
+      name: delete context
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "4"
+    scriptarguments:
+      key:
+        simple: PaloAltoNetworksXQL
+      subplaybook:
+        simple: "yes"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 780,
+          "y": 1220
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "7":
+    id: "7"
+    taskid: 2f2f1d1e-045b-4f4e-8a9a-dff7bf3caff7
+    type: condition
+    task:
+      id: 2f2f1d1e-045b-4f4e-8a9a-dff7bf3caff7
+      version: -1
+      name: Execution is suspicious?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "6"
+      "yes":
+      - "11"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: containsGeneral
+          left:
+            value:
+              complex:
+                root: StringSimilarity
+                accessor: StringA
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1100,
+          "y": 860
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "11":
+    id: "11"
+    taskid: c9e637c7-6530-464d-8585-355124ad2f7c
+    type: regular
+    task:
+      id: c9e637c7-6530-464d-8585-355124ad2f7c
+      version: -1
+      name: Set findings
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "6"
+    scriptarguments:
+      append:
+        simple: "true"
+      key:
+        simple: Findings
+      value:
+        complex:
+          root: PaloAltoNetworksXDR
+          accessor: Alert
+          transformers:
+          - operator: RemoveEmpty
+            args:
+              empty_values: {}
+              remove_keys:
+                value:
+                  simple: "true"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1100,
+          "y": 1050
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Tool Usage Found
+      output:
+        complex:
+          root: PaloAltoNetworksXDR.Alert
+          accessor: action_process_image_name
+    - incidentfield: Affected Hosts
+      output:
+        complex:
+          root: PaloAltoNetworksXDR.Alert
+          accessor: agent_hostname
+    - incidentfield: Affected Users
+      output:
+        complex:
+          root: PaloAltoNetworksXDR.Alert
+          accessor: actor_effective_username
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "12":
+    id: "12"
+    taskid: 4aa1117d-facd-42f5-8534-43753d47464f
+    type: condition
+    task:
+      id: 4aa1117d-facd-42f5-8534-43753d47464f
+      version: -1
+      name: Can processes be searched?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "4"
+      "yes":
+      - "1"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isExists
+          left:
+            value:
+              complex:
+                root: modules
+                filters:
+                - - operator: isEqualString
+                    left:
+                      value:
+                        simple: modules.brand
+                      iscontext: true
+                    right:
+                      value:
+                        simple: Cortex XDR - IR
+                    ignorecase: true
+                - - operator: isEqualString
+                    left:
+                      value:
+                        simple: modules.state
+                      iscontext: true
+                    right:
+                      value:
+                        simple: active
+                    ignorecase: true
+                accessor: brand
+            iscontext: true
+          right:
+            value: {}
+      - - operator: isEqualString
+          left:
+            value:
+              complex:
+                root: inputs.SearchXDRAlerts
+            iscontext: true
+          right:
+            value:
+              simple: "True"
+          ignorecase: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 30
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "15":
+    id: "15"
+    taskid: 77700ad1-d978-4c79-8743-0bbccf9fcc75
+    type: regular
+    task:
+      id: 77700ad1-d978-4c79-8743-0bbccf9fcc75
+      version: -1
+      name: Search alerts that contains the given process executions
+      description: "Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. \nMultiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value."
+      script: '|||xdr-get-alerts'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "3"
+    scriptarguments:
+      custom_filter:
+        simple: |-
+          {
+                          "OR": [
+                              {
+                                  "SEARCH_FIELD": "actor_process_image_name",
+                                  "SEARCH_TYPE": "EQ",
+                                  "SEARCH_VALUE": "${ProcessToSearch.value}"
+                              },
+                              {
+                                  "SEARCH_FIELD": "action_process_image_name",
+                                  "SEARCH_TYPE": "EQ",
+                                  "SEARCH_VALUE": "${ProcessToSearch.value}"
+                              },
+                              {
+                                  "SEARCH_FIELD": "causality_actor_process_image_name",
+                                  "SEARCH_TYPE": "EQ",
+                                  "SEARCH_VALUE": "${ProcessToSearch.value}"
+                              }
+                          ]
+                      }
+      time_frame:
+        complex:
+          root: inputs.HuntingTimeFrame
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 780,
+          "y": 370
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+view: |-
+  {
+    "linkLabelsPosition": {
+      "3_6_#default#": 0.26,
+      "7_6_#default#": 0.57
+    },
+    "paper": {
+      "dimensions": {
+        "height": 1555,
+        "width": 1030,
+        "x": 450,
+        "y": -100
+      }
+    }
+  }
+inputs:
+- key: Processes
+  value: {}
+  required: false
+  description: |-
+    Process name to search and command-line argument to compare. This input should receive an array that contains the following keys:
+    - value: *process name*
+    - commands: *command-line arguments*
+  playbookInputQuery:
+- key: HuntingTimeFrame
+  value:
+    simple: 7 Days
+  required: false
+  description: 'Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.'
+  playbookInputQuery:
+- key: StringSimilarityThreshold
+  value:
+    simple: "0.5"
+  required: false
+  description: StringSimilarity automation threshold. A number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold.
+  playbookInputQuery:
+- key: SearchXDRAlerts
+  value: {}
+  required: false
+  description: Set to "True" if you want to hunt for processes that are part of XDR alerts
+  playbookInputQuery:
+outputs:
+- contextPath: StringSimilarity
+  description: StringSimilarity automation results.
+  type: unknown
+- contextPath: Findings
+  description: Suspicious process executions found.
+  type: unknown
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XDR_Alerts_README.md b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XDR_Alerts_README.md
new file mode 100644
index 000000000000..89589635b650
--- /dev/null
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XDR_Alerts_README.md
@@ -0,0 +1,53 @@
+This playbook is a generic playbook that receives a process name and command-line argument. It uses the "Cortex XDR IR" integration to search for the given process executions inside XDR alerts and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+- value: *process name*
+- commands: *command-line arguments*.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+* CortexXDRIR
+
+### Scripts
+
+* StringSimilarity
+* Set
+* DeleteContext
+
+### Commands
+
+* xdr-get-alerts
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Processes | Process name to search and command-line argument to compare. This input should receive an array that contains the following keys:<br/>- value: \*process name\*<br/>- commands: \*command-line arguments\* |  | Optional |
+| HuntingTimeFrame | Time in relative date or range format \(for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 \+02:00 and 2021-02-01 12:34:56 \+02:00"\). The default is the last 24 hours. | 7 Days | Optional |
+| StringSimilarityThreshold | StringSimilarity automation threshold. A number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold. | 0.5 | Optional |
+| SearchXDRAlerts | Set to "True" if you want to hunt for processes that are part of XDR alerts |  | Optional |
+
+## Playbook Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| StringSimilarity | StringSimilarity automation results. | unknown |
+| Findings | Suspicious process executions found. | unknown |
+
+## Playbook Image
+
+---
+
+![Cortex XDR - Search and Compare Process Executions - XDR Alerts](../doc_files/Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XDR_Alerts.png)
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XQL_Engine.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XQL_Engine.yml
new file mode 100644
index 000000000000..d95d1a17abc9
--- /dev/null
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XQL_Engine.yml
@@ -0,0 +1,577 @@
+id: Cortex XDR - Search and Compare Process Executions - XQL Engine
+version: -1
+name: Cortex XDR - Search and Compare Process Executions - XQL Engine
+description: |-
+  This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Cortex XDR - XQL Engine" integration to search for the given process executions and compare the command-line argument from the results to the command-line argument received from the playbook input.
+
+  Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+  - value: *process name*
+  - commands: *command-line arguments*
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: 92eff83b-1cfb-4e55-875d-efd9c64debde
+    type: start
+    task:
+      id: 92eff83b-1cfb-4e55-875d-efd9c64debde
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "12"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -100
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "1":
+    id: "1"
+    taskid: e169c8b6-fc4d-456c-8327-eea2ba7b1cfa
+    type: regular
+    task:
+      id: e169c8b6-fc4d-456c-8327-eea2ba7b1cfa
+      version: -1
+      name: Set process to search
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "13"
+    scriptarguments:
+      key:
+        simple: ProcessToSearch
+      value:
+        complex:
+          root: inputs.Processes
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 780,
+          "y": 200
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "3":
+    id: "3"
+    taskid: 247e6298-919d-4fce-8e68-f98cc3e080a1
+    type: condition
+    task:
+      id: 247e6298-919d-4fce-8e68-f98cc3e080a1
+      version: -1
+      name: Has query results?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "6"
+      "yes":
+      - "5"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: PaloAltoNetworksXQL.GenericQuery.results
+                accessor: cmd
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 780,
+          "y": 530
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "4":
+    id: "4"
+    taskid: c1e49ce0-5cfc-46ec-82c4-dc3a28b64dd7
+    type: title
+    task:
+      id: c1e49ce0-5cfc-46ec-82c4-dc3a28b64dd7
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 1390
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "5":
+    id: "5"
+    taskid: 663d69c0-4c90-4690-80d4-f54ff8b59a5f
+    type: regular
+    task:
+      id: 663d69c0-4c90-4690-80d4-f54ff8b59a5f
+      version: -1
+      name: Compare query results to given command-line patterns
+      description: This automation calculates the similarity ratio between text and a list of strings and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common).
+      scriptName: StringSimilarity
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "7"
+    scriptarguments:
+      similarity_threshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+      similiarity_threshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+      string_A:
+        complex:
+          root: PaloAltoNetworksXQL.GenericQuery.results
+          accessor: cmd
+          transformers:
+          - operator: uniq
+      string_B:
+        complex:
+          root: ProcessToSearch
+          accessor: commands
+          transformers:
+          - operator: uniq
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1100,
+          "y": 700
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "6":
+    id: "6"
+    taskid: 8466e3c1-e48a-4093-8236-25689e23cb59
+    type: regular
+    task:
+      id: 8466e3c1-e48a-4093-8236-25689e23cb59
+      version: -1
+      name: Delete context
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "4"
+    scriptarguments:
+      key:
+        simple: PaloAltoNetworksXQL
+      subplaybook:
+        simple: "yes"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 780,
+          "y": 1210
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "7":
+    id: "7"
+    taskid: 7243e1ff-bbc2-4958-8f6a-7d2c931e556f
+    type: condition
+    task:
+      id: 7243e1ff-bbc2-4958-8f6a-7d2c931e556f
+      version: -1
+      name: Execution is suspicious?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "6"
+      "yes":
+      - "11"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: StringSimilarity
+                accessor: StringA
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1100,
+          "y": 860
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "11":
+    id: "11"
+    taskid: 38361085-b772-49bf-8d5d-b11f3ebab915
+    type: regular
+    task:
+      id: 38361085-b772-49bf-8d5d-b11f3ebab915
+      version: -1
+      name: Set findings
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "6"
+    scriptarguments:
+      append:
+        simple: "true"
+      key:
+        simple: Findings
+      value:
+        complex:
+          root: PaloAltoNetworksXQL.GenericQuery.results
+          filters:
+          - - operator: in
+              left:
+                value:
+                  simple: PaloAltoNetworksXQL.GenericQuery.results.cmd
+                iscontext: true
+              right:
+                value:
+                  simple: StringSimilarity.StringA
+                iscontext: true
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1100,
+          "y": 1040
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Tool Usage Found
+      output:
+        complex:
+          root: PaloAltoNetworksXQL.GenericQuery.results
+          filters:
+          - - operator: in
+              left:
+                value:
+                  simple: PaloAltoNetworksXQL.GenericQuery.results.cmd
+                iscontext: true
+              right:
+                value:
+                  simple: StringSimilarity.StringA
+                iscontext: true
+              ignorecase: true
+          accessor: processname
+    - incidentfield: Affected Hosts
+      output:
+        complex:
+          root: PaloAltoNetworksXQL.GenericQuery.results
+          filters:
+          - - operator: in
+              left:
+                value:
+                  simple: PaloAltoNetworksXQL.GenericQuery.results.cmd
+                iscontext: true
+              right:
+                value:
+                  simple: StringSimilarity.StringA
+                iscontext: true
+              ignorecase: true
+          accessor: hostname
+    - incidentfield: Affected Users
+      output:
+        complex:
+          root: PaloAltoNetworksXQL.GenericQuery.results
+          filters:
+          - - operator: in
+              left:
+                value:
+                  simple: PaloAltoNetworksXQL.GenericQuery.results.cmd
+                iscontext: true
+              right:
+                value:
+                  simple: StringSimilarity.StringA
+                iscontext: true
+              ignorecase: true
+          accessor: username
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "12":
+    id: "12"
+    taskid: e6f771d7-f624-49b6-813b-9784f2f3449d
+    type: condition
+    task:
+      id: e6f771d7-f624-49b6-813b-9784f2f3449d
+      version: -1
+      name: Does XQL Query Engine integration enabled?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "4"
+      "yes":
+      - "1"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isExists
+          left:
+            value:
+              complex:
+                root: modules
+                filters:
+                - - operator: isEqualString
+                    left:
+                      value:
+                        simple: modules.brand
+                      iscontext: true
+                    right:
+                      value:
+                        simple: Cortex XDR - XQL Query Engine
+                    ignorecase: true
+                - - operator: isEqualString
+                    left:
+                      value:
+                        simple: modules.state
+                      iscontext: true
+                    right:
+                      value:
+                        simple: active
+                    ignorecase: true
+                accessor: brand
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 30
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "13":
+    id: "13"
+    taskid: 5884cd87-5d89-4ef2-8469-a557b677cda1
+    type: regular
+    task:
+      id: 5884cd87-5d89-4ef2-8469-a557b677cda1
+      version: -1
+      name: Execute query to search given process executions
+      description: |-
+        Execute an XQL query and retrieve results of an executed XQL query API. The command will be executed every 10 seconds until results are retrieved or until a timeout error is raised.
+        When more than 1000 results are retrieved, the command will return a compressed gzipped JSON format file,
+        unless the argument 'parse_result_file_to_context' is set to true and then the results will be extracted to the context.
+      script: '|||xdr-xql-generic-query'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "3"
+    scriptarguments:
+      query:
+        complex:
+          root: ProcessToSearch
+          accessor: value
+          transformers:
+          - operator: StringifyArray
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: '['
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: ']'
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith:
+                value:
+                  simple: ' OR action_process_image_name = '
+              toReplace:
+                value:
+                  simple: ','
+          - operator: concat
+            args:
+              prefix:
+                value:
+                  simple: "config case_sensitive = false\n| dataset = xdr_data  \n| filter action_process_image_name = "
+              suffix:
+                value:
+                  simple: '| fields agent_hostname as hostname, actor_effective_username as username, action_process_image_name as processname, action_process_image_command_line as cmd'
+      query_name:
+        simple: hunt
+      time_frame:
+        complex:
+          root: inputs.HuntingTimeFrame
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 780,
+          "y": 360
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+view: |-
+  {
+    "linkLabelsPosition": {
+      "3_6_#default#": 0.21,
+      "7_6_#default#": 0.57
+    },
+    "paper": {
+      "dimensions": {
+        "height": 1555,
+        "width": 1030,
+        "x": 450,
+        "y": -100
+      }
+    }
+  }
+inputs:
+- key: Processes
+  value: {}
+  required: false
+  description: |-
+    Process name to search and command-line argument to compare. This input should receive an array that contains the following keys:
+    - value: *process name*
+    - commands: *command-line arguments*
+  playbookInputQuery:
+- key: HuntingTimeFrame
+  value:
+    simple: 7 days
+  required: false
+  description: 'Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.'
+  playbookInputQuery:
+- key: StringSimilarityThreshold
+  value:
+    simple: "0.5"
+  required: false
+  description: 'StringSimilarity automation threshold: A number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold.'
+  playbookInputQuery:
+outputs:
+- contextPath: StringSimilarity
+  description: StringSimilarity automation results
+  type: unknown
+- contextPath: Findings
+  description: Suspicious process executions found
+  type: unknown
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XQL_Engine_README.md b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XQL_Engine_README.md
new file mode 100644
index 000000000000..a6866d635bce
--- /dev/null
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XQL_Engine_README.md
@@ -0,0 +1,52 @@
+This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Cortex XDR - XQL Engine" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+- value: *process name*
+- commands: *command-line arguments*
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+XQLQueryingEngine
+
+### Scripts
+
+* StringSimilarity
+* Set
+* DeleteContext
+
+### Commands
+
+xdr-xql-generic-query
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Processes | Process name to search and command-line argument to compare. This input should receive an array that contains the following keys:<br/>-value: \*process name\*<br/>-commands: \*command-line arguments\* |  | Optional |
+| HuntingTimeFrame | Time in relative date or range format \(for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 \+02:00 and 2021-02-01 12:34:56 \+02:00"\). The default is the last 24 hours. | 7 days | Optional |
+| StringSimilarityThreshold | StringSimilarity automation threshold. A number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold. | 0.5 | Optional |
+
+## Playbook Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| StringSimilarity | StringSimilarity automation results. | unknown |
+| Findings | Suspicious process executions found. | unknown |
+
+## Playbook Image
+
+---
+
+![Cortex XDR - Search and Compare Process Executions - XQL Engine](../doc_files/Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XQL_Engine.png)
diff --git a/Packs/CortexXDR/ReleaseNotes/6_0_2.md b/Packs/CortexXDR/ReleaseNotes/6_0_2.md
new file mode 100644
index 000000000000..b2192b7864c6
--- /dev/null
+++ b/Packs/CortexXDR/ReleaseNotes/6_0_2.md
@@ -0,0 +1,20 @@
+
+#### Playbooks
+
+##### New: Cortex XDR - Search and Compare Process Executions - XDR Alerts
+
+- New: This playbook is a generic playbook that receives a process name and command-line argument. It uses the "Cortex XDR IR" integration to search for the given process executions inside XDR alerts and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+- value: *process name*
+- commands: *command-line arguments*. (Available from Cortex XSOAR 6.9.0).
+##### New: Cortex XDR - Search and Compare Process Executions - XQL Engine
+
+- New: This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Cortex XDR - XQL Engine" integration to search for the given process executions and compare the command-line argument from the results to the command-line argument received from the playbook input.
+
+Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+- value: *process name*
+- commands: *command-line arguments* (Available from Cortex XSOAR 6.9.0).
+##### New: Cortex XDR - Search And Block Software - XQL Engine
+
+- New: This playbook will search a file or process activity of a software by a given image file name using Cortex XDR XQL Engine. The analyst can then choose the files to block. (Available from Cortex XSOAR 6.9.0).
diff --git a/Packs/CortexXDR/doc_files/Cortex_XDR_-_Search_And_Block_Software_-_XQL_Engine.png b/Packs/CortexXDR/doc_files/Cortex_XDR_-_Search_And_Block_Software_-_XQL_Engine.png
new file mode 100644
index 000000000000..c217e4fcd737
Binary files /dev/null and b/Packs/CortexXDR/doc_files/Cortex_XDR_-_Search_And_Block_Software_-_XQL_Engine.png differ
diff --git a/Packs/CortexXDR/doc_files/Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XDR_Alerts.png b/Packs/CortexXDR/doc_files/Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XDR_Alerts.png
new file mode 100644
index 000000000000..ae528b4ca00c
Binary files /dev/null and b/Packs/CortexXDR/doc_files/Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XDR_Alerts.png differ
diff --git a/Packs/CortexXDR/doc_files/Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XQL_Engine.png b/Packs/CortexXDR/doc_files/Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XQL_Engine.png
new file mode 100644
index 000000000000..b6cd047ae570
Binary files /dev/null and b/Packs/CortexXDR/doc_files/Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XQL_Engine.png differ
diff --git a/Packs/CortexXDR/pack_metadata.json b/Packs/CortexXDR/pack_metadata.json
index e8309999d274..23cf639a2eec 100644
--- a/Packs/CortexXDR/pack_metadata.json
+++ b/Packs/CortexXDR/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Cortex XDR by Palo Alto Networks",
     "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
     "support": "xsoar",
-    "currentVersion": "6.0.1",
+    "currentVersion": "6.0.2",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
diff --git a/Packs/FeedLOLBAS/Playbooks/playbook-Search_LOLBAS_Tools_By_Name.yml b/Packs/FeedLOLBAS/Playbooks/playbook-Search_LOLBAS_Tools_By_Name.yml
new file mode 100644
index 000000000000..6603c94ef4b5
--- /dev/null
+++ b/Packs/FeedLOLBAS/Playbooks/playbook-Search_LOLBAS_Tools_By_Name.yml
@@ -0,0 +1,445 @@
+id: Search LOLBAS Tools By Name
+version: -1
+name: Search LOLBAS Tools By Name
+description: This playbook searches for LOLBAS tools by their name, and returns the tool command from LOLBAS.
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: 79609674-deff-4ea2-8695-13192d60d9b7
+    type: start
+    task:
+      id: 79609674-deff-4ea2-8695-13192d60d9b7
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "14"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -240
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "1":
+    id: "1"
+    taskid: e94cffe7-ac29-482b-8268-dde01788cbbc
+    type: regular
+    task:
+      id: e94cffe7-ac29-482b-8268-dde01788cbbc
+      version: -1
+      name: Search if tools are Lolbins
+      description: |-
+        Searches Cortex XSOAR indicators.
+
+        Search for Cortex XSOAR indicators and returns the id, indicator_type, value, and score/verdict.
+
+        You can add additional fields from the indicators using the add_field_to_context argument.
+      scriptName: SearchIndicator
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "4"
+    scriptarguments:
+      add_fields_to_context:
+        simple: value,commands,tags,paths
+      query:
+        simple: name:"${inputs.Tool}" tags:"lolbas"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 740,
+          "y": 80
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "2":
+    id: "2"
+    taskid: 3dd139b8-25f7-456c-806f-632c5e4667fb
+    type: title
+    task:
+      id: 3dd139b8-25f7-456c-806f-632c5e4667fb
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 1230
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "4":
+    id: "4"
+    taskid: 84506ba6-6445-4a64-85c8-f956fddd7773
+    type: condition
+    task:
+      id: 84506ba6-6445-4a64-85c8-f956fddd7773
+      version: -1
+      name: Has Lolbin tools?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "13"
+      "yes":
+      - "9"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: foundIndicators
+                filters:
+                - - operator: containsGeneral
+                    left:
+                      value:
+                        simple: foundIndicators.tags
+                      iscontext: true
+                    right:
+                      value:
+                        simple: lolbas
+                    ignorecase: true
+                accessor: commands.command
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 740,
+          "y": 240
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "9":
+    id: "9"
+    taskid: c289e80b-200a-4f13-8893-ad987916312f
+    type: regular
+    task:
+      id: c289e80b-200a-4f13-8893-ad987916312f
+      version: -1
+      name: Set Lolbin name to output array
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "10"
+    scriptarguments:
+      append:
+        simple: "false"
+      key:
+        simple: NameNoExtension
+      value:
+        complex:
+          root: inputs.Tool
+          transformers:
+          - operator: Cut
+            args:
+              delimiter:
+                value:
+                  simple: .
+              fields:
+                value:
+                  simple: "1"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1010,
+          "y": 410
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "10":
+    id: "10"
+    taskid: 8e0e9941-1f31-49f1-8315-be6866fc176f
+    type: regular
+    task:
+      id: 8e0e9941-1f31-49f1-8315-be6866fc176f
+      version: -1
+      name: Set tool value to output array
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "11"
+    scriptarguments:
+      append:
+        simple: "false"
+      key:
+        simple: LotlTools.value
+      value:
+        complex:
+          root: foundIndicators
+          accessor: value
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1010,
+          "y": 570
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "11":
+    id: "11"
+    taskid: bbbcddbb-95f1-4c72-842b-871cc0a03612
+    type: regular
+    task:
+      id: bbbcddbb-95f1-4c72-842b-871cc0a03612
+      version: -1
+      name: Set tool commands to output array
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "15"
+    scriptarguments:
+      append:
+        simple: "false"
+      key:
+        simple: LotlTools.commands
+      value:
+        simple: ${foundIndicators.commands.command}
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1010,
+          "y": 730
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "13":
+    id: "13"
+    taskid: 66874f74-93e4-48d6-822c-4f63f019b74b
+    type: regular
+    task:
+      id: 66874f74-93e4-48d6-822c-4f63f019b74b
+      version: -1
+      name: Delete found indicators to allow loop
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "2"
+    scriptarguments:
+      key:
+        simple: foundIndicators
+      subplaybook:
+        simple: "yes"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 740,
+          "y": 1060
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "14":
+    id: "14"
+    taskid: d0b8432b-0ae3-4034-8e83-9d21205e5d7b
+    type: condition
+    task:
+      id: d0b8432b-0ae3-4034-8e83-9d21205e5d7b
+      version: -1
+      name: Has tools from input?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "2"
+      "yes":
+      - "1"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: inputs.Tool
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -110
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "15":
+    id: "15"
+    taskid: 784f410c-a243-4a90-8c60-c76136926d4e
+    type: regular
+    task:
+      id: 784f410c-a243-4a90-8c60-c76136926d4e
+      version: -1
+      name: Set tool paths to output array
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "13"
+    scriptarguments:
+      append:
+        simple: "false"
+      key:
+        simple: LotlTools.paths
+      value:
+        complex:
+          root: foundIndicators
+          accessor: paths
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1010,
+          "y": 890
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+view: |-
+  {
+    "linkLabelsPosition": {
+      "14_2_#default#": 0.1
+    },
+    "paper": {
+      "dimensions": {
+        "height": 1535,
+        "width": 940,
+        "x": 450,
+        "y": -240
+      }
+    }
+  }
+inputs:
+- key: Tool
+  value:
+    simple: ''
+  required: false
+  description: ""
+  playbookInputQuery:
+outputs:
+- contextPath: LotlTools
+  description: LOLBAS tools found and their commands.
+  type: unknown
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/FeedLOLBAS/Playbooks/playbook-Search_LOLBAS_Tools_By_Name_README.md b/Packs/FeedLOLBAS/Playbooks/playbook-Search_LOLBAS_Tools_By_Name_README.md
new file mode 100644
index 000000000000..a3984a9c93a6
--- /dev/null
+++ b/Packs/FeedLOLBAS/Playbooks/playbook-Search_LOLBAS_Tools_By_Name_README.md
@@ -0,0 +1,45 @@
+This playbook searches for LOLBAS tools by their name, and returns the tool command from LOLBAS.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* SearchIndicator
+* DeleteContext
+* Set
+
+### Commands
+
+This playbook does not use any commands.
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Tool |  |  | Optional |
+
+## Playbook Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| LotlTools | LOLBAS tools found and their commands. | unknown |
+
+## Playbook Image
+
+---
+
+![Search LOLBAS Tools By Name](../doc_files/Search_LOLBAS_Tools_By_Name.png)
diff --git a/Packs/FeedLOLBAS/ReleaseNotes/1_0_11.md b/Packs/FeedLOLBAS/ReleaseNotes/1_0_11.md
new file mode 100644
index 000000000000..ef5540f2c914
--- /dev/null
+++ b/Packs/FeedLOLBAS/ReleaseNotes/1_0_11.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### New: Search LOLBAS Tools By Name
+
+- New: This playbook searches for LOLBAS tools by their name, and returns the tool command from LOLBAS. (Available from Cortex XSOAR 6.9.0).
diff --git a/Packs/FeedLOLBAS/doc_files/Search_LOLBAS_Tools_By_Name.png b/Packs/FeedLOLBAS/doc_files/Search_LOLBAS_Tools_By_Name.png
new file mode 100644
index 000000000000..17cc3e4f0f92
Binary files /dev/null and b/Packs/FeedLOLBAS/doc_files/Search_LOLBAS_Tools_By_Name.png differ
diff --git a/Packs/FeedLOLBAS/pack_metadata.json b/Packs/FeedLOLBAS/pack_metadata.json
index 6d5e99efbff5..42f199fb9056 100644
--- a/Packs/FeedLOLBAS/pack_metadata.json
+++ b/Packs/FeedLOLBAS/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "LOLBAS Feed",
     "description": "\"Living off the land binaries\" is a term used to describe malware or hacking techniques that take advantage of legitimate tools.",
     "support": "xsoar",
-    "currentVersion": "1.0.10",
+    "currentVersion": "1.0.11",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_And_Block_Software.yml b/Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_And_Block_Software.yml
new file mode 100644
index 000000000000..4d97a1167d48
--- /dev/null
+++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_And_Block_Software.yml
@@ -0,0 +1,941 @@
+id: MDE - Search And Block Software
+version: -1
+name: MDE - Search And Block Software
+description: This playbook will search a file or process activity of a software by a given image file name using Microsoft Defender For Endpoint. The analyst can then choose the files to block.
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: e2462455-b6f1-4456-847a-8d2cbfe68e11
+    type: start
+    task:
+      id: e2462455-b6f1-4456-847a-8d2cbfe68e11
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "31"
+      - "32"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 440,
+          "y": -330
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "3":
+    id: "3"
+    taskid: f16ed52e-b396-43c3-85e0-74ca45de4ce0
+    type: condition
+    task:
+      id: f16ed52e-b396-43c3-85e0-74ca45de4ce0
+      version: -1
+      name: Has query results?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "6"
+      "yes":
+      - "26"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: MicrosoftATP.Hunt
+                accessor: Result
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 990,
+          "y": 520
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "4":
+    id: "4"
+    taskid: 2b9111c4-c7f3-4aff-8722-cb0e0de16aa9
+    type: title
+    task:
+      id: 2b9111c4-c7f3-4aff-8722-cb0e0de16aa9
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 440,
+          "y": 2390
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "6":
+    id: "6"
+    taskid: 7ed6724b-75d4-45c8-8a3d-e39ffa900e22
+    type: regular
+    task:
+      id: 7ed6724b-75d4-45c8-8a3d-e39ffa900e22
+      version: -1
+      name: delete context - XDR Results
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "21"
+    scriptarguments:
+      key:
+        simple: PaloAltoNetworksXQL
+      subplaybook:
+        simple: "yes"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 740,
+          "y": 1890
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "14":
+    id: "14"
+    taskid: 204f5af9-ee11-4c34-8429-3d0cc19a3685
+    type: condition
+    task:
+      id: 204f5af9-ee11-4c34-8429-3d0cc19a3685
+      version: -1
+      name: Has software name and timeframe from input?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "6"
+      "yes":
+      - "15"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: inputs.Filename
+            iscontext: true
+          right:
+            value: {}
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: inputs.TimeFrame
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 740,
+          "y": 170
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "15":
+    id: "15"
+    taskid: acdbc23e-ea80-4a6f-86a6-b210df33031d
+    type: regular
+    task:
+      id: acdbc23e-ea80-4a6f-86a6-b210df33031d
+      version: -1
+      name: Execute KQL query to search software
+      description: 'Allows you to run programmatic queries like in Microsoft Defender ATP Portal (https://securitycenter.windows.com/hunting). Limitations: You can only run a query on data from the last 30 days. The results include a maximum of 10,000 rows. The number of executions is limited (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day).'
+      script: '|||microsoft-atp-advanced-hunting'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "3"
+    scriptarguments:
+      query:
+        simple: |-
+          DeviceProcessEvents
+          | where FileName in~ ("${inputs.Filename}")
+          | project FileName, ProcessCreationTime, DeviceName, FolderPath, SHA256
+      time_range:
+        complex:
+          root: inputs.TimeFrame
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 990,
+          "y": 350
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "16":
+    id: "16"
+    taskid: e1cad07d-ecc9-448d-8dfe-1b414f4d1f2b
+    type: collection
+    task:
+      id: e1cad07d-ecc9-448d-8dfe-1b414f4d1f2b
+      version: -1
+      name: Would you like to block the files found?
+      type: collection
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "17"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1220,
+          "y": 850
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Would you like to block the files found?
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: singleSelect
+        options: []
+        optionsarg:
+        - simple: Yes - All
+        - simple: Yes - Choose specific files
+        - simple: "No"
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      title: Would you like to block the files found?
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "17":
+    id: "17"
+    taskid: 0d2ff43d-695e-4cac-8dad-b19811c882e6
+    type: condition
+    task:
+      id: 0d2ff43d-695e-4cac-8dad-b19811c882e6
+      version: -1
+      name: Block the files?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "6"
+      Yes - Choose specific files:
+      - "18"
+      "yes":
+      - "19"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isEqualString
+          left:
+            value:
+              complex:
+                root: Would you like to block the files found?.Answers
+                accessor: "0"
+            iscontext: true
+          right:
+            value:
+              simple: "Yes"
+          ignorecase: true
+    - label: Yes - Choose specific files
+      condition:
+      - - operator: isEqualString
+          left:
+            value:
+              complex:
+                root: Would you like to block the files found?.Answers
+                accessor: "0"
+            iscontext: true
+          right:
+            value:
+              simple: Yes - Choose specific files
+          ignorecase: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1220,
+          "y": 1020
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "18":
+    id: "18"
+    taskid: d901ba98-06ad-476a-8bfc-13a7984e9b35
+    type: collection
+    task:
+      id: d901ba98-06ad-476a-8bfc-13a7984e9b35
+      version: -1
+      name: Choose specific files to block
+      type: collection
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "24"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1650,
+          "y": 1200
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Choose specific files to block
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: multiSelect
+        options: []
+        optionsarg:
+        - complex:
+            root: MicrosoftATP.Hunt.Result
+            accessor: FolderPath
+        - {}
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      title: Choose specific files to block
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "19":
+    id: "19"
+    taskid: e1a29a81-6e8b-4964-8378-317d6da13486
+    type: regular
+    task:
+      id: e1a29a81-6e8b-4964-8378-317d6da13486
+      version: -1
+      name: Set Indicators To Block
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "29"
+    scriptarguments:
+      key:
+        simple: IndicatorsToBlock
+      value:
+        complex:
+          root: MicrosoftATP.Hunt.Result
+          accessor: SHA256
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1220,
+          "y": 1200
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "21":
+    id: "21"
+    taskid: dbca7f71-0386-4a09-82b3-7127aa1272d3
+    type: regular
+    task:
+      id: dbca7f71-0386-4a09-82b3-7127aa1272d3
+      version: -1
+      name: delete context - Indicators To block
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "27"
+    scriptarguments:
+      key:
+        simple: PaloAltoNetworksXQL
+      subplaybook:
+        simple: "yes"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 740,
+          "y": 2055
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "23":
+    id: "23"
+    taskid: 0eeeff57-dc6a-48f0-828f-2742507e80f2
+    type: regular
+    task:
+      id: 0eeeff57-dc6a-48f0-828f-2742507e80f2
+      version: -1
+      name: Set Indicators To Block - Process
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "29"
+    scriptarguments:
+      append:
+        simple: "true"
+      key:
+        simple: IndicatorsToBlock
+      value:
+        complex:
+          root: MicrosoftATP.Hunt.Result
+          filters:
+          - - operator: in
+              left:
+                value:
+                  simple: MicrosoftATP.Hunt.Result.FolderPath
+                iscontext: true
+              right:
+                value:
+                  simple: Choose specific files to block.Answers.0
+                iscontext: true
+              ignorecase: true
+          accessor: SHA256
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1650,
+          "y": 1540
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "24":
+    id: "24"
+    taskid: 04f5195a-5602-41dd-8161-23a159aabede
+    type: condition
+    task:
+      id: 04f5195a-5602-41dd-8161-23a159aabede
+      version: -1
+      name: Has relevant files to block?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "29"
+      "yes":
+      - "23"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: Choose specific files to block.Answers
+                accessor: "0"
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1650,
+          "y": 1360
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "26":
+    id: "26"
+    taskid: 4252ff7c-9f2f-4ad0-8dfa-f2a5ac8227b4
+    type: regular
+    task:
+      id: 4252ff7c-9f2f-4ad0-8dfa-f2a5ac8227b4
+      version: -1
+      name: Set query results to layout
+      description: Accepts a JSON object and returns a markdown.
+      scriptName: JsonToTable
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "16"
+    scriptarguments:
+      extend-context:
+        simple: customquerymarkdown=
+      value:
+        complex:
+          root: MicrosoftATP.Hunt
+          accessor: Result
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1220,
+          "y": 690
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Custom Query Results
+      output:
+        simple: ${customquerymarkdown}
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "27":
+    id: "27"
+    taskid: 73d00fa3-bca8-4100-874a-97f8bfebc839
+    type: regular
+    task:
+      id: 73d00fa3-bca8-4100-874a-97f8bfebc839
+      version: -1
+      name: Delete context - markdown
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "4"
+    scriptarguments:
+      key:
+        simple: customquerymarkdown
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 740,
+          "y": 2220
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "29":
+    id: "29"
+    taskid: 716ee229-5da3-412b-8867-4d7dcd3b94bc
+    type: regular
+    task:
+      id: 716ee229-5da3-412b-8867-4d7dcd3b94bc
+      version: -1
+      name: Block indicators
+      description: Creates a new indicator.
+      script: '|||microsoft-atp-sc-indicator-create'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "6"
+    scriptarguments:
+      action:
+        simple: Block
+      expiration_time:
+        complex:
+          root: inputs.Indicator Expiration
+      indicator_description:
+        complex:
+          root: inputs.Defender Indicator Title
+      indicator_title:
+        complex:
+          root: inputs.Defender Indicator Title
+      indicator_type:
+        simple: FileSha256
+      indicator_value:
+        complex:
+          root: IndicatorsToBlock
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1220,
+          "y": 1710
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "30":
+    id: "30"
+    taskid: 34b5f859-aa10-48cf-8f28-41ee793c6d73
+    type: condition
+    task:
+      id: 34b5f859-aa10-48cf-8f28-41ee793c6d73
+      version: -1
+      name: Is Defender For Endpoint enabled?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "4"
+      "yes":
+      - "14"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isExists
+          left:
+            value:
+              complex:
+                root: modules
+                filters:
+                - - operator: isEqualString
+                    left:
+                      value:
+                        simple: modules.brand
+                      iscontext: true
+                    right:
+                      value:
+                        simple: Microsoft Defender Advanced Threat Protection
+                - - operator: isEqualString
+                    left:
+                      value:
+                        simple: modules.state
+                      iscontext: true
+                    right:
+                      value:
+                        simple: active
+                    ignorecase: true
+                accessor: brand
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 440,
+          "y": 0
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "31":
+    id: "31"
+    taskid: d56940ed-4d06-417b-8025-ad1efff4c0ad
+    type: regular
+    task:
+      id: d56940ed-4d06-417b-8025-ad1efff4c0ad
+      version: -1
+      name: Delete context to avoid duplications - customquerymarkdown
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "30"
+    scriptarguments:
+      key:
+        simple: customquerymarkdown
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 640,
+          "y": -180
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "32":
+    id: "32"
+    taskid: 66aa84a3-2c01-473f-8346-29a174cdae15
+    type: regular
+    task:
+      id: 66aa84a3-2c01-473f-8346-29a174cdae15
+      version: -1
+      name: Delete context to avoid duplications - MicrosoftATP
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "30"
+    scriptarguments:
+      key:
+        simple: MicrosoftATP
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 250,
+          "y": -180
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+system: true
+view: |-
+  {
+    "linkLabelsPosition": {
+      "14_6_#default#": 0.14,
+      "17_18_Yes - Choose specific files": 0.52,
+      "17_6_#default#": 0.25,
+      "24_29_#default#": 0.9,
+      "3_26_yes": 0.54,
+      "3_6_#default#": 0.15
+    },
+    "paper": {
+      "dimensions": {
+        "height": 2785,
+        "width": 1780,
+        "x": 250,
+        "y": -330
+      }
+    }
+  }
+inputs:
+- key: Filename
+  value: {}
+  required: false
+  description: File name to search
+  playbookInputQuery:
+- key: TimeFrame
+  value: {}
+  required: false
+  description: 'Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.'
+  playbookInputQuery:
+- key: Defender Indicator Title
+  value:
+    simple: XSOAR Software Block
+  required: false
+  description: The indicator alert title in Defender.
+  playbookInputQuery:
+- key: Indicator Expiration
+  value: {}
+  required: false
+  description: 'DateTime string indicating when the indicator expires. Format: (<number> <time unit>, e.g., 12 hours, 7 days).'
+  playbookInputQuery:
+outputs: []
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_And_Block_Software_README.md b/Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_And_Block_Software_README.md
new file mode 100644
index 000000000000..d60dbcf2908b
--- /dev/null
+++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_And_Block_Software_README.md
@@ -0,0 +1,46 @@
+This playbook will search a file or process activity of a software by a given image file name using Microsoft Defender For Endpoint. The analyst can then choose the files to block.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+MicrosoftDefenderAdvancedThreatProtection
+
+### Scripts
+
+* DeleteContext
+* JsonToTable
+* Set
+
+### Commands
+
+* microsoft-atp-advanced-hunting
+* microsoft-atp-sc-indicator-create
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Filename | File name to search. |  | Optional |
+| TimeFrame | Time in relative date or range format \(for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 \+02:00 and 2021-02-01 12:34:56 \+02:00"\). The default is the last 24 hours. |  | Optional |
+| Defender Indicator Title | The indicator alert title in Defender. | XSOAR Software Block | Optional |
+| Indicator Expiration | DateTime string indicating when the indicator expires. Format: \(&lt;number&gt; &lt;time unit&gt;, e.g., 12 hours, 7 days\). |  | Optional |
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![MDE - Search And Block Software](../doc_files/MDE_-_Search_And_Block_Software.png)
diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_and_Compare_Process_Executions.yml b/Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_and_Compare_Process_Executions.yml
new file mode 100644
index 000000000000..a0a74f8453d0
--- /dev/null
+++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_and_Compare_Process_Executions.yml
@@ -0,0 +1,570 @@
+id: MDE - Search and Compare Process Executions
+version: -1
+name: MDE - Search and Compare Process Executions
+description: |-
+  This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Microsoft Defender For Endpoint" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+  Note: Under the "Processes", input the playbook should receive an array that contains the following keys:
+  - value: *process name*
+  - commands: *command-line arguments*
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: e7bf5297-5a54-4574-83fe-5c1618cf5a63
+    type: start
+    task:
+      id: e7bf5297-5a54-4574-83fe-5c1618cf5a63
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "17"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -80
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "1":
+    id: "1"
+    taskid: f8ea3c73-999e-4fb8-8d5c-f8d5c77d6261
+    type: regular
+    task:
+      id: f8ea3c73-999e-4fb8-8d5c-f8d5c77d6261
+      version: -1
+      name: Set process to search
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "18"
+    scriptarguments:
+      key:
+        simple: ProcessToSearch
+      value:
+        complex:
+          root: inputs.Processes
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 750,
+          "y": 220
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "4":
+    id: "4"
+    taskid: 8e8900e6-0785-4f98-87c5-98450d4ed4d2
+    type: title
+    task:
+      id: 8e8900e6-0785-4f98-87c5-98450d4ed4d2
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 1380
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "6":
+    id: "6"
+    taskid: 8b5a962a-1c0d-4c3d-8a5b-5ecc285127a3
+    type: regular
+    task:
+      id: 8b5a962a-1c0d-4c3d-8a5b-5ecc285127a3
+      version: -1
+      name: Delete context
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "4"
+    scriptarguments:
+      key:
+        simple: PaloAltoNetworksXQL
+      subplaybook:
+        simple: "yes"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 750,
+          "y": 1210
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "13":
+    id: "13"
+    taskid: 2fb5edd4-3c63-4766-8dff-920aa2027c2f
+    type: condition
+    task:
+      id: 2fb5edd4-3c63-4766-8dff-920aa2027c2f
+      version: -1
+      name: Has query results?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "6"
+      "yes":
+      - "14"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: MicrosoftATP.Hunt.Result
+                accessor: cmd
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 750,
+          "y": 540
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "14":
+    id: "14"
+    taskid: 324684ef-232e-4b5d-8c51-7b1c7a3e8cd1
+    type: regular
+    task:
+      id: 324684ef-232e-4b5d-8c51-7b1c7a3e8cd1
+      version: -1
+      name: Compare query results to given command-line patterns
+      description: This automation calculates the similarity ratio between text and a list of strings and outputs a decimal value between 0.0 and 1.0 (1.0 if the sequences are identical, and 0.0 if they don't have anything in common).
+      scriptName: StringSimilarity
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "15"
+    scriptarguments:
+      similarity_threshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+      similiarity_threshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+      string_A:
+        complex:
+          root: MicrosoftATP.Hunt.Result
+          accessor: cmd
+          transformers:
+          - operator: uniq
+      string_B:
+        complex:
+          root: ProcessToSearch
+          accessor: commands
+          transformers:
+          - operator: uniq
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1090,
+          "y": 710
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "15":
+    id: "15"
+    taskid: 2498307c-2d8d-46b4-8512-0deb6c4874ca
+    type: condition
+    task:
+      id: 2498307c-2d8d-46b4-8512-0deb6c4874ca
+      version: -1
+      name: execution is suspicious?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "6"
+      "yes":
+      - "16"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: containsGeneral
+          left:
+            value:
+              complex:
+                root: StringSimilarity
+                accessor: StringA
+            iscontext: true
+          right:
+            value:
+              complex:
+                root: MicrosoftATP.Hunt.Result
+                accessor: cmd
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1090,
+          "y": 870
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "16":
+    id: "16"
+    taskid: f59e5022-18a8-4494-8c38-9da693895ffb
+    type: regular
+    task:
+      id: f59e5022-18a8-4494-8c38-9da693895ffb
+      version: -1
+      name: Set findings
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "6"
+    scriptarguments:
+      append:
+        simple: "true"
+      key:
+        simple: Findings
+      value:
+        complex:
+          root: MicrosoftATP.Hunt.Result
+          filters:
+          - - operator: in
+              left:
+                value:
+                  simple: MicrosoftATP.Hunt.Result.cmd
+                iscontext: true
+              right:
+                value:
+                  simple: StringSimilarity.StringA
+                iscontext: true
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1090,
+          "y": 1040
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Tool Usage Found
+      output:
+        complex:
+          root: PaloAltoNetworksXQL.GenericQuery.results
+          filters:
+          - - operator: in
+              left:
+                value:
+                  simple: PaloAltoNetworksXQL.GenericQuery.results.cmd
+                iscontext: true
+              right:
+                value:
+                  simple: StringSimilarity.string_A
+                iscontext: true
+              ignorecase: true
+          accessor: processname
+    - incidentfield: Affected Hosts
+      output:
+        complex:
+          root: PaloAltoNetworksXQL.GenericQuery.results
+          filters:
+          - - operator: in
+              left:
+                value:
+                  simple: PaloAltoNetworksXQL.GenericQuery.results.cmd
+                iscontext: true
+              right:
+                value:
+                  simple: StringSimilarity.string_A
+                iscontext: true
+              ignorecase: true
+          accessor: hostname
+    - incidentfield: Affected Users
+      output:
+        complex:
+          root: PaloAltoNetworksXQL.GenericQuery.results
+          filters:
+          - - operator: in
+              left:
+                value:
+                  simple: PaloAltoNetworksXQL.GenericQuery.results.cmd
+                iscontext: true
+              right:
+                value:
+                  simple: StringSimilarity.string_A
+                iscontext: true
+              ignorecase: true
+          accessor: username
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "17":
+    id: "17"
+    taskid: 7c1f96f3-88f9-48c1-8a1b-19aa0336f469
+    type: condition
+    task:
+      id: 7c1f96f3-88f9-48c1-8a1b-19aa0336f469
+      version: -1
+      name: Defender For Endpoint Enabled?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "4"
+      "yes":
+      - "1"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isExists
+          left:
+            value:
+              complex:
+                root: modules
+                filters:
+                - - operator: isEqualString
+                    left:
+                      value:
+                        simple: modules.brand
+                      iscontext: true
+                    right:
+                      value:
+                        simple: Microsoft Defender Advanced Threat Protection
+                    ignorecase: true
+                - - operator: isEqualString
+                    left:
+                      value:
+                        simple: modules.state
+                      iscontext: true
+                    right:
+                      value:
+                        simple: active
+                    ignorecase: true
+                accessor: brand
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 50
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "18":
+    id: "18"
+    taskid: 21256e50-9f6a-4691-814d-682ef546cc1f
+    type: regular
+    task:
+      id: 21256e50-9f6a-4691-814d-682ef546cc1f
+      version: -1
+      name: Execute query to search given process executions
+      description: 'Allows you to run programmatic queries like in Microsoft Defender ATP Portal (https://securitycenter.windows.com/hunting). Limitations: You can only run a query on data from the last 30 days. The results include a maximum of 10,000 rows. The number of executions is limited (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day).'
+      script: '|||microsoft-atp-advanced-hunting'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "13"
+    scriptarguments:
+      query:
+        complex:
+          root: ProcessToSearch
+          accessor: value
+          transformers:
+          - operator: StringifyArray
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: '['
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: ']'
+          - operator: concat
+            args:
+              prefix:
+                value:
+                  simple: |-
+                    DeviceProcessEvents
+                    | where FileName in~ (
+              suffix:
+                value:
+                  simple: |-
+                    )
+                    | project-rename processname=FileName, cmd=ProcessCommandLine, hostname=DeviceName, username=AccountName, _time=ProcessCreationTime
+                    | project processname, cmd, hostname, username, _time
+      time_range:
+        complex:
+          root: inputs.HuntingTimeFrame
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 750,
+          "y": 380
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+view: |-
+  {
+    "linkLabelsPosition": {
+      "13_6_#default#": 0.47,
+      "15_16_yes": 0.44
+    },
+    "paper": {
+      "dimensions": {
+        "height": 1525,
+        "width": 1020,
+        "x": 450,
+        "y": -80
+      }
+    }
+  }
+inputs:
+- key: Processes
+  value: {}
+  required: false
+  description: |-
+    Process name to search and command-line argument to compare. This input should receive an array that contains the following keys:
+    - value: *process name*
+    - commands: *command-line arguments*
+  playbookInputQuery:
+- key: HuntingTimeFrame
+  value:
+    simple: 7 days
+  required: false
+  description: 'Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.'
+  playbookInputQuery:
+- key: StringSimilarityThreshold
+  value:
+    simple: "0.5"
+  required: false
+  description: 'StringSimilarity automation threshold. A number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold.'
+  playbookInputQuery:
+outputs:
+- contextPath: StringSimilarity
+  description: StringSimilarity automation results
+  type: unknown
+- contextPath: Findings
+  description: Suspicious process executions found
+  type: unknown
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_and_Compare_Process_Executions_README.md b/Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_and_Compare_Process_Executions_README.md
new file mode 100644
index 000000000000..fad2613e72f7
--- /dev/null
+++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_and_Compare_Process_Executions_README.md
@@ -0,0 +1,52 @@
+This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Microsoft Defender For Endpoint" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+-  value: *process name*
+- commands: *command-line arguments*
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+MicrosoftDefenderAdvancedThreatProtection
+
+### Scripts
+
+* DeleteContext
+* StringSimilarity
+* Set
+
+### Commands
+
+microsoft-atp-advanced-hunting
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Processes |  |  | Optional |
+| HuntingTimeFrame | Time in relative date or range format \(for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 \+02:00 and 2021-02-01 12:34:56 \+02:00"\). The default is the last 24 hours. | 7 days | Optional |
+| StringSimilarityThreshold | StringSimilarity automation threshold. A number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold. | 0.5 | Optional |
+
+## Playbook Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| StringSimilarity | StringSimilarity results. | unknown |
+| Findings | Suspicious process executions found. | unknown |
+
+## Playbook Image
+
+---
+
+![MDE - Search and Compare Process Executions](../doc_files/MDE_-_Search_and_Compare_Process_Executions.png)
diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_16_18.md b/Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_16_18.md
new file mode 100644
index 000000000000..ce5fa6afc8ed
--- /dev/null
+++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_16_18.md
@@ -0,0 +1,13 @@
+
+#### Playbooks
+
+##### New: MDE - Search And Block Software
+
+- New: This playbook will search a file or process activity of a software by a given image file name using Microsoft Defender For Endpoint. The analyst can then choose the files to block. (Available from Cortex XSOAR 6.9.0).
+##### New: MDE - Search and Compare Process Executions
+
+- New: This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Microsoft Defender For Endpoint" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+Note: Under the "Processes", input the playbook should receive an array that contains the following keys:
+- value: *process name*
+- commands: *command-line arguments* (Available from Cortex XSOAR 6.9.0).
diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/doc_files/MDE_-_Search_And_Block_Software.png b/Packs/MicrosoftDefenderAdvancedThreatProtection/doc_files/MDE_-_Search_And_Block_Software.png
new file mode 100644
index 000000000000..eda46e1d4a9f
Binary files /dev/null and b/Packs/MicrosoftDefenderAdvancedThreatProtection/doc_files/MDE_-_Search_And_Block_Software.png differ
diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/doc_files/MDE_-_Search_and_Compare_Process_Executions.png b/Packs/MicrosoftDefenderAdvancedThreatProtection/doc_files/MDE_-_Search_and_Compare_Process_Executions.png
new file mode 100644
index 000000000000..dd92bac89c33
Binary files /dev/null and b/Packs/MicrosoftDefenderAdvancedThreatProtection/doc_files/MDE_-_Search_and_Compare_Process_Executions.png differ
diff --git a/Packs/MicrosoftDefenderAdvancedThreatProtection/pack_metadata.json b/Packs/MicrosoftDefenderAdvancedThreatProtection/pack_metadata.json
index 8414aa79e2bf..3f1c56b1e054 100644
--- a/Packs/MicrosoftDefenderAdvancedThreatProtection/pack_metadata.json
+++ b/Packs/MicrosoftDefenderAdvancedThreatProtection/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Microsoft Defender for Endpoint",
     "description": "Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection (ATP)) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.",
     "support": "xsoar",
-    "currentVersion": "1.16.17",
+    "currentVersion": "1.16.18",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
@@ -66,4 +66,4 @@
         "CommonPlaybooks",
         "CommonTypes"
     ]
-}
+}
\ No newline at end of file
diff --git a/Packs/ProactiveThreatHunting/.pack-ignore b/Packs/ProactiveThreatHunting/.pack-ignore
new file mode 100644
index 000000000000..321d71792447
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/.pack-ignore
@@ -0,0 +1,29 @@
+[file:incidentfield-Hunting_Endpoint_Enrichment.json]
+ignore=IF113
+
+[file:incidentfield-Tools_To_Hunt_For.json]
+ignore=IF113
+
+[file:incidentfield-Campaign_to_hunt.json]
+ignore=IF113
+
+[file:incidentfield-SDO_Name.json]
+ignore=IF113
+
+[file:incidentfield-SDO_Feed.json]
+ignore=IF113
+
+[file:incidentfield-Freestyle_Hunt.json]
+ignore=IF113
+
+[file:incidentfield-Hunting_Session_Status.json]
+ignore=IF113
+
+[file:incidentfield-Choose_SDO_To_Hunt_for.json]
+ignore=IF113
+
+[file:incidentfield-Cheat_Sheet.json]
+ignore=IF113
+
+[file:playbook-Proactive_Threat_Hunting_-_Block_Indicators.yml]
+ignore=PB121
diff --git a/Packs/ProactiveThreatHunting/.secrets-ignore b/Packs/ProactiveThreatHunting/.secrets-ignore
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/ProactiveThreatHunting/Dashboards/dashboard-Threat_Hunting.json b/Packs/ProactiveThreatHunting/Dashboards/dashboard-Threat_Hunting.json
new file mode 100644
index 000000000000..a696fac7562c
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Dashboards/dashboard-Threat_Hunting.json
@@ -0,0 +1,518 @@
+{
+    "fromDate": "0001-01-01T00:00:00Z",
+    "fromDateLicense": "0001-01-01T00:00:00Z",
+    "id": "Threat Hunting",
+    "layout": [
+        {
+            "forceRange": false,
+            "h": 2,
+            "i": "9c1c65f0-050b-11ee-8890-e7fa67c22acb",
+            "id": "9c1c65f0-050b-11ee-8890-e7fa67c22acb",
+            "reflectDimensions": true,
+            "w": 4,
+            "widget": {
+                "Cache": null,
+                "cacheVersn": 0,
+                "category": "",
+                "commitMessage": "",
+                "created": "0001-01-01T00:00:00Z",
+                "dataType": "incidents",
+                "dateRange": {
+                    "fromDate": "0001-01-01T00:00:00Z",
+                    "fromDateLicense": "0001-01-01T00:00:00Z",
+                    "period": {
+                        "by": "",
+                        "byFrom": "days",
+                        "byTo": "",
+                        "field": "",
+                        "fromValue": 7,
+                        "toValue": null
+                    },
+                    "toDate": "0001-01-01T00:00:00Z"
+                },
+                "definitionId": "",
+                "fromServerVersion": "",
+                "id": "391b3dce-2c2a-4f2d-8bb9-a34873ff9223",
+                "isPredefined": false,
+                "itemVersion": "",
+                "modified": "2023-06-07T08:16:29.933539185Z",
+                "name": "Most Common Suspicious Tool Usage",
+                "packID": "",
+                "packName": "",
+                "params": {
+                    "groupBy": [
+                        "toolusagefound"
+                    ],
+                    "showOthers": true,
+                    "valuesFormat": "abbreviated"
+                },
+                "prevName": "Most Common Suspicious Tool Usage",
+                "propagationLabels": [
+                    "all"
+                ],
+                "query": "type:\"Proactive Threat Hunting\" -toolusagefound:\"\"",
+                "shouldCommit": false,
+                "sizeInBytes": 0,
+                "toServerVersion": "",
+                "vcShouldIgnore": false,
+                "vcShouldKeepItemLegacyProdMachine": false,
+                "version": 1,
+                "widgetType": "pie"
+            },
+            "x": 0,
+            "y": 0
+        },
+        {
+            "forceRange": false,
+            "h": 2,
+            "i": "cf12a9b0-050b-11ee-8890-e7fa67c22acb",
+            "id": "cf12a9b0-050b-11ee-8890-e7fa67c22acb",
+            "reflectDimensions": true,
+            "w": 4,
+            "widget": {
+                "Cache": null,
+                "cacheVersn": 0,
+                "category": "",
+                "commitMessage": "",
+                "created": "0001-01-01T00:00:00Z",
+                "dataType": "incidents",
+                "dateRange": {
+                    "fromDate": "0001-01-01T00:00:00Z",
+                    "fromDateLicense": "0001-01-01T00:00:00Z",
+                    "period": {
+                        "by": "",
+                        "byFrom": "days",
+                        "byTo": "",
+                        "field": "",
+                        "fromValue": 7,
+                        "toValue": null
+                    },
+                    "toDate": "0001-01-01T00:00:00Z"
+                },
+                "definitionId": "",
+                "fromServerVersion": "",
+                "id": "d21cf6af-032d-4dd2-8621-cd2256d7c1b5",
+                "isPredefined": false,
+                "itemVersion": "",
+                "modified": "2023-06-07T08:17:55.628199525Z",
+                "name": "Top Users Involved In Suspicious Activity",
+                "packID": "",
+                "packName": "",
+                "params": {
+                    "groupBy": [
+                        "affectedusers"
+                    ],
+                    "valuesFormat": "abbreviated"
+                },
+                "prevName": "Top Hunten Attack Patterns",
+                "propagationLabels": [
+                    "all"
+                ],
+                "query": "type:\"Proactive Threat Hunting\" -affectedusers:\"\"",
+                "shouldCommit": false,
+                "sizeInBytes": 0,
+                "toServerVersion": "",
+                "vcShouldIgnore": false,
+                "vcShouldKeepItemLegacyProdMachine": false,
+                "version": 1,
+                "widgetType": "pie"
+            },
+            "x": 8,
+            "y": 0
+        },
+        {
+            "forceRange": false,
+            "h": 4,
+            "i": "f2cf38f0-050b-11ee-8890-e7fa67c22acb",
+            "id": "f2cf38f0-050b-11ee-8890-e7fa67c22acb",
+            "reflectDimensions": true,
+            "w": 8,
+            "widget": {
+                "Cache": null,
+                "cacheVersn": 0,
+                "category": "",
+                "commitMessage": "",
+                "created": "0001-01-01T00:00:00Z",
+                "dataType": "incidents",
+                "dateRange": {
+                    "fromDate": "0001-01-01T00:00:00Z",
+                    "fromDateLicense": "0001-01-01T00:00:00Z",
+                    "period": {
+                        "by": "",
+                        "byFrom": "days",
+                        "byTo": "",
+                        "field": "",
+                        "fromValue": 30,
+                        "toValue": null
+                    },
+                    "toDate": "0001-01-01T00:00:00Z"
+                },
+                "definitionId": "",
+                "fromServerVersion": "",
+                "id": "38e7fad3-7aed-41a7-8fbd-faa73de440b5",
+                "isPredefined": false,
+                "itemVersion": "",
+                "modified": "2023-06-07T08:18:55.625697851Z",
+                "name": "Latest Threat Hunting Sessions",
+                "packID": "",
+                "packName": "",
+                "params": {
+                    "enablePagination": true,
+                    "tableColumns": [
+                        {
+                            "displayed": true,
+                            "isDefault": true,
+                            "key": "id",
+                            "width": 110
+                        },
+                        {
+                            "displayed": true,
+                            "isDefault": true,
+                            "key": "name",
+                            "width": 300
+                        },
+                        {
+                            "displayed": true,
+                            "isDefault": true,
+                            "key": "status",
+                            "width": 80
+                        },
+                        {
+                            "displayed": true,
+                            "isDefault": true,
+                            "key": "occurred",
+                            "width": 200
+                        }
+                    ]
+                },
+                "prevName": "Latest Threat Hunting Sessions",
+                "propagationLabels": [
+                    "all"
+                ],
+                "query": "type:\"Proactive Threat Hunting\"",
+                "shouldCommit": false,
+                "sizeInBytes": 0,
+                "sort": [
+                    {
+                        "asc": false,
+                        "field": "id",
+                        "fieldType": ""
+                    }
+                ],
+                "toServerVersion": "",
+                "vcShouldIgnore": false,
+                "vcShouldKeepItemLegacyProdMachine": false,
+                "version": 1,
+                "widgetType": "table"
+            },
+            "x": 0,
+            "y": 3
+        },
+        {
+            "forceRange": false,
+            "h": 4,
+            "i": "8fcbf940-050c-11ee-8890-e7fa67c22acb",
+            "id": "8fcbf940-050c-11ee-8890-e7fa67c22acb",
+            "reflectDimensions": true,
+            "w": 4,
+            "widget": {
+                "Cache": null,
+                "cacheVersn": 0,
+                "category": "",
+                "commitMessage": "",
+                "created": "0001-01-01T00:00:00Z",
+                "dataType": "indicators",
+                "dateRange": {
+                    "fromDate": "0001-01-01T00:00:00Z",
+                    "fromDateLicense": "0001-01-01T00:00:00Z",
+                    "period": {
+                        "by": "",
+                        "byFrom": "days",
+                        "byTo": "",
+                        "field": "",
+                        "fromValue": 7,
+                        "toValue": null
+                    },
+                    "toDate": "0001-01-01T00:00:00Z"
+                },
+                "definitionId": "",
+                "fromServerVersion": "",
+                "id": "",
+                "isPredefined": false,
+                "itemVersion": "",
+                "modified": "0001-01-01T00:00:00Z",
+                "name": "SDO Used In Hunting Sessions",
+                "packID": "",
+                "packName": "",
+                "params": {
+                    "tableColumns": [
+                        {
+                            "isDefault": true,
+                            "key": "indicator_type",
+                            "position": 1,
+                            "width": 120
+                        },
+                        {
+                            "isDefault": true,
+                            "key": "value",
+                            "position": 2,
+                            "width": 300
+                        },
+                        {
+                            "isDefault": true,
+                            "key": "score",
+                            "position": 4,
+                            "width": 120
+                        },
+                        {
+                            "isDefault": true,
+                            "key": "firstSeen",
+                            "position": 5,
+                            "width": 275
+                        },
+                        {
+                            "isDefault": true,
+                            "key": "lastSeen",
+                            "position": 6,
+                            "width": 275
+                        },
+                        {
+                            "isDefault": true,
+                            "key": "timestamp",
+                            "position": 8,
+                            "width": 190
+                        },
+                        {
+                            "isDefault": true,
+                            "key": "relatedIncCount",
+                            "position": 9,
+                            "width": 150
+                        },
+                        {
+                            "isDefault": true,
+                            "key": "sourceBrands",
+                            "position": 12,
+                            "width": 175
+                        },
+                        {
+                            "isDefault": true,
+                            "key": "sourceInstances",
+                            "position": 13,
+                            "width": 175
+                        },
+                        {
+                            "isDefault": true,
+                            "key": "expirationStatus",
+                            "position": 14,
+                            "width": 175
+                        },
+                        {
+                            "isDefault": true,
+                            "key": "expiration",
+                            "position": 15,
+                            "width": 190
+                        }
+                    ]
+                },
+                "prevName": "",
+                "propagationLabels": [
+                    "all"
+                ],
+                "query": "incident.type:\"Proactive Threat Hunting\" AND (type:Campaign or type:\"Intrusion Set\" or type:\"Threat Actor\" or type:Malware)",
+                "shouldCommit": false,
+                "sizeInBytes": 0,
+                "toServerVersion": "",
+                "vcShouldIgnore": false,
+                "vcShouldKeepItemLegacyProdMachine": false,
+                "version": 0,
+                "widgetType": "table"
+            },
+            "x": 8,
+            "y": 3
+        },
+        {
+            "forceRange": false,
+            "h": 1,
+            "i": "295bbda0-051e-11ee-b130-6992e92c4ea8",
+            "id": "295bbda0-051e-11ee-b130-6992e92c4ea8",
+            "reflectDimensions": true,
+            "w": 8,
+            "widget": {
+                "Cache": null,
+                "cacheVersn": 0,
+                "category": "",
+                "commitMessage": "",
+                "created": "0001-01-01T00:00:00Z",
+                "dataType": "incidents",
+                "dateRange": {
+                    "fromDate": "0001-01-01T00:00:00Z",
+                    "fromDateLicense": "0001-01-01T00:00:00Z",
+                    "period": {
+                        "by": "",
+                        "byFrom": "days",
+                        "byTo": "",
+                        "field": "",
+                        "fromValue": 7,
+                        "toValue": null
+                    },
+                    "toDate": "0001-01-01T00:00:00Z"
+                },
+                "definitionId": "",
+                "fromServerVersion": "",
+                "id": "81242adf-2860-4155-8a3a-bd8707ec7611",
+                "isPredefined": false,
+                "itemVersion": "",
+                "modified": "2023-06-07T10:29:17.426061511Z",
+                "name": "Threat Hunting Sessions Executed",
+                "packID": "",
+                "packName": "",
+                "params": {
+                    "valuesFormat": "abbreviated"
+                },
+                "prevName": "Total count of Threat Hunting Session Executed",
+                "propagationLabels": [
+                    "all"
+                ],
+                "query": "tags:\"Threat Hunting\"",
+                "shouldCommit": false,
+                "sizeInBytes": 0,
+                "toServerVersion": "",
+                "vcShouldIgnore": false,
+                "vcShouldKeepItemLegacyProdMachine": false,
+                "version": 1,
+                "widgetType": "number"
+            },
+            "x": 0,
+            "y": 2
+        },
+        {
+            "forceRange": false,
+            "h": 2,
+            "i": "73b93760-051e-11ee-b130-6992e92c4ea8",
+            "id": "73b93760-051e-11ee-b130-6992e92c4ea8",
+            "reflectDimensions": true,
+            "w": 4,
+            "widget": {
+                "Cache": null,
+                "cacheVersn": 0,
+                "category": "",
+                "commitMessage": "",
+                "created": "0001-01-01T00:00:00Z",
+                "dataType": "incidents",
+                "dateRange": {
+                    "fromDate": "0001-01-01T00:00:00Z",
+                    "fromDateLicense": "0001-01-01T00:00:00Z",
+                    "period": {
+                        "by": "",
+                        "byFrom": "days",
+                        "byTo": "",
+                        "field": "",
+                        "fromValue": 7,
+                        "toValue": null
+                    },
+                    "toDate": "0001-01-01T00:00:00Z"
+                },
+                "definitionId": "",
+                "fromServerVersion": "",
+                "id": "e9bde988-e523-40bc-837d-62c0aab15755",
+                "isPredefined": false,
+                "itemVersion": "",
+                "modified": "2023-06-07T10:31:22.21854112Z",
+                "name": "Hosts Contains Suspicious Results",
+                "packID": "",
+                "packName": "",
+                "params": {
+                    "groupBy": [
+                        "affectedhosts"
+                    ],
+                    "showOthers": true,
+                    "valuesFormat": "abbreviated"
+                },
+                "prevName": "Hosts Contains Suspicious Results",
+                "propagationLabels": [
+                    "all"
+                ],
+                "query": "tags:\"Threat Hunting\" -affectedhosts:\"\"",
+                "shouldCommit": false,
+                "size": 5,
+                "sizeInBytes": 0,
+                "toServerVersion": "",
+                "vcShouldIgnore": false,
+                "vcShouldKeepItemLegacyProdMachine": false,
+                "version": 1,
+                "widgetType": "pie"
+            },
+            "x": 4,
+            "y": 0
+        },
+        {
+            "forceRange": false,
+            "h": 1,
+            "i": "7f3c1370-05e4-11ee-bc53-7b0c7e963407",
+            "id": "7f3c1370-05e4-11ee-bc53-7b0c7e963407",
+            "reflectDimensions": true,
+            "w": 4,
+            "widget": {
+                "Cache": null,
+                "cacheVersn": 0,
+                "category": "",
+                "commitMessage": "",
+                "created": "0001-01-01T00:00:00Z",
+                "dataType": "indicators",
+                "dateRange": {
+                    "fromDate": "0001-01-01T00:00:00Z",
+                    "fromDateLicense": "0001-01-01T00:00:00Z",
+                    "period": {
+                        "by": "",
+                        "byFrom": "days",
+                        "byTo": "",
+                        "field": "",
+                        "fromValue": 7,
+                        "toValue": null
+                    },
+                    "toDate": "0001-01-01T00:00:00Z"
+                },
+                "definitionId": "",
+                "fromServerVersion": "",
+                "id": "aa5930da-310d-4bc5-8115-4c77d0be8b79",
+                "isPredefined": false,
+                "itemVersion": "",
+                "modified": "2023-06-08T10:08:56.416795659Z",
+                "name": "Malicious Indicators Found During a Hunt",
+                "packID": "",
+                "packName": "",
+                "params": {
+                    "valuesFormat": "abbreviated"
+                },
+                "prevName": "Malicious Indicators Found During a Hunt",
+                "propagationLabels": [
+                    "all"
+                ],
+                "query": "tags:\"Hunting Session - Exist In Environment\"",
+                "shouldCommit": false,
+                "sizeInBytes": 0,
+                "toServerVersion": "",
+                "vcShouldIgnore": false,
+                "vcShouldKeepItemLegacyProdMachine": false,
+                "version": 1,
+                "widgetType": "number"
+            },
+            "x": 8,
+            "y": 2
+        }
+    ],
+    "name": "Threat Hunting",
+    "period": {
+        "by": "",
+        "byFrom": "days",
+        "byTo": "",
+        "field": "",
+        "fromValue": null,
+        "toValue": null
+    },
+    "toDate": "0001-01-01T00:00:00Z",
+    "version": -1,
+    "fromVersion": "6.9.0",
+    "description": "",
+    "isPredefined": true
+}
\ No newline at end of file
diff --git a/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Campaign_to_hunt.json b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Campaign_to_hunt.json
new file mode 100644
index 000000000000..e884f9a73d15
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Campaign_to_hunt.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "campaigntohunt",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_campaigntohunt",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Campaign to hunt",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "shortText",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Cheat_Sheet.json b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Cheat_Sheet.json
new file mode 100644
index 000000000000..e3a9e1c08aaf
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Cheat_Sheet.json
@@ -0,0 +1,28 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "cheatsheet",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_cheatsheet",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Cheat Sheet",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "template":"# XQL Queries\n\n### Search for CMD.EXE executions\n_You can change the timeframe by replacing the **\"7d\"** value_\n```\nconfig case_sensitive = false timeframe = 7d \n| dataset = xdr_data \n| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START\n| filter action_process_image_name contains \"cmd.exe\" or action_file_name contains \"cmd.exe\"\n| fields action_process_image_name as procname, action_process_image_sha256 as procsha256, action_process_image_path as\nprocpath, action_file_name as filename, action_file_sha256 as filesha256, action_file_path as filepath, event_type as eventtype,\nevent_sub_type as event_sub_type, action_process_image_md5 as procmd5, action_file_md5 as filemd5, agent_id as EndpointID\n```\n\n### All files created by the user \"X\" in the downloads folder\n_Replace **\"X\"** with user name \nYou can change the timeframe by replacing the **\"7d\"** value_\n```\nconfig case_sensitive = false timeframe = 2d\n| dataset = xdr_data\n| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW and action_file_path contains \"downloads\" and actor_effective_username contains \"X\"\n| dedup action_file_path , action_file_sha256\n| fields actor_effective_username , agent_hostname , action_file_path , action_file_sha256 , actor_process_command_line\n```\n\n### All hosts that the user \"X\" logged in to \n_Replace **\"X\"** with user name\nYou can change the timeframe by replacing the **\"7d\"** value_\n```\nconfig case_sensitive = false timeframe = 7d\n | dataset = xdr_data \n | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4624 \n | alter Logon_Type = arrayindex(regextract(action_evtlog_message, \"Logon Type:.*?(\\d+)\\r\\n\"),0), User_Name = arrayindex(regextract(action_evtlog_message,\"New Logon:\\r\\n.*\\r\\n.*?Account Name:.*?(\\w.*?)\\r\\n\"),0), Domain = arrayindex(regextract(action_evtlog_message, \"New Logon:\\r\\n.*\\r\\n.*\\r\\n.Account Domain:.*?(\\w.*)\\r\\n\"),0), Source_IP = arrayindex(regextract(action_evtlog_message, \"Source Network Address:.*?(\\d+\\.\\d+\\.\\d+\\.\\d+)\\r\\n\"),0), Process_Name = arrayindex(regextract(action_evtlog_message, \"Process Name:.*?(\\w.*)\\r\\n\"),0), Host_Name = arrayindex(regextract(action_evtlog_message, \"Workstation Name:.*?(\\w.*)\\r\\n\"),0)\n| filter lowercase(User_Name) contains lowercase(\"X\") // change the username\n| fields User_Name, Host_Name, Domain, Logon_Type, Source_IP, Process_Name, action_evtlog_message as Raw_Message \n| comp count() as counter by Host_Name, Source_IP , Logon_Type \n```",
+    "threshold": 72,
+    "type": "markdown",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Choose_SDO_To_Hunt_for.json b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Choose_SDO_To_Hunt_for.json
new file mode 100644
index 000000000000..5d4dd47bf85c
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Choose_SDO_To_Hunt_for.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "choosesdotohuntfor",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_choosesdotohuntfor",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Choose SDO To Hunt for",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "shortText",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Freestyle_Hunt.json b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Freestyle_Hunt.json
new file mode 100644
index 000000000000..92a9788d7aa1
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Freestyle_Hunt.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "freestylehunt",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_freestylehunt",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Freestyle Hunt",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "shortText",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Hunting_Endpoint_Enrichment.json b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Hunting_Endpoint_Enrichment.json
new file mode 100644
index 000000000000..9255e1b6eb40
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Hunting_Endpoint_Enrichment.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "huntingendpointenrichment",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_huntingendpointenrichment",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Hunting Endpoint Enrichment",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "shortText",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Hunting_Session_Status.json b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Hunting_Session_Status.json
new file mode 100644
index 000000000000..4c54c8c237b5
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Hunting_Session_Status.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "huntingsessionstatus",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_huntingsessionstatus",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Hunting Session Status",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "shortText",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-SDO_Feed.json b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-SDO_Feed.json
new file mode 100644
index 000000000000..c0475510cb0a
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-SDO_Feed.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "sdofeed",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_sdofeed",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "SDO Feed",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "markdown",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-SDO_Name.json b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-SDO_Name.json
new file mode 100644
index 000000000000..b682249b766c
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-SDO_Name.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "sdoname",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_sdoname",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "SDO Name",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "markdown",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Tools_To_Hunt_For.json b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Tools_To_Hunt_For.json
new file mode 100644
index 000000000000..f3049a045868
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Tools_To_Hunt_For.json
@@ -0,0 +1,27 @@
+{
+    "associatedToAll": true,
+    "caseInsensitive": true,
+    "cliName": "toolstohuntfor",
+    "closeForm": false,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_toolstohuntfor",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "Tools To Hunt For",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "threshold": 72,
+    "type": "tagsSelect",
+    "unmapped": false,
+    "unsearchable": true,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/ProactiveThreatHunting/IncidentTypes/incidenttype-Proactive_Threat_Hunting.json b/Packs/ProactiveThreatHunting/IncidentTypes/incidenttype-Proactive_Threat_Hunting.json
new file mode 100644
index 000000000000..27701bfd2977
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/IncidentTypes/incidenttype-Proactive_Threat_Hunting.json
@@ -0,0 +1,28 @@
+{
+    "autorun": true,
+    "color": "#F8E7A5",
+    "days": 0,
+    "daysR": 0,
+    "default": false,
+    "detached": false,
+    "disabled": false,
+    "extractSettings": {
+        "fieldCliNameToExtractSettings": {},
+        "mode": "Specific"
+    },
+    "hours": 0,
+    "hoursR": 0,
+    "id": "Proactive Threat Hunting",
+    "layout": "Proactive Threat Hunting",
+    "locked": false,
+    "name": "Proactive Threat Hunting",
+    "onChangeRepAlg": 0,
+    "playbookId": "Proactive Threat Hunting",
+    "readonly": false,
+    "reputationCalc": 0,
+    "system": false,
+    "version": -1,
+    "weeks": 0,
+    "weeksR": 0,
+    "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/ProactiveThreatHunting/Layouts/layoutscontainer-Proactive_Threat_Hunting.json b/Packs/ProactiveThreatHunting/Layouts/layoutscontainer-Proactive_Threat_Hunting.json
new file mode 100644
index 000000000000..44a39e9d913c
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Layouts/layoutscontainer-Proactive_Threat_Hunting.json
@@ -0,0 +1,1386 @@
+{
+    "detailsV2": {
+        "tabs": [
+            {
+                "id": "summary",
+                "name": "Legacy Summary",
+                "type": "summary"
+            },
+            {
+                "id": "caseinfoid",
+                "name": "Evidence",
+                "sections": [
+                    {
+                        "h": 2,
+                        "i": "caseinfoid-field-changed-caseinfoid-lsqweemtuk-caseinfoid-field-changed-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-caseinfoid-field-changed-caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8",
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Updates For The Hunter",
+                        "static": false,
+                        "type": "notes",
+                        "w": 3,
+                        "x": 0,
+                        "y": 0
+                    },
+                    {
+                        "h": 4,
+                        "i": "caseinfoid-field-changed-caseinfoid-lsqweemtuk-caseinfoid-field-changed-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-33264160-09c0-11ee-8f72-f32dc12d5a8f",
+                        "items": [],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Evidence Results",
+                        "sort": {
+                            "asc": false,
+                            "field": "description"
+                        },
+                        "static": false,
+                        "type": "evidence",
+                        "w": 2,
+                        "x": 0,
+                        "y": 2
+                    },
+                    {
+                        "h": 4,
+                        "i": "caseinfoid-b0fe00d0-2fb0-11ee-a284-cde109092515",
+                        "items": [],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Instructions",
+                        "static": false,
+                        "type": "workplan",
+                        "w": 1,
+                        "x": 2,
+                        "y": 2
+},
+					{
+						"displayType": "CARD",
+						"h": 2,
+						"hideName": false,
+						"i": "caseinfoid-325fd1a0-724e-11ee-b9de-abf403278027",
+						"items": [
+							{
+								"endCol": 2,
+								"fieldId": "closenotes",
+								"height": 22,
+								"id": "4b32a590-724e-11ee-b9de-abf403278027",
+								"index": 0,
+								"sectionItemType": "field",
+								"startCol": 0
+							}
+						],
+						"maxW": 3,
+						"minH": 1,
+						"moved": false,
+						"name": "Close Investigation Notes",
+						"static": false,
+						"w": 3,
+						"x": 0,
+						"y": 6
+                    }
+                ],
+                "type": "custom"
+            },
+            {
+                "filters": [
+                    [
+                        {
+                            "ignoreCase": false,
+                            "left": {
+                                "isContext": true,
+                                "value": {
+                                    "simple": "sdoname"
+                                }
+                            },
+                            "operator": "isNotEmpty",
+                            "right": null,
+                            "type": "markdown"
+                        }
+                    ]
+                ],
+                "hidden": false,
+                "id": "lsqweemtuk",
+                "name": "Hunt Results",
+                "sections": [
+                    {
+                        "description": "The hunted SDO details. These details include the SDO's name, source feed, as well as any associated attack patterns and related tools. It's important to note that the hunt will only cover attack patterns and techniques that have relevant tool data from the existing Threat Intelligence Management (TIM) feeds",
+                        "displayType": "CARD",
+                        "h": 3,
+                        "hideName": false,
+                        "i": "caseinfoid-field-changed-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-d2cabf40-bcf7-11ed-b6eb-39368307a439",
+                        "items": [
+                            {
+                                "dropEffect": "move",
+                                "endCol": 1,
+                                "fieldId": "sdoname",
+                                "height": 106,
+                                "id": "0aa3c270-09bc-11ee-9e2b-251d921ea3e1",
+                                "index": 0,
+                                "listId": "caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-d2cabf40-bcf7-11ed-b6eb-39368307a439",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "dropEffect": "move",
+                                "endCol": 1,
+                                "fieldId": "sdofeed",
+                                "height": 106,
+                                "id": "950b2600-14c6-11ee-b61f-5f6ef40adff4",
+                                "index": 1,
+                                "listId": "caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-d2cabf40-bcf7-11ed-b6eb-39368307a439",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "dropEffect": "move",
+                                "endCol": 4,
+                                "fieldId": "tools",
+                                "height": 53,
+                                "id": "29fbafb0-d1f0-11ed-acc6-b384b0c94da3",
+                                "index": 0,
+                                "listId": "caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-d2cabf40-bcf7-11ed-b6eb-39368307a439",
+                                "sectionItemType": "field",
+                                "startCol": 1
+                            },
+                            {
+                                "dropEffect": "move",
+                                "endCol": 4,
+                                "fieldId": "attackpatterns",
+                                "height": 53,
+                                "id": "26f94520-d1f0-11ed-acc6-b384b0c94da3",
+                                "index": 2,
+                                "listId": "caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-d2cabf40-bcf7-11ed-b6eb-39368307a439",
+                                "sectionItemType": "field",
+                                "startCol": 1
+                            }
+                        ],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Hunting Hypothesis - SDO Details",
+                        "static": false,
+                        "w": 2,
+                        "x": 0,
+                        "y": 2
+                    },
+                    {
+                        "description": "A summary of the hunt results including tool usage found, affected hosts and affected users",
+                        "displayType": "CARD",
+                        "h": 2,
+                        "hideName": false,
+                        "i": "caseinfoid-field-changed-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-7d826ee0-d1d6-11ed-b353-b1e63aacf41c",
+                        "items": [
+                            {
+                                "dropEffect": "move",
+                                "endCol": 1,
+                                "fieldId": "toolusagefound",
+                                "height": 53,
+                                "id": "d36d36c0-04f6-11ee-b4d9-19f1ef96b1ee",
+                                "index": 0,
+                                "listId": "caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-7d826ee0-d1d6-11ed-b353-b1e63aacf41c",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "dropEffect": "move",
+                                "endCol": 2,
+                                "fieldId": "affectedhosts",
+                                "height": 53,
+                                "id": "50637f10-09e6-11ee-abc4-2b5a1ddfcac7",
+                                "index": 0,
+                                "listId": "caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-7d826ee0-d1d6-11ed-b353-b1e63aacf41c",
+                                "sectionItemType": "field",
+                                "startCol": 1
+                            },
+                            {
+                                "dropEffect": "move",
+                                "endCol": 4,
+                                "fieldId": "affectedusers",
+                                "height": 53,
+                                "id": "2804c340-0a7b-11ee-83e6-29d08fecc6d3",
+                                "index": 0,
+                                "listId": "caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-7d826ee0-d1d6-11ed-b353-b1e63aacf41c",
+                                "sectionItemType": "field",
+                                "startCol": 2
+                            }
+                        ],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "SDO Hunt Results - Summary",
+                        "static": false,
+                        "w": 2,
+                        "wrapLabels": false,
+                        "x": 0,
+                        "y": 5
+                    },
+                    {
+                        "description": "IOCs to search in the hunt",
+                        "h": 3,
+                        "i": "caseinfoid-field-changed-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-c990b6e0-0460-11ee-8ee6-8b736c56904f",
+                        "items": [],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Hunting Hypothesis - SDO Related IOCs",
+                        "query": "tags:\"Hunting Session\"",
+                        "queryType": "input",
+                        "static": false,
+                        "type": "indicators",
+                        "w": 1,
+                        "x": 2,
+                        "y": 2
+                    },
+                    {
+                        "description": "IOCs found during the hunt",
+                        "h": 8,
+                        "i": "caseinfoid-field-changed-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fd726570-09d9-11ee-816a-29823d8f2014",
+                        "items": [],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Detected IOCs",
+                        "query": "tags:\"Hunting Session - Exist In Environment\"",
+                        "queryType": "input",
+                        "static": false,
+                        "type": "indicators",
+                        "w": 1,
+                        "x": 2,
+                        "y": 5
+                    },
+                    {
+                        "description": "",
+                        "displayType": "CARD",
+                        "h": 3,
+                        "hideItemTitleOnlyOne": false,
+                        "hideName": true,
+                        "i": "caseinfoid-field-changed-caseinfoid-1e1fa8e5-2083-11ee-8b39-a7ebb8a31864",
+                        "items": [
+                            {
+                                "endCol": 4,
+                                "fieldId": "suspiciousexecutionsfound",
+                                "height": 106,
+                                "id": "714751f0-2086-11ee-8b39-a7ebb8a31864",
+                                "index": 0,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            }
+                        ],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Suspicious",
+                        "static": false,
+                        "w": 2,
+                        "wrapLabels": false,
+                        "x": 0,
+                        "y": 7
+                    },
+                    {
+                        "description": "This section displays the comparison results between malicious tool patterns and command-line arguments found within the environment.",
+                        "displayType": "CARD",
+                        "h": 3,
+                        "hideName": true,
+                        "i": "caseinfoid-field-changed-caseinfoid-25d429d5-2083-11ee-8b39-a7ebb8a31864",
+                        "items": [
+                            {
+                                "dropEffect": "move",
+                                "endCol": 4,
+                                "fieldId": "stringsimilarityresults",
+                                "height": 106,
+                                "id": "25d429d2-2083-11ee-8b39-a7ebb8a31864",
+                                "index": 0,
+                                "listId": "caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-7d826ee0-d1d6-11ed-b353-b1e63aacf41c",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            }
+                        ],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "SDO Hunt Results",
+                        "static": false,
+                        "w": 2,
+                        "wrapLabels": false,
+                        "x": 0,
+                        "y": 10
+                    },
+                    {
+                        "h": 2,
+                        "i": "caseinfoid-field-changed-caseinfoid-04121060-2096-11ee-8b39-a7ebb8a31864",
+                        "items": [],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Updates For The Hunter",
+                        "static": false,
+                        "type": "notes",
+                        "w": 3,
+                        "x": 0,
+                        "y": 0
+                    }
+                ],
+                "type": "custom"
+            },
+            {
+                "filters": [
+                    [
+                        {
+                            "ignoreCase": false,
+                            "left": {
+                                "isContext": true,
+                                "value": {
+                                    "simple": "huntingsessionstatus"
+                                }
+                            },
+                            "operator": "isNotEmpty",
+                            "right": null,
+                            "type": "shortText"
+                        }
+                    ]
+                ],
+                "hidden": false,
+                "id": "fvtmv2oyuw",
+                "name": "Investigation \u0026 Response",
+                "sections": [
+                    {
+                        "description": "Upon executing a entity enrichment, the results will be promptly displayed in this section.",
+                        "displayType": "CARD",
+                        "h": 4,
+                        "hideName": false,
+                        "i": "caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-lsqweemtuk-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-51034f40-09eb-11ee-abc4-2b5a1ddfcac7",
+                        "items": [
+                            {
+                                "dropEffect": "move",
+                                "endCol": 6,
+                                "fieldId": "endpointsdetails",
+                                "height": 44,
+                                "id": "1f477c20-1403-11ee-85c9-5b605042f1e1",
+                                "index": 0,
+                                "listId": "caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-51034f40-09eb-11ee-abc4-2b5a1ddfcac7",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 6,
+                                "fieldId": "usersdetails",
+                                "height": 44,
+                                "id": "1d661c80-1404-11ee-a9af-a9d9f3be4779",
+                                "index": 1,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 6,
+                                "fieldId": "relatedalerts",
+                                "height": 44,
+                                "id": "e5f60f70-140e-11ee-a9af-a9d9f3be4779",
+                                "index": 2,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            }
+                        ],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Entity Enrichment",
+                        "static": false,
+                        "w": 3,
+                        "x": 0,
+                        "y": 6
+                    },
+                    {
+                        "description": "Set of post-hunting actions. There is a manual Collection task before the actual remediation. Executing a new action will abort the previous one, if hasn't done yet.",
+                        "displayType": "CARD",
+                        "h": 4,
+                        "hideName": false,
+                        "i": "caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-lsqweemtuk-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-74d80420-0a1c-11ee-94e8-b97b8109133e",
+                        "items": [
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Entity Enrichment"
+                                    }
+                                },
+                                "buttonClass": "primary",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "91a70bf0-0a1c-11ee-94e8-b97b8109133e",
+                                "index": 0,
+                                "name": "Entity Enrichment",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Execute Query"
+                                    }
+                                },
+                                "buttonClass": "primary",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "74341230-14c0-11ee-985b-5d9798906d26",
+                                "index": 1,
+                                "name": "Execute Custom Query",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Endpoint Isolation"
+                                    }
+                                },
+                                "buttonClass": "error",
+                                "dropEffect": "move",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "a60e1cb0-2096-11ee-8b39-a7ebb8a31864",
+                                "index": 2,
+                                "listId": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-74d80420-0a1c-11ee-94e8-b97b8109133e",
+                                "name": "Isolate Endpoint",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Block Indicators"
+                                    }
+                                },
+                                "buttonClass": "error",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "92b065a0-0a1c-11ee-94e8-b97b8109133e",
+                                "index": 4,
+                                "name": "Block IOCs",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Block Account"
+                                    }
+                                },
+                                "buttonClass": "error",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "23f8b020-0ec9-11ee-a51d-a990e3e96055",
+                                "index": 4,
+                                "name": "Block Account",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Quarantine File"
+                                    }
+                                },
+                                "buttonClass": "error",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "5b971bd0-2499-11ee-8af3-f160d3812173",
+                                "index": 5,
+                                "name": "Quarantine File",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "closeNotes": {
+                                        "simple": "",
+                                        "userMarkedRequired": true
+                                    },
+                                    "closeReason": {
+                                        "simple": "",
+                                        "userMarkedRequired": true
+                                    }
+                                },
+                                "buttonClass": "success",
+                                "dropEffect": "move",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "907087c0-0a1c-11ee-94e8-b97b8109133e",
+                                "index": 6,
+                                "listId": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-74d80420-0a1c-11ee-94e8-b97b8109133e",
+                                "name": "Close Hunting Session",
+                                "scriptId": "Builtin|||closeInvestigation",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "dropEffect": "move",
+                                "endCol": 1,
+                                "fieldId": "endpointisolationstatus",
+                                "height": 53,
+                                "id": "b785d850-0ab3-11ee-b966-55e2f7a73dc9",
+                                "index": 7,
+                                "listId": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-74d80420-0a1c-11ee-94e8-b97b8109133e",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 2,
+                                "fieldId": "userblockstatus",
+                                "height": 53,
+                                "id": "51929c50-0ee0-11ee-9be8-03c60dac9e17",
+                                "index": 8,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "dropEffect": "move",
+                                "endCol": 2,
+                                "fieldId": "blockindicatorsstatus",
+                                "height": 53,
+                                "id": "f057cf80-0a1d-11ee-94e8-b97b8109133e",
+                                "index": 9,
+                                "listId": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-74d80420-0a1c-11ee-94e8-b97b8109133e",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            }
+                        ],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Actions",
+                        "static": false,
+                        "w": 1,
+                        "x": 1,
+                        "y": 2
+                    },
+                    {
+                        "h": 2,
+                        "i": "caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-lsqweemtuk-field-changed-caseinfoid-4fcf36a0-2095-11ee-8b39-a7ebb8a31864",
+                        "items": [],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Updates For The Hunter",
+                        "static": false,
+                        "type": "notes",
+                        "w": 3,
+                        "x": 0,
+                        "y": 0
+                    },
+                    {
+                        "description": "Follow the instruction to build and execute your hunting query.",
+                        "h": 4,
+                        "i": "caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-lsqweemtuk-field-changed-caseinfoid-5bbc3120-2095-11ee-8b39-a7ebb8a31864",
+                        "items": [],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Instructions",
+                        "static": false,
+                        "type": "workplan",
+                        "w": 1,
+                        "x": 2,
+                        "y": 2
+                    },
+                    {
+                        "description": "Upon executing a custom query, the results will be promptly displayed in this section.",
+                        "displayType": "CARD",
+                        "h": 4,
+                        "hideItemTitleOnlyOne": true,
+                        "hideName": false,
+                        "i": "caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-lsqweemtuk-field-changed-caseinfoid-333e7890-2480-11ee-a551-4de127fb8d67",
+                        "items": [
+                            {
+                                "endCol": 2,
+                                "fieldId": "customqueryresults",
+                                "height": 106,
+                                "id": "68e0f1c0-249a-11ee-b86a-459fde83cad3",
+                                "index": 0,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            }
+                        ],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Custom Query Results",
+                        "static": false,
+                        "w": 1,
+                        "x": 0,
+                        "y": 2
+                    }
+                ],
+                "type": "custom"
+            },
+            {
+                "filters": [
+                    [
+                        {
+                            "ignoreCase": false,
+                            "left": {
+                                "isContext": true,
+                                "value": {
+                                    "simple": "freestylehunt"
+                                }
+                            },
+                            "operator": "isEqualString",
+                            "right": {
+                                "isContext": false,
+                                "value": {
+                                    "simple": "True"
+                                }
+                            },
+                            "type": "shortText"
+                        }
+                    ]
+                ],
+                "hidden": false,
+                "id": "loos7lrdto",
+                "name": "Freestyle Hunting",
+                "sections": [
+                    {
+                        "description": "Upon executing a entity enrichment, the results will be promptly displayed in this section.",
+                        "displayType": "CARD",
+                        "h": 4,
+                        "hideName": false,
+                        "i": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-lsqweemtuk-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-51034f40-09eb-11ee-abc4-2b5a1ddfcac7",
+                        "items": [
+                            {
+                                "dropEffect": "move",
+                                "endCol": 6,
+                                "fieldId": "endpointsdetails",
+                                "height": 44,
+                                "id": "1f477c20-1403-11ee-85c9-5b605042f1e1",
+                                "index": 0,
+                                "listId": "caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-51034f40-09eb-11ee-abc4-2b5a1ddfcac7",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 6,
+                                "fieldId": "usersdetails",
+                                "height": 44,
+                                "id": "1d661c80-1404-11ee-a9af-a9d9f3be4779",
+                                "index": 1,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 6,
+                                "fieldId": "relatedalerts",
+                                "height": 44,
+                                "id": "e5f60f70-140e-11ee-a9af-a9d9f3be4779",
+                                "index": 2,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            }
+                        ],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Entity Enrichment",
+                        "static": false,
+                        "w": 3,
+                        "x": 0,
+                        "y": 6
+                    },
+                    {
+                        "description": "Set of post-hunting actions. There is a manual Collection task before the actual remediation. Executing a new action will abort the previous one, if hasn't done yet.",
+                        "displayType": "CARD",
+                        "h": 4,
+                        "hideName": false,
+                        "i": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-lsqweemtuk-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-74d80420-0a1c-11ee-94e8-b97b8109133e",
+                        "items": [
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Entity Enrichment"
+                                    }
+                                },
+                                "buttonClass": "primary",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "91a70bf0-0a1c-11ee-94e8-b97b8109133e",
+                                "index": 0,
+                                "name": "Entity Enrichment",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Search And Block Software - Generic"
+                                    }
+                                },
+                                "buttonClass": "primary",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "09b7c210-314b-11ee-9036-1938f862dddc",
+                                "index": 1,
+                                "name": "Search And Block Software",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Execute Query"
+                                    }
+                                },
+                                "buttonClass": "primary",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "74341230-14c0-11ee-985b-5d9798906d26",
+                                "index": 2,
+                                "name": "Execute Custom Query",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Endpoint Isolation"
+                                    }
+                                },
+                                "buttonClass": "error",
+                                "dropEffect": "move",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "a60e1cb0-2096-11ee-8b39-a7ebb8a31864",
+                                "index": 2,
+                                "listId": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-74d80420-0a1c-11ee-94e8-b97b8109133e",
+                                "name": "Isolate Endpoint",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Block Indicators"
+                                    }
+                                },
+                                "buttonClass": "error",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "92b065a0-0a1c-11ee-94e8-b97b8109133e",
+                                "index": 3,
+                                "name": "Upload \u0026 Block IOCs",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Block Account"
+                                    }
+                                },
+                                "buttonClass": "error",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "23f8b020-0ec9-11ee-a51d-a990e3e96055",
+                                "index": 4,
+                                "name": "Block Account",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Quarantine File"
+                                    }
+                                },
+                                "buttonClass": "error",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "5b971bd0-2499-11ee-8af3-f160d3812173",
+                                "index": 5,
+                                "name": "Quarantine File",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "closeNotes": {
+                                        "simple": "",
+                                        "userMarkedRequired": true
+                                    },
+                                    "closeReason": {
+                                        "simple": "",
+                                        "userMarkedRequired": true
+                                    }
+                                },
+                                "buttonClass": "success",
+                                "dropEffect": "move",
+                                "endCol": 2,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "907087c0-0a1c-11ee-94e8-b97b8109133e",
+                                "index": 6,
+                                "listId": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-74d80420-0a1c-11ee-94e8-b97b8109133e",
+                                "name": "Close Hunting Session",
+                                "scriptId": "Builtin|||closeInvestigation",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "dropEffect": "move",
+                                "endCol": 1,
+                                "fieldId": "endpointisolationstatus",
+                                "height": 53,
+                                "id": "b785d850-0ab3-11ee-b966-55e2f7a73dc9",
+                                "index": 7,
+                                "listId": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-74d80420-0a1c-11ee-94e8-b97b8109133e",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 2,
+                                "fieldId": "userblockstatus",
+                                "height": 53,
+                                "id": "51929c50-0ee0-11ee-9be8-03c60dac9e17",
+                                "index": 8,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "dropEffect": "move",
+                                "endCol": 2,
+                                "fieldId": "blockindicatorsstatus",
+                                "height": 53,
+                                "id": "f057cf80-0a1d-11ee-94e8-b97b8109133e",
+                                "index": 9,
+                                "listId": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-74d80420-0a1c-11ee-94e8-b97b8109133e",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            }
+                        ],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Actions",
+                        "static": false,
+                        "w": 1,
+                        "x": 1,
+                        "y": 2
+                    },
+                    {
+                        "h": 2,
+                        "i": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-lsqweemtuk-field-changed-caseinfoid-4fcf36a0-2095-11ee-8b39-a7ebb8a31864",
+                        "items": [],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Updates For The Hunter",
+                        "static": false,
+                        "type": "notes",
+                        "w": 3,
+                        "x": 0,
+                        "y": 0
+                    },
+                    {
+                        "description": "Follow the instruction to build and execute your hunting query.",
+                        "h": 4,
+                        "i": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-lsqweemtuk-field-changed-caseinfoid-5bbc3120-2095-11ee-8b39-a7ebb8a31864",
+                        "items": [],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Query Instructions",
+                        "static": false,
+                        "type": "workplan",
+                        "w": 1,
+                        "x": 2,
+                        "y": 2
+                    },
+                    {
+                        "description": "Upon executing a custom query, the results will be promptly displayed in this section.",
+                        "displayType": "CARD",
+                        "h": 4,
+                        "hideItemTitleOnlyOne": true,
+                        "hideName": false,
+                        "i": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-lsqweemtuk-field-changed-caseinfoid-333e7890-2480-11ee-a551-4de127fb8d67",
+                        "items": [
+                            {
+                                "endCol": 2,
+                                "fieldId": "customqueryresults",
+                                "height": 106,
+                                "id": "68e0f1c0-249a-11ee-b86a-459fde83cad3",
+                                "index": 0,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            }
+                        ],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Custom Query Results",
+                        "static": false,
+                        "w": 1,
+                        "x": 0,
+                        "y": 2
+                    }
+                ],
+                "type": "custom"
+            },
+            {
+                "filters": [
+                    [
+                        {
+                            "ignoreCase": false,
+                            "left": {
+                                "isContext": true,
+                                "value": {
+                                    "simple": "huntingsessionstatus"
+                                }
+                            },
+                            "operator": "isNotEmpty",
+                            "right": null,
+                            "type": "shortText"
+                        }
+                    ]
+                ],
+                "hidden": true,
+                "id": "upjje5nuji",
+                "name": "Investigation \u0026 Response copy",
+                "sections": [
+                    {
+                        "description": "To get entities details, click \"Entity Enrichment\" in the actions section.",
+                        "displayType": "CARD",
+                        "h": 4,
+                        "hideName": false,
+                        "i": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-51034f40-09eb-11ee-abc4-2b5a1ddfcac7",
+                        "items": [
+                            {
+                                "dropEffect": "move",
+                                "endCol": 6,
+                                "fieldId": "endpointsdetails",
+                                "height": 44,
+                                "id": "1f477c20-1403-11ee-85c9-5b605042f1e1",
+                                "index": 0,
+                                "listId": "caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-51034f40-09eb-11ee-abc4-2b5a1ddfcac7",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 6,
+                                "fieldId": "usersdetails",
+                                "height": 44,
+                                "id": "1d661c80-1404-11ee-a9af-a9d9f3be4779",
+                                "index": 1,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 6,
+                                "fieldId": "relatedalerts",
+                                "height": 44,
+                                "id": "e5f60f70-140e-11ee-a9af-a9d9f3be4779",
+                                "index": 2,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            }
+                        ],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Entity Enrichment",
+                        "static": false,
+                        "w": 3,
+                        "x": 0,
+                        "y": 9
+                    },
+                    {
+                        "description": "Set of post-hunting actions. There is a manual Collection task before the actual remediation. Executing a new action will abort the previous one, if hasn't done yet.",
+                        "displayType": "CARD",
+                        "h": 4,
+                        "hideName": false,
+                        "i": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-74d80420-0a1c-11ee-94e8-b97b8109133e",
+                        "items": [
+                            {
+                                "args": {
+                                    "closeNotes": {
+                                        "simple": "",
+                                        "userMarkedRequired": true
+                                    },
+                                    "closeReason": {
+                                        "simple": "",
+                                        "userMarkedRequired": true
+                                    }
+                                },
+                                "buttonClass": "success",
+                                "endCol": 4,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "907087c0-0a1c-11ee-94e8-b97b8109133e",
+                                "index": 0,
+                                "name": "Close Hunting Session",
+                                "scriptId": "Builtin|||closeInvestigation",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Entity Enrichment"
+                                    }
+                                },
+                                "buttonClass": "primary",
+                                "endCol": 4,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "91a70bf0-0a1c-11ee-94e8-b97b8109133e",
+                                "index": 1,
+                                "name": "Entity Enrichment",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Execute Query"
+                                    }
+                                },
+                                "buttonClass": "primary",
+                                "endCol": 4,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "74341230-14c0-11ee-985b-5d9798906d26",
+                                "index": 2,
+                                "name": "Execute Custom Query",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Block Indicators"
+                                    }
+                                },
+                                "buttonClass": "error",
+                                "endCol": 4,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "92b065a0-0a1c-11ee-94e8-b97b8109133e",
+                                "index": 3,
+                                "name": "Block IOCs",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "dropEffect": "move",
+                                "endCol": 4,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "a60e1cb0-2096-11ee-8b39-a7ebb8a31864",
+                                "index": 4,
+                                "listId": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-74d80420-0a1c-11ee-94e8-b97b8109133e",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "args": {
+                                    "name": {
+                                        "simple": "Proactive Threat Hunting - Block Account"
+                                    }
+                                },
+                                "buttonClass": "error",
+                                "endCol": 4,
+                                "fieldId": "",
+                                "height": 53,
+                                "id": "23f8b020-0ec9-11ee-a51d-a990e3e96055",
+                                "index": 5,
+                                "name": "Block Account",
+                                "scriptId": "Builtin|||setPlaybook",
+                                "sectionItemType": "button",
+                                "startCol": 0
+                            },
+                            {
+                                "dropEffect": "move",
+                                "endCol": 1,
+                                "fieldId": "endpointisolationstatus",
+                                "height": 53,
+                                "id": "b785d850-0ab3-11ee-b966-55e2f7a73dc9",
+                                "index": 6,
+                                "listId": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-74d80420-0a1c-11ee-94e8-b97b8109133e",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "endCol": 2,
+                                "fieldId": "userblockstatus",
+                                "height": 53,
+                                "id": "51929c50-0ee0-11ee-9be8-03c60dac9e17",
+                                "index": 7,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            },
+                            {
+                                "dropEffect": "move",
+                                "endCol": 2,
+                                "fieldId": "blockindicatorsstatus",
+                                "height": 53,
+                                "id": "f057cf80-0a1d-11ee-94e8-b97b8109133e",
+                                "index": 8,
+                                "listId": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-field-changed-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-74d80420-0a1c-11ee-94e8-b97b8109133e",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            }
+                        ],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Actions",
+                        "static": false,
+                        "w": 2,
+                        "x": 1,
+                        "y": 2
+                    },
+                    {
+                        "displayType": "CARD",
+                        "h": 3,
+                        "hideName": false,
+                        "i": "caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-caseinfoid-6d0c67f0-14c0-11ee-985b-5d9798906d26",
+                        "items": [
+                            {
+                                "dropEffect": "move",
+                                "endCol": 4,
+                                "fieldId": "customqueryresults",
+                                "height": 106,
+                                "id": "cab9bab0-14c0-11ee-985b-5d9798906d26",
+                                "index": 0,
+                                "listId": "caseinfoid-6d0c67f0-14c0-11ee-985b-5d9798906d26",
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            }
+                        ],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Custom Query Results",
+                        "static": false,
+                        "w": 3,
+                        "x": 0,
+                        "y": 6
+                    },
+                    {
+                        "h": 2,
+                        "i": "caseinfoid-4fcf36a0-2095-11ee-8b39-a7ebb8a31864",
+                        "items": [],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Query Status ",
+                        "static": false,
+                        "type": "notes",
+                        "w": 3,
+                        "x": 0,
+                        "y": 0
+                    },
+                    {
+                        "description": "Follow the instruction to build and execute your hunting query.",
+                        "h": 4,
+                        "i": "caseinfoid-5bbc3120-2095-11ee-8b39-a7ebb8a31864",
+                        "items": [],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Query Instructions",
+                        "static": false,
+                        "type": "workplan",
+                        "w": 1,
+                        "x": 0,
+                        "y": 2
+                    }
+                ],
+                "type": "custom"
+            },
+            {
+                "hidden": true,
+                "id": "ifeizyi4oe",
+                "name": "Control Panel copy",
+                "sections": [
+                    {
+                        "h": 3,
+                        "i": "caseinfoid-lsqweemtuk-caseinfoid-field-changed-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-caseinfoid-field-changed-caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8",
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Query Status ",
+                        "static": false,
+                        "type": "notes",
+                        "w": 1,
+                        "x": 2,
+                        "y": 0
+                    },
+                    {
+                        "description": "Follow the instruction to build and execute your hunting query.",
+                        "displayType": "ROW",
+                        "h": 3,
+                        "i": "caseinfoid-lsqweemtuk-caseinfoid-field-changed-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-field-changed-caseinfoid-field-changed-caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8",
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Query Instructions",
+                        "static": false,
+                        "type": "workplan",
+                        "w": 2,
+                        "x": 0,
+                        "y": 0
+                    },
+                    {
+                        "h": 3,
+                        "i": "caseinfoid-lsqweemtuk-caseinfoid-field-changed-caseinfoid-lsqweemtuk-caseinfoid-lsqweemtuk-caseinfoid-fvtmv2oyuw-caseinfoid-fvtmv2oyuw-lsqweemtuk-caseinfoid-33264160-09c0-11ee-8f72-f32dc12d5a8f",
+                        "items": [],
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Evidence Results",
+                        "sort": {
+                            "asc": false,
+                            "field": "description"
+                        },
+                        "static": false,
+                        "type": "evidence",
+                        "w": 3,
+                        "x": 0,
+                        "y": 3
+                    }
+                ],
+                "type": "custom"
+            },
+            {
+                "hidden": false,
+                "id": "warRoom",
+                "name": "War Room",
+                "type": "warRoom"
+            },
+            {
+                "hidden": false,
+                "id": "workPlan",
+                "name": "Work Plan",
+                "type": "workPlan"
+            },
+            {
+                "hidden": true,
+                "id": "evidenceBoard",
+                "name": "Evidence Board",
+                "type": "evidenceBoard"
+            },
+            {
+                "hidden": true,
+                "id": "relatedIncidents",
+                "name": "Related Incidents",
+                "type": "relatedIncidents"
+            },
+            {
+                "hidden": true,
+                "id": "canvas",
+                "name": "Canvas",
+                "type": "canvas"
+},
+            {
+                "hidden": false,
+                "id": "cis1gmcroi",
+                "name": "Cheat Sheet",
+                "sections": [
+                    {
+                        "displayType": "ROW",
+                        "h": 10,
+                        "hideName": true,
+                        "i": "caseinfoid-cis1gmcroi-caseinfoid-7d05e0a0-56c4-11ee-9a16-f746601c51f2",
+                        "items": [
+                            {
+                                "endCol": 6,
+                                "fieldId": "cheatsheet",
+                                "height": 44,
+                                "id": "7fce2860-56c4-11ee-9a16-f746601c51f2",
+                                "index": 0,
+                                "sectionItemType": "field",
+                                "startCol": 0
+                            }
+                        ],
+                        "maxH": null,
+                        "maxW": 3,
+                        "minH": 1,
+                        "moved": false,
+                        "name": "Cheat Sheet",
+                        "static": false,
+                        "w": 3,
+                        "x": 0,
+                        "y": 0
+                    }
+                ],
+                "type": "custom"
+            }
+        ]
+    },
+    "edit": {
+        "sections": [
+            {
+                "description": "",
+                "fields": [
+                    {
+                        "fieldId": "incident_name",
+                        "isVisible": true
+                    },
+                    {
+                        "fieldId": "incident_owner",
+                        "isVisible": true
+                    },
+                    {
+                        "fieldId": "incident_type",
+                        "isVisible": true
+                    },
+                    {
+                        "fieldId": "incident_tags",
+                        "isVisible": true
+                    }
+                ],
+                "isVisible": true,
+                "name": "Basic Information",
+                "query": null,
+                "queryType": "",
+                "readOnly": false,
+                "type": ""
+            }
+        ]
+    },
+    "group": "incident",
+    "id": "Proactive Threat Hunting",
+    "name": "Proactive Threat Hunting",
+    "system": false,
+    "version": -1,
+    "fromVersion": "6.9.0",
+    "description": ""
+}
\ No newline at end of file
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting.yml b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting.yml
new file mode 100644
index 000000000000..273baceac503
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting.yml
@@ -0,0 +1,557 @@
+id: Proactive Threat Hunting
+version: -1
+name: Proactive Threat Hunting
+description: |-
+  This playbook is the main playbook of the 'Proactive Threat Hunting' pack. It automatically runs during a new hunting session and guides the threat hunter through the session based on the selected hunting method. The available hunting methods are:
+
+  - SDO Hunt: Constructs the hunting hypothesis based on SDO indicators (Campaign, Malware, Intrusion Set).
+  - Freestyle Hunt: Allows the threat hunter to provide their own queries and IOCs for hunting.
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: 48846196-19b9-45b1-8518-ab54ed93f228
+    type: start
+    task:
+      id: 48846196-19b9-45b1-8518-ab54ed93f228
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "28"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": -120
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "5":
+    id: "5"
+    taskid: 5e812120-6fcc-422d-82f2-f0be6d684bca
+    type: collection
+    task:
+      id: 5e812120-6fcc-422d-82f2-f0be6d684bca
+      version: -1
+      name: SDO hunt
+      type: collection
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "41"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -200,
+          "y": 840
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Our organization is compromised due to
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: singleSelect
+        options: []
+        optionsarg:
+        - simple: Campaign
+        - simple: Malware
+        - simple: Intrusion Set
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      title: General Hypothesis
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "28":
+    id: "28"
+    taskid: 55f7df93-7f3b-4b7d-85ac-e35c9c61280a
+    type: regular
+    task:
+      id: 55f7df93-7f3b-4b7d-85ac-e35c9c61280a
+      version: -1
+      name: Set incident tag
+      description: Change the properties of an incident.
+      script: Builtin|||setIncident
+      type: regular
+      iscommand: true
+      brand: Builtin
+    nexttasks:
+      '#none#':
+      - "42"
+    scriptarguments:
+      tags:
+        complex:
+          root: inputs.IncidentTag
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 10
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Block Indicators Status
+      output:
+        simple: Not Executed
+    - incidentfield: Endpoint Isolation Status
+      output:
+        simple: Not Executed
+    - incidentfield: User Block Status
+      output:
+        simple: Not Executed
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "35":
+    id: "35"
+    taskid: d1fcbceb-f0d4-4716-847a-03a99ce8b89e
+    type: title
+    task:
+      id: d1fcbceb-f0d4-4716-847a-03a99ce8b89e
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 1180
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "41":
+    id: "41"
+    taskid: 768138da-2f6c-4719-8e8a-d221817fe82f
+    type: playbook
+    task:
+      id: 768138da-2f6c-4719-8e8a-d221817fe82f
+      version: -1
+      name: Proactive Threat Hunting - SDO Threat Hunting
+      playbookName: Proactive Threat Hunting - SDO Threat Hunting
+      type: playbook
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "35"
+    scriptarguments:
+      HuntingTimeFrame:
+        complex:
+          root: inputs.HuntingTimeFrame
+      IOCsFoundTag:
+        simple: Hunting Session - Exist In Environment
+      IOCsToSearchTag:
+        simple: Hunting Session
+      SDOName:
+        complex:
+          root: incident
+          accessor: sdoname
+      SDOType:
+        complex:
+          root: General Hypothesis.Answers
+          accessor: "0"
+      StringSimilarityThreshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": -510,
+          "y": 1010
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "42":
+    id: "42"
+    taskid: 6b95d466-9d56-4f1a-8829-3b1972077d66
+    type: condition
+    task:
+      id: 6b95d466-9d56-4f1a-8829-3b1972077d66
+      version: -1
+      name: Executed from indicator layout?
+      description: Checks if the incident was executed from the indicator layout.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "43"
+      "Yes":
+      - "41"
+    separatecontext: false
+    conditions:
+    - label: "Yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: incident
+                accessor: sdoname
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 170
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "43":
+    id: "43"
+    taskid: 5729a1c8-5911-4c26-8db4-14e638020822
+    type: regular
+    task:
+      id: 5729a1c8-5911-4c26-8db4-14e638020822
+      version: -1
+      name: Print message to notes
+      description: Prints text to the War Room. (Markdown supported).
+      scriptName: Print
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "44"
+    scriptarguments:
+      value:
+        simple: Kindly follow the  "Hunting Session Instructions" section to execute the threat hunting session.
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 340
+        }
+      }
+    note: true
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "44":
+    id: "44"
+    taskid: db4cee47-2b68-401e-88ff-6e9b3f580b51
+    type: collection
+    task:
+      id: db4cee47-2b68-401e-88ff-6e9b3f580b51
+      version: -1
+      name: General hypothesis
+      type: collection
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "45"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 510
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: I Want to hunt for
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: singleSelect
+        options: []
+        optionsarg:
+        - simple: SDO Indicator(Campaign/Intrusion Set/Malware)
+        - simple: Freestyle Hunt
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      title: I Want to hunt for
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "45":
+    id: "45"
+    taskid: ec471de0-f8bb-4391-8c31-ab18223eabe2
+    type: condition
+    task:
+      id: ec471de0-f8bb-4391-8c31-ab18223eabe2
+      version: -1
+      name: Hunting method chosen
+      description: Choose hunting method based on the collection task.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      Freestyle:
+      - "47"
+      SDO:
+      - "5"
+    separatecontext: false
+    conditions:
+    - label: SDO
+      condition:
+      - - operator: isEqualString
+          left:
+            value:
+              complex:
+                root: I Want to hunt for.Answers
+                accessor: "0"
+            iscontext: true
+          right:
+            value:
+              simple: SDO Indicator(Campaign/Intrusion Set/Malware)
+          ignorecase: true
+    - label: Freestyle
+      condition:
+      - - operator: isEqualString
+          left:
+            value:
+              complex:
+                root: I Want to hunt for.Answers
+                accessor: "0"
+            iscontext: true
+          right:
+            value:
+              simple: Freestyle Hunt
+          ignorecase: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 670
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "47":
+    id: "47"
+    taskid: 6169fd8b-1dbc-4070-8ba3-6cb757eb4709
+    type: regular
+    task:
+      id: 6169fd8b-1dbc-4070-8ba3-6cb757eb4709
+      version: -1
+      name: Set freestyle hunt true
+      description: commands.local.cmd.set.incident
+      script: Builtin|||setIncident
+      type: regular
+      iscommand: true
+      brand: Builtin
+    nexttasks:
+      '#none#':
+      - "48"
+    scriptarguments:
+      freestylehunt:
+        simple: "True"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 330,
+          "y": 840
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "48":
+    id: "48"
+    taskid: 083b81ce-0303-4fa3-8a49-b960f18c4829
+    type: regular
+    task:
+      id: 083b81ce-0303-4fa3-8a49-b960f18c4829
+      version: -1
+      name: Print message to notes
+      description: Prints text to the War Room. (Markdown supported).
+      scriptName: Print
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "35"
+    scriptarguments:
+      value:
+        simple: Freestyle hunt session executed. Kindly navigate to the "Freestyle hunt" to proceed.
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 330,
+          "y": 1000
+        }
+      }
+    note: true
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+view: |-
+  {
+    "linkLabelsPosition": {
+      "42_41_Yes": 0.58,
+      "45_5_SDO": 0.23
+    },
+    "paper": {
+      "dimensions": {
+        "height": 1365,
+        "width": 1220,
+        "x": -510,
+        "y": -120
+      }
+    }
+  }
+inputs:
+- key: IncidentTag
+  value:
+    simple: Threat Hunting
+  required: false
+  description: A tag that will be attached to Threat Hunting incidents.
+  playbookInputQuery:
+- key: HuntingTimeFrame
+  value:
+    simple: 7 Days
+  required: false
+  description: 'Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The query execution script default is the last 24 hours.'
+  playbookInputQuery:
+- key: StringSimilarityThreshold
+  value:
+    simple: "0.5"
+  required: false
+  description: |-
+    StringSimilarity automation threshold. StringSimilarity is being used in this playbook to compare between pattern of malicious use in a tool and command-line arguments found in the environment.
+    Please provide number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold.
+  playbookInputQuery:
+outputs: []
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Account.yml b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Account.yml
new file mode 100644
index 000000000000..666eecbd5930
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Account.yml
@@ -0,0 +1,406 @@
+id: Proactive Threat Hunting - Block Account
+version: -1
+name: Proactive Threat Hunting - Block Account
+description: This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of blocking a user specified by the analyst.
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: d7417066-4771-4d97-8d7f-d88a6bad855e
+    type: start
+    task:
+      id: d7417066-4771-4d97-8d7f-d88a6bad855e
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "2"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -120
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "2":
+    id: "2"
+    taskid: 4bacea38-fadc-400b-896a-4b1e17995274
+    type: regular
+    task:
+      id: 4bacea38-fadc-400b-896a-4b1e17995274
+      version: -1
+      name: Print update to notes
+      description: Prints text to the War Room. (Markdown supported).
+      scriptName: Print
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "7"
+    scriptarguments:
+      value:
+        simple: Block account procedure has executed. Follow the work plan to continue.
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 10
+        }
+      }
+    note: true
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: User Block Status
+      output:
+        simple: Executed
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "3":
+    id: "3"
+    taskid: 884c68a6-6af0-438e-8303-f46f4b097166
+    type: collection
+    task:
+      id: 884c68a6-6af0-438e-8303-f46f4b097166
+      version: -1
+      name: Select account to block
+      type: collection
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "4"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 340
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Select account to block
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: multiSelect
+        options: []
+        optionsarg:
+        - {}
+        - complex:
+            root: incident
+            accessor: affectedusers
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      title: Select Account To Block
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "4":
+    id: "4"
+    taskid: 4a3f5cba-3a8d-442a-8845-2b09eb8408f1
+    type: condition
+    task:
+      id: 4a3f5cba-3a8d-442a-8845-2b09eb8408f1
+      version: -1
+      name: Has account to block?
+      description: Checks if there is an account to block.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "5"
+      "yes":
+      - "9"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: Select Account To Block.Answers
+                accessor: "0"
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 500
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "5":
+    id: "5"
+    taskid: ab1fa8ce-2617-4030-8229-8aaa4ec6053b
+    type: title
+    task:
+      id: ab1fa8ce-2617-4030-8229-8aaa4ec6053b
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 840
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "7":
+    id: "7"
+    taskid: 790a758e-3bd7-412b-8b50-56a16abe34bc
+    type: condition
+    task:
+      id: 790a758e-3bd7-412b-8b50-56a16abe34bc
+      version: -1
+      name: Executed from freestyle hunt?
+      description: Checks if the playbook was executed from the "Freestyle hunt" tab.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "3"
+      "yes":
+      - "8"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isEqualString
+          left:
+            value:
+              complex:
+                root: incident
+                accessor: freestylehunt
+            iscontext: true
+          right:
+            value:
+              simple: "True"
+          ignorecase: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 170
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "8":
+    id: "8"
+    taskid: 21bb865d-52e4-4e8b-8e17-d69528cc7bb7
+    type: collection
+    task:
+      id: 21bb865d-52e4-4e8b-8e17-d69528cc7bb7
+      version: -1
+      name: Enter account name to block
+      type: collection
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "9"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 870,
+          "y": 340
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Enter Account Name To Block
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: shortText
+        options: []
+        optionsarg: []
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      title: Enter Account Name To Block
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "9":
+    id: "9"
+    taskid: 011c057a-1ba9-4640-808f-20df4ff02101
+    type: playbook
+    task:
+      id: 011c057a-1ba9-4640-808f-20df4ff02101
+      version: -1
+      name: Block Account - Generic v2
+      playbookName: Block Account - Generic v2
+      type: playbook
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "5"
+    scriptarguments:
+      Tag:
+        simple: Bad Account
+      UserVerification:
+        simple: "False"
+      Username:
+        complex:
+          root: Select Account To Block.Answers
+          accessor: "0"
+          transformers:
+          - operator: SetIfEmpty
+            args:
+              applyIfEmpty: {}
+              defaultValue:
+                value:
+                  simple: Enter Account Name To Block.Answers.0
+                iscontext: true
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 0
+    view: |-
+      {
+        "position": {
+          "x": 870,
+          "y": 670
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+system: true
+view: |-
+  {
+    "linkLabelsPosition": {
+      "4_5_#default#": 0.55,
+      "7_3_#default#": 0.43
+    },
+    "paper": {
+      "dimensions": {
+        "height": 1025,
+        "width": 800,
+        "x": 450,
+        "y": -120
+      }
+    }
+  }
+inputs: []
+outputs: []
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Account_README.md b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Account_README.md
new file mode 100644
index 000000000000..5a743d1ef409
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Account_README.md
@@ -0,0 +1,37 @@
+This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of blocking a user specified by the analyst.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* Block Account - Generic v2
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* Print
+
+### Commands
+
+This playbook does not use any commands.
+
+## Playbook Inputs
+
+---
+There are no inputs for this playbook.
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Proactive Threat Hunting - Block Account](../doc_files/Proactive_Threat_Hunting_-_Block_Account.png)
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Indicators.yml b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Indicators.yml
new file mode 100644
index 000000000000..15c10374118d
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Indicators.yml
@@ -0,0 +1,847 @@
+id: Proactive Threat Hunting - Block Indicators
+version: -1
+name: Proactive Threat Hunting - Block Indicators
+description: This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of blocking indicators specified by the analyst.
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: 373d00c0-6e3b-4a0d-8fdb-fd7e4ff82acf
+    type: start
+    task:
+      id: 373d00c0-6e3b-4a0d-8fdb-fd7e4ff82acf
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "15"
+      - "8"
+      - "9"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -940
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "1":
+    id: "1"
+    taskid: 13569f3d-eefd-4c99-8d9d-a169f732f1c7
+    type: regular
+    task:
+      id: 13569f3d-eefd-4c99-8d9d-a169f732f1c7
+      version: -1
+      name: Get indicators
+      description: |-
+        Searches Cortex XSOAR Indicators.
+
+        Searches for Cortex XSOAR indicators and returns the id, indicator_type, value, and score/verdict.
+
+        You can add additional fields from the indicators using the add_field_to_context argument.
+      scriptName: SearchIndicator
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "2"
+    scriptarguments:
+      query:
+        simple: incident.id:${incident.id} tags:"Hunting Session - Exist In Environment"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 30,
+          "y": 100
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Block Indicators Status
+      output:
+        simple: Executed
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "2":
+    id: "2"
+    taskid: 2c28f1e1-dbbd-41ed-8bcf-94075968d126
+    type: playbook
+    task:
+      id: 2c28f1e1-dbbd-41ed-8bcf-94075968d126
+      version: -1
+      name: Block Indicators - Generic v3
+      playbookName: Block Indicators - Generic v3
+      type: playbook
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "3"
+    scriptarguments:
+      AutoBlockIndicators:
+        simple: "False"
+      AutoCommit:
+        simple: "No"
+      CustomBlockRule:
+        simple: "True"
+      CustomURLCategory:
+        simple: XSOAR Remediation - Malicious URLs
+      DomainToBlock:
+        complex:
+          root: foundIndicators
+          filters:
+          - - operator: isEqualString
+              left:
+                value:
+                  simple: foundIndicators.indicator_type
+                iscontext: true
+              right:
+                value:
+                  simple: domain
+              ignorecase: true
+          accessor: value
+      EmailToBlock:
+        complex:
+          root: None
+          transformers:
+          - operator: uniq
+      FilesToBlock:
+        complex:
+          root: foundIndicators
+          filters:
+          - - operator: isEqualString
+              left:
+                value:
+                  simple: foundIndicators.indicator_type
+                iscontext: true
+              right:
+                value:
+                  simple: file
+              ignorecase: true
+          accessor: value
+      IP:
+        complex:
+          root: foundIndicators
+          filters:
+          - - operator: isEqualString
+              left:
+                value:
+                  simple: foundIndicators.indicator_type
+                iscontext: true
+              right:
+                value:
+                  simple: IP
+              ignorecase: true
+          accessor: value
+      InputEnrichment:
+        simple: "False"
+      MD5:
+        complex:
+          root: None
+          transformers:
+          - operator: uniq
+      RuleDirection:
+        simple: outbound
+      RuleName:
+        simple: XSOAR - Block Indicators playbook - ${incident.id}
+      SHA256:
+        complex:
+          root: None
+          transformers:
+          - operator: uniq
+      URL:
+        complex:
+          root: foundIndicators
+          filters:
+          - - operator: isEqualString
+              left:
+                value:
+                  simple: foundIndicators.indicator_type
+                iscontext: true
+              right:
+                value:
+                  simple: url
+              ignorecase: true
+          accessor: value
+      UserVerification:
+        simple: "True"
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 270
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "3":
+    id: "3"
+    taskid: 08b09081-0f1c-42a0-8d02-9a58ac4088ca
+    type: title
+    task:
+      id: 08b09081-0f1c-42a0-8d02-9a58ac4088ca
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 440
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "4":
+    id: "4"
+    taskid: 9038c930-e180-482e-8b0f-583892205ba6
+    type: regular
+    task:
+      id: 9038c930-e180-482e-8b0f-583892205ba6
+      version: -1
+      name: Print update to notes
+      description: Prints text to the War Room. (Markdown supported).
+      scriptName: Print
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "10"
+    scriptarguments:
+      value:
+        simple: Block indicators procedure has executed. Follow the work plan to continue.
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -620
+        }
+      }
+    note: true
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "5":
+    id: "5"
+    taskid: 1e8e2819-875f-4dff-838f-e2be4f776c73
+    type: collection
+    task:
+      id: 1e8e2819-875f-4dff-838f-e2be4f776c73
+      version: -1
+      name: Which IOCs To Block?
+      description: Asking the user to select IOCs to block.
+      type: collection
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "6"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -260
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Which IOCs To Block?
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: singleSelect
+        options: []
+        optionsarg:
+        - simple: All IOCs that are related to the SDO
+        - simple: IOCs detected in my environment
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      title: Which IOCs To Block?
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "6":
+    id: "6"
+    taskid: 1c5125f8-0ee3-4eba-82f4-cce0659f3e34
+    type: condition
+    task:
+      id: 1c5125f8-0ee3-4eba-82f4-cce0659f3e34
+      version: -1
+      name: Block only detected IOCs?
+      description: Checks the user response in the collection task "Which IOCs to block?".
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "7"
+      "yes":
+      - "1"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isEqualString
+          left:
+            value:
+              complex:
+                root: Which IOCs To Block?.Answers
+                accessor: "0"
+            iscontext: true
+          right:
+            value:
+              simple: IOCs detected in my environment
+          ignorecase: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -100
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "7":
+    id: "7"
+    taskid: c3cce0f0-efa5-451e-805f-61c1aad85074
+    type: regular
+    task:
+      id: c3cce0f0-efa5-451e-805f-61c1aad85074
+      version: -1
+      name: Get indicators
+      description: |-
+        Searches Cortex XSOAR indicators.
+
+        Searches for Cortex XSOAR indicators and returns the id, indicator_type, value, and score/verdict.
+
+        You can add additional fields from the indicators using the add_field_to_context argument.
+      scriptName: SearchIndicator
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "2"
+    scriptarguments:
+      query:
+        simple: incident.id:${incident.id} tags:"Hunting Session"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 100
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Block Indicators Status
+      output:
+        simple: Executed
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "8":
+    id: "8"
+    taskid: 5f157551-88c5-4df4-8754-672b18b2a6fd
+    type: regular
+    task:
+      id: 5f157551-88c5-4df4-8754-672b18b2a6fd
+      version: -1
+      name: Delete context to avoid duplications - foundIndicators
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "4"
+    scriptarguments:
+      key:
+        simple: foundIndicators
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 880,
+          "y": -800
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "9":
+    id: "9"
+    taskid: fa3ec0b7-9d40-4f43-8855-64cd8bf4500c
+    type: regular
+    task:
+      id: fa3ec0b7-9d40-4f43-8855-64cd8bf4500c
+      version: -1
+      name: Delete context to avoid duplications - IOCs to block
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "4"
+    scriptarguments:
+      key:
+        simple: Which IOCs To Block?
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 30,
+          "y": -800
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "10":
+    id: "10"
+    taskid: 01e94d39-b13c-40db-8732-af1a36b3a8eb
+    type: condition
+    task:
+      id: 01e94d39-b13c-40db-8732-af1a36b3a8eb
+      version: -1
+      name: Executed from freestyle hunt?
+      description: Checks if the playbook was executed from the Freestyle Hunt tab.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "5"
+      "yes":
+      - "11"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isEqualString
+          left:
+            value:
+              complex:
+                root: incident
+                accessor: freestylehunt
+            iscontext: true
+          right:
+            value:
+              simple: "True"
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -450
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "11":
+    id: "11"
+    taskid: fa0df08a-f415-4fc3-8e99-ef242f8e05ee
+    type: collection
+    task:
+      id: fa0df08a-f415-4fc3-8e99-ef242f8e05ee
+      version: -1
+      name: 'Upload a CSV file '
+      description: |
+        Creates a file (using the given data input or entry ID) and uploads it to the current investigation War Room.
+      type: collection
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "13"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 900,
+          "y": -260
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Please Upload a CSV file
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: attachments
+        options: []
+        optionsarg: []
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      title: Please Upload a CSV file
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "13":
+    id: "13"
+    taskid: 5e2137da-2a58-4950-8e7f-7759b14ba83d
+    type: regular
+    task:
+      id: 5e2137da-2a58-4950-8e7f-7759b14ba83d
+      version: -1
+      name: Extract Indicators From CSV
+      description: commands.local.cmd.extract.indicators
+      script: Builtin|||extractIndicators
+      type: regular
+      iscommand: true
+      brand: Builtin
+    nexttasks:
+      '#none#':
+      - "14"
+    scriptarguments:
+      entryID:
+        complex:
+          root: Please Upload a CSV file.Answers.0.[0]
+          accessor: EntryID
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 900,
+          "y": -100
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "14":
+    id: "14"
+    taskid: bc1e2558-c767-4191-8951-e3ea835a86fa
+    type: playbook
+    task:
+      id: bc1e2558-c767-4191-8951-e3ea835a86fa
+      version: -1
+      name: Block Indicators - Generic v3
+      description: |+
+        This playbook blocks malicious indicators using all integrations that are enabled, using the following sub-playbooks:
+
+        - Block URL - Generic v2
+        - Block Account - Generic v2
+        - Block IP - Generic v3
+        - Block File - Generic v2
+        - Block Email - Generic v2
+        - Block Domain - Generic v2
+
+      playbookName: Block Indicators - Generic v3
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "3"
+    scriptarguments:
+      AutoBlockIndicators:
+        simple: "True"
+      AutoCommit:
+        simple: "No"
+      CustomBlockRule:
+        simple: "True"
+      CustomURLCategory:
+        simple: XSOAR Remediation - Malicious URLs
+      DomainToBlock:
+        complex:
+          root: ExtractedIndicators
+          accessor: Domain
+          transformers:
+          - operator: uniq
+      EmailToBlock:
+        complex:
+          root: DBotScore
+          filters:
+          - - operator: isEqualString
+              left:
+                value:
+                  simple: DBotScore.Type
+                iscontext: true
+              right:
+                value:
+                  simple: email
+          - - operator: greaterThanOrEqual
+              left:
+                value:
+                  simple: DBotScore.Score
+                iscontext: true
+              right:
+                value:
+                  simple: "3"
+          accessor: Indicator
+          transformers:
+          - operator: uniq
+      FilesToBlock:
+        complex:
+          root: ExtractedIndicators
+          accessor: File
+          transformers:
+          - operator: uniq
+      IP:
+        complex:
+          root: ExtractedIndicators
+          accessor: IP
+          transformers:
+          - operator: uniq
+      InputEnrichment:
+        simple: "False"
+      RuleDirection:
+        simple: outbound
+      RuleName:
+        simple: XSOAR - Block Indicators playbook - ${incident.id}
+      URL:
+        complex:
+          root: DBotScore
+          filters:
+          - - operator: isEqualString
+              left:
+                value:
+                  simple: DBotScore.Type
+                iscontext: true
+              right:
+                value:
+                  simple: url
+              ignorecase: true
+          - - operator: greaterThanOrEqual
+              left:
+                value:
+                  simple: DBotScore.Score
+                iscontext: true
+              right:
+                value:
+                  simple: "3"
+          accessor: Indicator
+          transformers:
+          - operator: uniq
+      UserVerification:
+        simple: "False"
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 900,
+          "y": 270
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "15":
+    id: "15"
+    taskid: 2dabf83a-5538-4a01-8c1c-f7565198bb1a
+    type: regular
+    task:
+      id: 2dabf83a-5538-4a01-8c1c-f7565198bb1a
+      version: -1
+      name: Delete context to avoid duplications - ExtractedIndicators
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "4"
+    scriptarguments:
+      key:
+        simple: ExtractedIndicators
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -800
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+view: |-
+  {
+    "linkLabelsPosition": {
+      "6_1_yes": 0.46,
+      "6_7_#default#": 0.59
+    },
+    "paper": {
+      "dimensions": {
+        "height": 1445,
+        "width": 1250,
+        "x": 30,
+        "y": -940
+      }
+    }
+  }
+inputs: []
+outputs: []
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Indicators_README.md b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Indicators_README.md
new file mode 100644
index 000000000000..a69a455eee46
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Indicators_README.md
@@ -0,0 +1,39 @@
+This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of blocking indicators specified by the analyst.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* Block Indicators - Generic v3
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* Print
+* SearchIndicator
+* DeleteContext
+
+### Commands
+
+* extractIndicators
+
+## Playbook Inputs
+
+---
+There are no inputs for this playbook.
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Proactive Threat Hunting - Block Indicators](../doc_files/Proactive_Threat_Hunting_-_Block_Indicators.png)
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Endpoint_Isolation.yml b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Endpoint_Isolation.yml
new file mode 100644
index 000000000000..6d0212e53ccb
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Endpoint_Isolation.yml
@@ -0,0 +1,406 @@
+id: Proactive Threat Hunting - Endpoint Isolation
+version: -1
+name: Proactive Threat Hunting - Endpoint Isolation
+description: |
+  This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of isolating a host specified by the analyst.
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: d8cb08d9-07e7-4890-8e1d-d62d3e3dee96
+    type: start
+    task:
+      id: d8cb08d9-07e7-4890-8e1d-d62d3e3dee96
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "2"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -130
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "1":
+    id: "1"
+    taskid: aebc98b0-46ba-46e0-8239-b2b67e256c9b
+    type: playbook
+    task:
+      id: aebc98b0-46ba-46e0-8239-b2b67e256c9b
+      version: -1
+      name: Isolate Endpoint - Generic V2
+      description: |-
+        This playbook isolates a given endpoint using various endpoint product integrations.
+        Make sure to provide valid playbook inputs for the integration you are using.
+      playbookName: Isolate Endpoint - Generic V2
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "5"
+    scriptarguments:
+      Endpoint_hostname:
+        complex:
+          root: Select Endpoint To Isolate.Answers
+          accessor: "0"
+          transformers:
+          - operator: SetIfEmpty
+            args:
+              applyIfEmpty: {}
+              defaultValue:
+                value:
+                  simple: Select Endpoint To Isolate.Answers.0
+                iscontext: true
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 860,
+          "y": 670
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "2":
+    id: "2"
+    taskid: 66dba88b-62e6-42e7-83a7-c27389fdb346
+    type: regular
+    task:
+      id: 66dba88b-62e6-42e7-83a7-c27389fdb346
+      version: -1
+      name: Print update to notes
+      description: Prints text to the War Room. (Markdown supported).
+      scriptName: Print
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "6"
+    scriptarguments:
+      value:
+        simple: Endpoint isolation procedure has executed. Follow the work plan to continue.
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 0
+        }
+      }
+    note: true
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Endpoint Isolation Status
+      output:
+        simple: Executed
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "3":
+    id: "3"
+    taskid: 27544442-9757-4523-84f4-49181805f501
+    type: collection
+    task:
+      id: 27544442-9757-4523-84f4-49181805f501
+      version: -1
+      name: Select endpoint to isolate
+      description: Asking the user to select an endpoint to isolate.
+      type: collection
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "4"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 340
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Select Endpoint To Isolate
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: multiSelect
+        options: []
+        optionsarg:
+        - {}
+        - complex:
+            root: incident
+            accessor: affectedhosts
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      title: Select Endpoint To Isolate
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "4":
+    id: "4"
+    taskid: 671ae69a-9ca5-438c-8dc0-e2ddd4b4a743
+    type: condition
+    task:
+      id: 671ae69a-9ca5-438c-8dc0-e2ddd4b4a743
+      version: -1
+      name: Has endpoint to isolate?
+      description: Checks the user's choice in the collection task "Select endpoint to isolate".
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "5"
+      "yes":
+      - "1"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: Select Endpoint To Isolate.Answers
+                accessor: "0"
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 500
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "5":
+    id: "5"
+    taskid: cde3f3de-0a07-487e-8107-9ebb7fd0cdf2
+    type: title
+    task:
+      id: cde3f3de-0a07-487e-8107-9ebb7fd0cdf2
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 840
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "6":
+    id: "6"
+    taskid: c921585f-9766-41de-840d-3b0674bd438e
+    type: condition
+    task:
+      id: c921585f-9766-41de-840d-3b0674bd438e
+      version: -1
+      name: Executed from freestyle hunt?
+      description: Checks if the playbook was executed from the Freestyle Hunt tab.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "3"
+      "yes":
+      - "7"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isEqualString
+          left:
+            value:
+              complex:
+                root: incident
+                accessor: freestylehunt
+            iscontext: true
+          right:
+            value:
+              simple: "True"
+          ignorecase: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 160
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "7":
+    id: "7"
+    taskid: f765e0c8-4332-4b21-8571-7cf1268938e5
+    type: collection
+    task:
+      id: f765e0c8-4332-4b21-8571-7cf1268938e5
+      version: -1
+      name: Enter endpoint name to isolate
+      description: Asking the user to select an endpoint to isolate.
+      type: collection
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "1"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 860,
+          "y": 340
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Enter Endpoint Name To Isolate
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: shortText
+        options: []
+        optionsarg:
+        - {}
+        - simple: "No"
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      title: Enter Endpoint Name To Isolate
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+view: |-
+  {
+    "linkLabelsPosition": {
+      "4_5_#default#": 0.55,
+      "6_3_#default#": 0.53
+    },
+    "paper": {
+      "dimensions": {
+        "height": 1035,
+        "width": 790,
+        "x": 450,
+        "y": -130
+      }
+    }
+  }
+inputs: []
+outputs: []
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Endpoint_Isolation_README.md b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Endpoint_Isolation_README.md
new file mode 100644
index 000000000000..1ec186e5827a
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Endpoint_Isolation_README.md
@@ -0,0 +1,38 @@
+This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of isolating a host specified by the analyst.
+
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+Isolate Endpoint - Generic V2
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+Print
+
+### Commands
+
+This playbook does not use any commands.
+
+## Playbook Inputs
+
+---
+There are no inputs for this playbook.
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Proactive Threat Hunting - Endpoint Isolation](../doc_files/Proactive_Threat_Hunting_-_Endpoint_Isolation.png)
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Entity_Enrichment.yml b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Entity_Enrichment.yml
new file mode 100644
index 000000000000..ab6c2203affd
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Entity_Enrichment.yml
@@ -0,0 +1,1241 @@
+id: Proactive Threat Hunting - Entity Enrichment
+version: -1
+name: Proactive Threat Hunting - Entity Enrichment
+description: This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of enriching information on hosts and users specified by the analyst.
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: 3c4fd296-88b2-43c2-8498-c6bc05dcbedb
+    type: start
+    task:
+      id: 3c4fd296-88b2-43c2-8498-c6bc05dcbedb
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "1"
+      - "28"
+      - "29"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 420,
+          "y": -90
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "1":
+    id: "1"
+    taskid: 7a4ed82d-bb5e-4701-8bb3-4b8cfd310250
+    type: regular
+    task:
+      id: 7a4ed82d-bb5e-4701-8bb3-4b8cfd310250
+      version: -1
+      name: Print update to notes
+      description: Prints text to the War Room. (Markdown supported).
+      scriptName: Print
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "6"
+    scriptarguments:
+      value:
+        simple: Entity enrichment has executed. Follow the work plan and see the the results under "Investigation and Response" tab.
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 820,
+          "y": 50
+        }
+      }
+    note: true
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Endpoints Details
+      output:
+        simple: ${shouldbeempty}
+    - incidentfield: Related Alerts
+      output:
+        simple: ${shouldbeempty}
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "4":
+    id: "4"
+    taskid: 1b622dcf-2e0d-4063-8f76-e620a507d40f
+    type: regular
+    task:
+      id: 1b622dcf-2e0d-4063-8f76-e620a507d40f
+      version: -1
+      name: Endpoint enrichment
+      description: Returns information about an endpoint.
+      script: '|||endpoint'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "5"
+    scriptarguments:
+      hostname:
+        complex:
+          root: Choose entities to enrich.Answers
+          accessor: "0"
+    separatecontext: false
+    continueonerror: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1180,
+          "y": 830
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "5":
+    id: "5"
+    taskid: ecbda7db-7aaa-4ab6-838d-7821036829d7
+    type: condition
+    task:
+      id: ecbda7db-7aaa-4ab6-838d-7821036829d7
+      version: -1
+      name: Has endpoint enrichment results
+      description: Check if the automation "endpoint" outputs results.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "30"
+      "yes":
+      - "7"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: Endpoint
+                accessor: Hostname
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1180,
+          "y": 990
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "6":
+    id: "6"
+    taskid: 2059eb16-79e8-43f4-86ef-1845e9cab36e
+    type: collection
+    task:
+      id: 2059eb16-79e8-43f4-86ef-1845e9cab36e
+      version: -1
+      name: Choose entities to enrich
+      description: Ask the user to select entities(users/endpoints) to enrich.
+      type: collection
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "14"
+      - "15"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 420,
+          "y": 220
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Choose endpoint to enrich
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: multiSelect
+        options: []
+        optionsarg:
+        - {}
+        - complex:
+            root: incident
+            accessor: affectedhosts
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      - id: "1"
+        label: ""
+        labelarg:
+          simple: Choose user to enrich
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: multiSelect
+        options: []
+        optionsarg:
+        - {}
+        - complex:
+            root: incident
+            accessor: affectedusers
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      title: Choose entities to enrich
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "7":
+    id: "7"
+    taskid: 41f3e374-9a9c-4430-8c04-3112776f3c4c
+    type: regular
+    task:
+      id: 41f3e374-9a9c-4430-8c04-3112776f3c4c
+      version: -1
+      name: Set endpoint enrichment data to layout
+      description: Accepts a JSON object and returns a markdown.
+      scriptName: JsonToTable
+      type: regular
+      iscommand: false
+      brand: Builtin
+    nexttasks:
+      '#none#':
+      - "24"
+    scriptarguments:
+      extend-context:
+        simple: endpointsdetailsmarkdown=
+      title:
+        simple: Endpoints Details
+      value:
+        complex:
+          root: Endpoint
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1540,
+          "y": 1160
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Hunting Endpoint Enrichment
+      output:
+        simple: "True"
+    - incidentfield: Endpoints Details
+      output:
+        simple: ${endpointsdetailsmarkdown}
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "8":
+    id: "8"
+    taskid: 43fc02e8-1308-44fb-855e-978ec775d10f
+    type: title
+    task:
+      id: 43fc02e8-1308-44fb-855e-978ec775d10f
+      version: -1
+      name: Endpoint Details
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "4"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1180,
+          "y": 690
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "9":
+    id: "9"
+    taskid: aedf05b6-53ee-4de4-8f4e-c0e830b51ab5
+    type: title
+    task:
+      id: aedf05b6-53ee-4de4-8f4e-c0e830b51ab5
+      version: -1
+      name: Alerts Related To The Endpoint
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "13"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 630,
+          "y": 690
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "11":
+    id: "11"
+    taskid: 7437209c-2eea-4918-8c1f-fe682758c9b4
+    type: condition
+    task:
+      id: 7437209c-2eea-4918-8c1f-fe682758c9b4
+      version: -1
+      name: Related alerts found?
+      description: Checks if related alerts were found.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "31"
+      "yes":
+      - "27"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              simple: PaloAltoNetworksXDR.Alert
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 420,
+          "y": 990
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "12":
+    id: "12"
+    taskid: fba78e75-3d40-48b9-82e3-238b7fdcdf54
+    type: regular
+    task:
+      id: fba78e75-3d40-48b9-82e3-238b7fdcdf54
+      version: -1
+      name: Set related alerts to layout
+      description: Accepts a JSON object and returns a markdown.
+      scriptName: JsonToTable
+      type: regular
+      iscommand: false
+      brand: Builtin
+    nexttasks:
+      '#none#':
+      - "20"
+    scriptarguments:
+      extend-context:
+        simple: relatedalertsmarkdown=
+      title:
+        simple: Alerts Related To The Entities
+      value:
+        complex:
+          root: relatedalertsnoempty
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 190,
+          "y": 1330
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Related Alerts
+      output:
+        simple: ${relatedalertsmarkdown}
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "13":
+    id: "13"
+    taskid: aa91639d-1c03-457c-8003-9b888ee7c4d0
+    type: regular
+    task:
+      id: aa91639d-1c03-457c-8003-9b888ee7c4d0
+      version: -1
+      name: Search alerts related to endpoint
+      description: "Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. \nMultiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value."
+      script: '|||xdr-get-alerts'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "11"
+    scriptarguments:
+      custom_filter:
+        simple: |-
+          {
+                  "AND": [
+                    {
+                      "SEARCH_FIELD": "agent_hostname",
+                      "SEARCH_TYPE": "CONTAINS",
+                      "SEARCH_VALUE": "${Choose endpoint to enrich.Answers.0}"
+                    }
+                  ]
+               }
+      time_frame:
+        simple: 24 hours
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 630,
+          "y": 820
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "14":
+    id: "14"
+    taskid: 7dc348a7-1bca-4981-814a-c3563a6ec5a4
+    type: title
+    task:
+      id: 7dc348a7-1bca-4981-814a-c3563a6ec5a4
+      version: -1
+      name: Endpoint Enrichment
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "23"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 900,
+          "y": 390
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "15":
+    id: "15"
+    taskid: dccc55d2-c585-458a-853a-2ec14191ed29
+    type: title
+    task:
+      id: dccc55d2-c585-458a-853a-2ec14191ed29
+      version: -1
+      name: User Enrichments
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "21"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -110,
+          "y": 390
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "16":
+    id: "16"
+    taskid: 52caf803-4131-40da-8460-77e6ebba29dd
+    type: title
+    task:
+      id: 52caf803-4131-40da-8460-77e6ebba29dd
+      version: -1
+      name: User Details
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "17"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -470,
+          "y": 690
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "17":
+    id: "17"
+    taskid: 88ed19f4-decc-4e7c-8b51-f2e056f75d8f
+    type: playbook
+    task:
+      id: 88ed19f4-decc-4e7c-8b51-f2e056f75d8f
+      version: -1
+      name: Account Enrichment - Generic v2.1
+      description: |-
+        Enrich accounts using one or more integrations.
+        Supported integrations:
+        - Active Directory
+        - SailPoint IdentityNow
+        - SailPoint IdentityIQ
+        - PingOne
+        - Okta
+        - AWS IAM
+
+        Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations.
+      playbookName: Account Enrichment - Generic v2.1
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "25"
+    scriptarguments:
+      Username:
+        complex:
+          root: Choose entities to enrich.Answers
+          accessor: "1"
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": -470,
+          "y": 820
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "18":
+    id: "18"
+    taskid: 540ea721-6a4e-423a-8b5c-594dc4964014
+    type: title
+    task:
+      id: 540ea721-6a4e-423a-8b5c-594dc4964014
+      version: -1
+      name: Alerts Related To The User
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "19"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 210,
+          "y": 690
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "19":
+    id: "19"
+    taskid: 118f5ba3-e522-4999-8258-b4fc1717bd26
+    type: regular
+    task:
+      id: 118f5ba3-e522-4999-8258-b4fc1717bd26
+      version: -1
+      name: Search alerts related to endpoint
+      description: "Returns a list of alerts and their metadata, which you can filter by built-in arguments or use the custom_filter to input a JSON filter object. \nMultiple filter arguments will be concatenated using the AND operator, while arguments that support a comma-separated list of values will use an OR operator between each value."
+      script: '|||xdr-get-alerts'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "11"
+    scriptarguments:
+      custom_filter:
+        simple: |-
+          {
+                  "AND": [
+                    {
+                      "SEARCH_FIELD": "hostname",
+                      "SEARCH_TYPE": "CONTAINS",
+                      "SEARCH_VALUE": "${Choose endpoint to enrich.Answers.1}"
+                    }
+                  ]
+               }
+      time_frame:
+        simple: 24 hours
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 210,
+          "y": 820
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "20":
+    id: "20"
+    taskid: acdce72f-e021-4d93-8153-625552bc9c63
+    type: title
+    task:
+      id: acdce72f-e021-4d93-8153-625552bc9c63
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 420,
+          "y": 1600
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "21":
+    id: "21"
+    taskid: 5ac27be5-c75e-4a7d-8f8c-4310738fe853
+    type: condition
+    task:
+      id: 5ac27be5-c75e-4a7d-8f8c-4310738fe853
+      version: -1
+      name: Has user to enrich?
+      description: Checks if the analyst selected accounts to enrich.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "22"
+      "yes":
+      - "18"
+      - "16"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: Choose entities to enrich.Answers
+                accessor: "1"
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -110,
+          "y": 520
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "22":
+    id: "22"
+    taskid: 7e3c1314-4843-41ae-8d3a-957520b7375f
+    type: title
+    task:
+      id: 7e3c1314-4843-41ae-8d3a-957520b7375f
+      version: -1
+      name: User Enrichment Completed
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "20"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -230,
+          "y": 1460
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "23":
+    id: "23"
+    taskid: ad98b94b-9bd8-46d2-8999-1f1becbd19d8
+    type: condition
+    task:
+      id: ad98b94b-9bd8-46d2-8999-1f1becbd19d8
+      version: -1
+      name: Has endpoint to enrich?
+      description: Checks if the analyst selected endpoints to enrich.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "24"
+      "yes":
+      - "9"
+      - "8"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: Choose entities to enrich.Answers
+                accessor: "0"
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 900,
+          "y": 520
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "24":
+    id: "24"
+    taskid: b69a7ae8-5ce8-4421-853a-e5ddcec0d60b
+    type: title
+    task:
+      id: b69a7ae8-5ce8-4421-853a-e5ddcec0d60b
+      version: -1
+      name: Endpoint Enrichment Completed
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "20"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 900,
+          "y": 1460
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "25":
+    id: "25"
+    taskid: 0b8d6f3b-ed1c-4da5-802c-6ab7579d6d19
+    type: condition
+    task:
+      id: 0b8d6f3b-ed1c-4da5-802c-6ab7579d6d19
+      version: -1
+      name: Has user enrichment results?
+      description: Checks if the playbook "Acoount Enrichment - Generic v2.1" outputs results.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "32"
+      "yes":
+      - "26"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: Account
+                accessor: Username
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -470,
+          "y": 990
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "26":
+    id: "26"
+    taskid: c7ff90ca-7678-41bf-86a9-e69595144ae2
+    type: regular
+    task:
+      id: c7ff90ca-7678-41bf-86a9-e69595144ae2
+      version: -1
+      name: Set user enrichment data to layout
+      description: Accepts a JSON object and returns a markdown.
+      scriptName: JsonToTable
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "22"
+    scriptarguments:
+      extend-context:
+        simple: usersdetailsmarkdown=
+      title:
+        simple: Users Details
+      value:
+        complex:
+          root: Account
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -880,
+          "y": 1160
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Users Details
+      output:
+        simple: ${usersdetailsmarkdown}
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "27":
+    id: "27"
+    taskid: 7cc54632-316e-422e-88cb-583e745788a4
+    type: regular
+    task:
+      id: 7cc54632-316e-422e-88cb-583e745788a4
+      version: -1
+      name: Set results without empty fields
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "12"
+    scriptarguments:
+      append:
+        simple: "false"
+      key:
+        simple: relatedalertsnoempty
+      value:
+        complex:
+          root: PaloAltoNetworksXDR
+          accessor: Alert
+          transformers:
+          - operator: RemoveEmpty
+            args:
+              empty_values:
+                value:
+                  simple: FALSE,null,UNKNOWN,NO
+              remove_keys:
+                value:
+                  simple: "true"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 190,
+          "y": 1160
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "28":
+    id: "28"
+    taskid: 7d183c61-0d6f-430c-8ee2-15258b8f1e0e
+    type: regular
+    task:
+      id: 7d183c61-0d6f-430c-8ee2-15258b8f1e0e
+      version: -1
+      name: Delete context to avoid duplications - endpointsdetailsmarkdown
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "6"
+    scriptarguments:
+      key:
+        simple: endpointsdetailsmarkdown
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 10,
+          "y": 50
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "29":
+    id: "29"
+    taskid: 305bae10-f1bd-4682-881c-83a19c3bf490
+    type: regular
+    task:
+      id: 305bae10-f1bd-4682-881c-83a19c3bf490
+      version: -1
+      name: Delete context to avoid duplications - relatedalertsmarkdown
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "6"
+    scriptarguments:
+      key:
+        simple: relatedalertsmarkdown
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 420,
+          "y": 50
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "30":
+    id: "30"
+    taskid: 4797f0a2-af07-4efb-8dda-169504366c08
+    type: regular
+    task:
+      id: 4797f0a2-af07-4efb-8dda-169504366c08
+      version: -1
+      name: Set no results found
+      description: commands.local.cmd.set.incident
+      script: Builtin|||setIncident
+      type: regular
+      iscommand: true
+      brand: Builtin
+    nexttasks:
+      '#none#':
+      - "24"
+    scriptarguments:
+      endpointsdetails:
+        simple: '#### No endpoint results found'
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1110,
+          "y": 1160
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "31":
+    id: "31"
+    taskid: a1fcaadc-7e2c-408d-8169-bb6a65a3bdd6
+    type: regular
+    task:
+      id: a1fcaadc-7e2c-408d-8169-bb6a65a3bdd6
+      version: -1
+      name: Set no results found
+      description: commands.local.cmd.set.incident
+      script: Builtin|||setIncident
+      type: regular
+      iscommand: true
+      brand: Builtin
+    nexttasks:
+      '#none#':
+      - "20"
+    scriptarguments:
+      relatedalerts:
+        simple: '#### No related alerts found'
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 640,
+          "y": 1160
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "32":
+    id: "32"
+    taskid: 7ff4506d-2921-4315-85f8-1ccc8477d033
+    type: regular
+    task:
+      id: 7ff4506d-2921-4315-85f8-1ccc8477d033
+      version: -1
+      name: Set no results found
+      description: commands.local.cmd.set.incident
+      script: Builtin|||setIncident
+      type: regular
+      iscommand: true
+      brand: Builtin
+    nexttasks:
+      '#none#':
+      - "22"
+    scriptarguments:
+      usersdetails:
+        simple: '#### No user details found'
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -470,
+          "y": 1160
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+view: |-
+  {
+    "linkLabelsPosition": {
+      "23_24_#default#": 0.16
+    },
+    "paper": {
+      "dimensions": {
+        "height": 1755,
+        "width": 2800,
+        "x": -880,
+        "y": -90
+      }
+    }
+  }
+inputs: []
+outputs: []
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Entity_Enrichment_README.md b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Entity_Enrichment_README.md
new file mode 100644
index 000000000000..440eac644f83
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Entity_Enrichment_README.md
@@ -0,0 +1,42 @@
+This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of enriching information on hosts and users specified by the analyst.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* Account Enrichment - Generic v2.1
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* Print
+* Set
+* DeleteContext
+* JsonToTable
+
+### Commands
+
+* endpoint
+* xdr-get-alerts
+* setIncident
+
+## Playbook Inputs
+
+---
+There are no inputs for this playbook.
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Proactive Threat Hunting - Entity Enrichment](../doc_files/Proactive_Threat_Hunting_-_Entity_Enrichment.png)
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Execute_Query.yml b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Execute_Query.yml
new file mode 100644
index 000000000000..b85509683ae7
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Execute_Query.yml
@@ -0,0 +1,754 @@
+id: Proactive Threat Hunting - Execute Query
+version: -1
+name: Proactive Threat Hunting - Execute Query
+description: |-
+  This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of executing a query that will be provided by the analyst. The playbook supports executing a query using the following integrations:
+
+  - Cortex XDR XQL Engine
+  - Microsoft Defender For Endpoint
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: da2e4044-109f-4d97-854a-ede202f6bc4b
+    type: start
+    task:
+      id: da2e4044-109f-4d97-854a-ede202f6bc4b
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "9"
+      - "10"
+      - "12"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -140
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "2":
+    id: "2"
+    taskid: f450f9f6-7d4c-40e6-80c1-08ed03dd1fd4
+    type: regular
+    task:
+      id: f450f9f6-7d4c-40e6-80c1-08ed03dd1fd4
+      version: -1
+      name: Print update to notes
+      description: Prints text to the War Room. (Markdown supported).
+      scriptName: Print
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "3"
+    scriptarguments:
+      value:
+        simple: Custom query execution procedure has executed. Follow the work plan to continue.
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 180
+        }
+      }
+    note: true
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Endpoint Isolation Status
+      output:
+        simple: Executed
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "3":
+    id: "3"
+    taskid: dde3c637-b8b9-4134-85d7-631098080714
+    type: collection
+    task:
+      id: dde3c637-b8b9-4134-85d7-631098080714
+      version: -1
+      name: Please provide query to execute
+      description: Asks the analyst to provide a query to execute.
+      type: collection
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "6"
+      - "14"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 340
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Please provide query to execute
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: longText
+        options: []
+        optionsarg:
+        - {}
+        - complex:
+            root: incident
+            accessor: affectedhosts
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: 'Supported systems: - Cortex XDR XQL Engine - Microsoft Defender For Endpoint'
+        readonly: false
+      title: Please provide query to execute
+      description: |-
+        Supported systems:
+        - Cortex XDR XQL Engine
+        - Microsoft Defender For Endpoint
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "5":
+    id: "5"
+    taskid: ad50208d-43e6-426b-8cc6-84ad81ecc7fb
+    type: title
+    task:
+      id: ad50208d-43e6-426b-8cc6-84ad81ecc7fb
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 1380
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "6":
+    id: "6"
+    taskid: f728b726-18a0-4d6b-8850-96a4ffdfdc0c
+    type: condition
+    task:
+      id: f728b726-18a0-4d6b-8850-96a4ffdfdc0c
+      version: -1
+      name: Is Cortex XDR Query Engine enabled?
+      description: Checks if the Query Engine integration is enabled.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "5"
+      "yes":
+      - "7"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isExists
+          left:
+            value:
+              complex:
+                root: modules
+                filters:
+                - - operator: isEqualString
+                    left:
+                      value:
+                        simple: modules.brand
+                      iscontext: true
+                    right:
+                      value:
+                        simple: Cortex XDR - XQL Query Engine
+                    ignorecase: true
+                - - operator: isEqualString
+                    left:
+                      value:
+                        simple: modules.state
+                      iscontext: true
+                    right:
+                      value:
+                        simple: active
+                    ignorecase: true
+                accessor: brand
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 720,
+          "y": 520
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "7":
+    id: "7"
+    taskid: 9031c68a-ee79-4cc5-84be-86d43a561349
+    type: regular
+    task:
+      id: 9031c68a-ee79-4cc5-84be-86d43a561349
+      version: -1
+      name: Execute custom query - XQL Engine
+      description: |-
+        Execute an XQL query and retrieve results of an executed XQL query API. The command will be executed every 10 seconds until results are retrieved or until a timeout error is raised.
+        When more than 1000 results are retrieved, the command will return a compressed gzipped JSON format file,
+        unless the argument 'parse_result_file_to_context' is set to true and then the results will be extracted to the context.
+      script: '|||xdr-xql-generic-query'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "11"
+    scriptarguments:
+      query:
+        complex:
+          root: Please provide query to execute.Answers
+          accessor: "0"
+      query_name:
+        simple: Hunting Session
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 720,
+          "y": 700
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "8":
+    id: "8"
+    taskid: 58d64fc9-710a-413d-8f57-a0f9a85139a6
+    type: regular
+    task:
+      id: 58d64fc9-710a-413d-8f57-a0f9a85139a6
+      version: -1
+      name: Set custom query results to layout
+      description: Accepts a JSON object and returns a markdown.
+      scriptName: JsonToTable
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "5"
+    scriptarguments:
+      extend-context:
+        simple: customquerymarkdown=
+      value:
+        complex:
+          root: PaloAltoNetworksXQL.GenericQuery
+          accessor: results
+          transformers:
+          - operator: RemoveEmpty
+            args:
+              empty_values:
+                value:
+                  simple: FALSE,null,UNKNOWN,NO
+              remove_keys:
+                value:
+                  simple: "true"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1040,
+          "y": 1050
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Custom Query Results
+      output:
+        simple: ${customquerymarkdown}
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "9":
+    id: "9"
+    taskid: 0893394f-91d6-4f39-892a-041a165f1f95
+    type: regular
+    task:
+      id: 0893394f-91d6-4f39-892a-041a165f1f95
+      version: -1
+      name: Delete context to avoid duplications - PaloAltoNetworksXQL
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "2"
+    scriptarguments:
+      key:
+        simple: PaloAltoNetworksXQL
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 40,
+          "y": 0
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "10":
+    id: "10"
+    taskid: ecb8cab4-6292-4190-8b1d-cb12315d64f6
+    type: regular
+    task:
+      id: ecb8cab4-6292-4190-8b1d-cb12315d64f6
+      version: -1
+      name: Delete context to avoid duplications - customquerymarkdown
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "2"
+    scriptarguments:
+      key:
+        simple: customquerymarkdown
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 860,
+          "y": 0
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Custom Query Results
+      output:
+        simple: ${needtobeempty}
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "11":
+    id: "11"
+    taskid: 2bf0fd8c-61f3-4e63-819a-4b6bf238b3ce
+    type: condition
+    task:
+      id: 2bf0fd8c-61f3-4e63-819a-4b6bf238b3ce
+      version: -1
+      name: Has custom query results?
+      description: Checks if the query returned results.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "17"
+      "yes":
+      - "8"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: PaloAltoNetworksXQL.GenericQuery
+                accessor: results
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 720,
+          "y": 860
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "12":
+    id: "12"
+    taskid: c3453c12-2fe1-418e-88a9-05eea5ae5d1e
+    type: regular
+    task:
+      id: c3453c12-2fe1-418e-88a9-05eea5ae5d1e
+      version: -1
+      name: Delete context to avoid duplications - "Please provide query to execute"
+      description: |-
+        Delete field from context.
+
+        This automation runs using the default Limited User role, unless you explicitly change the permissions.
+        For more information, see the section about permissions here:
+        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations
+      scriptName: DeleteContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "2"
+    scriptarguments:
+      key:
+        simple: Please provide query to execute
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 0
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "13":
+    id: "13"
+    taskid: 385f789c-c767-4fc8-83eb-ce57c8244369
+    type: regular
+    task:
+      id: 385f789c-c767-4fc8-83eb-ce57c8244369
+      version: -1
+      name: Execute custom query - Microsoft defender
+      description: 'Allows you to run programmatic queries like in Microsoft Defender ATP Portal (https://securitycenter.windows.com/hunting). Limitations: You can only run a query on data from the last 30 days. The results include a maximum of 10,000 rows. The number of executions is limited (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day).'
+      script: '|||microsoft-atp-advanced-hunting'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "15"
+    scriptarguments:
+      query:
+        complex:
+          root: Please provide query to execute.Answers
+          accessor: "0"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 180,
+          "y": 700
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "14":
+    id: "14"
+    taskid: 6015fbf9-bc6d-41bd-8bb1-cc9b914755f1
+    type: condition
+    task:
+      id: 6015fbf9-bc6d-41bd-8bb1-cc9b914755f1
+      version: -1
+      name: Is Microsoft Defender enabled?
+      description: Checks if the Microsoft Defender integration is enabled.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "5"
+      "yes":
+      - "13"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isExists
+          left:
+            value:
+              complex:
+                root: modules
+                filters:
+                - - operator: isEqualString
+                    left:
+                      value:
+                        simple: modules.brand
+                      iscontext: true
+                    right:
+                      value:
+                        simple: Microsoft Defender Advanced Threat Protection
+                    ignorecase: true
+                - - operator: isEqualString
+                    left:
+                      value:
+                        simple: modules.state
+                      iscontext: true
+                    right:
+                      value:
+                        simple: active
+                    ignorecase: true
+                accessor: brand
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 180,
+          "y": 520
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "15":
+    id: "15"
+    taskid: 333030f6-517f-4b22-8492-f80d559d53c2
+    type: condition
+    task:
+      id: 333030f6-517f-4b22-8492-f80d559d53c2
+      version: -1
+      name: Has custom query results?
+      description: Checks if the query returned results.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "17"
+      "yes":
+      - "16"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: MicrosoftATP.Hunt
+                accessor: Result
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 180,
+          "y": 860
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "16":
+    id: "16"
+    taskid: 2ecae88f-51fa-4352-8879-61c295a0ac71
+    type: regular
+    task:
+      id: 2ecae88f-51fa-4352-8879-61c295a0ac71
+      version: -1
+      name: Set custom query results to layout
+      description: Accepts a JSON object and returns a markdown.
+      scriptName: JsonToTable
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "5"
+    scriptarguments:
+      extend-context:
+        simple: customquerymarkdown=
+      value:
+        complex:
+          root: MicrosoftATP.Hunt
+          accessor: Result
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -40,
+          "y": 1040
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Custom Query Results
+      output:
+        simple: ${customquerymarkdown}
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "17":
+    id: "17"
+    taskid: 9c9315b4-5c3a-4d4c-8e93-c19106f9a50d
+    type: regular
+    task:
+      id: 9c9315b4-5c3a-4d4c-8e93-c19106f9a50d
+      version: -1
+      name: Set no results found
+      description: commands.local.cmd.set.incident
+      script: Builtin|||setIncident
+      type: regular
+      iscommand: true
+      brand: Builtin
+    nexttasks:
+      '#none#':
+      - "5"
+    scriptarguments:
+      customqueryresults:
+        simple: '#### No results found'
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 1050
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+view: |-
+  {
+    "linkLabelsPosition": {
+      "14_5_#default#": 0.9,
+      "6_5_#default#": 0.9
+    },
+    "paper": {
+      "dimensions": {
+        "height": 1585,
+        "width": 1460,
+        "x": -40,
+        "y": -140
+      }
+    }
+  }
+inputs: []
+outputs: []
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Execute_Query_README.md b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Execute_Query_README.md
new file mode 100644
index 000000000000..f607d6174c7d
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Execute_Query_README.md
@@ -0,0 +1,44 @@
+This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of executing a query that will be provided by the analyst. The playbook supports executing a query using the following integrations:
+
+- Cortex XDR XQL Engine
+- Microsoft Defender For Endpoint
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* JsonToTable
+* Print
+* DeleteContext
+
+### Commands
+
+* xdr-xql-generic-query
+* setIncident
+* microsoft-atp-advanced-hunting
+
+## Playbook Inputs
+
+---
+There are no inputs for this playbook.
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Proactive Threat Hunting - Execute Query](../doc_files/Proactive_Threat_Hunting_-_Execute_Query.png)
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Quarantine_File.yml b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Quarantine_File.yml
new file mode 100644
index 000000000000..ffb9cf1acbfe
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Quarantine_File.yml
@@ -0,0 +1,326 @@
+id: Proactive Threat Hunting - Quarantine File
+version: -1
+name: Proactive Threat Hunting - Quarantine File
+description: |-
+  This playbook will be executed from the “Proactive Threat Hunting” layout button with the objective of quarantining a file specified by the analyst. The following integration is supported:
+  - Cortex XDR IR
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: 35c489f4-3d7c-4d13-882c-4bbc8fd7c5a1
+    type: start
+    task:
+      id: 35c489f4-3d7c-4d13-882c-4bbc8fd7c5a1
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "2"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 50
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "2":
+    id: "2"
+    taskid: 7e850afe-3652-4e16-8e64-76d27b1e5381
+    type: regular
+    task:
+      id: 7e850afe-3652-4e16-8e64-76d27b1e5381
+      version: -1
+      name: Print update to notes
+      description: Prints text to the War Room. (Markdown supported).
+      scriptName: Print
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "3"
+    scriptarguments:
+      value:
+        simple: Quarantine file procedure has executed. Follow the work plan to continue.
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 180
+        }
+      }
+    note: true
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: User Block Status
+      output:
+        simple: Executed
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "3":
+    id: "3"
+    taskid: 224159e0-ec3c-4364-8128-a8f2d37f8641
+    type: collection
+    task:
+      id: 224159e0-ec3c-4364-8128-a8f2d37f8641
+      version: -1
+      name: Provide details for file quarantine
+      description: Asks the analyst to provide the relevant data required for quarantining the file.
+      type: collection
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "4"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 340
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Provide endpoint ID
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: shortText
+        options: []
+        optionsarg:
+        - {}
+        - complex:
+            root: incident
+            accessor: affectedusers
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      - id: "1"
+        label: ""
+        labelarg:
+          simple: Provide file path
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: shortText
+        options: []
+        optionsarg: []
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      - id: "2"
+        label: ""
+        labelarg:
+          simple: Provide file SHA256 hash
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: shortText
+        options: []
+        optionsarg: []
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      title: Provide details for file quarantine
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "4":
+    id: "4"
+    taskid: 7e70a140-5c50-439e-80de-e80725223c92
+    type: condition
+    task:
+      id: 7e70a140-5c50-439e-80de-e80725223c92
+      version: -1
+      name: Has file to quarantine?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "5"
+      "yes":
+      - "6"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: Provide details for file quarantine.Answers
+                accessor: "0"
+            iscontext: true
+          right:
+            value: {}
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: Provide details for file quarantine.Questions
+                accessor: "1"
+            iscontext: true
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: Provide details for file quarantine.Answers
+                accessor: "2"
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 500
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "5":
+    id: "5"
+    taskid: e171a237-98a4-4a7f-8a18-4ced40b8491d
+    type: title
+    task:
+      id: e171a237-98a4-4a7f-8a18-4ced40b8491d
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 840
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "6":
+    id: "6"
+    taskid: 3d38dd61-7381-44d2-82b5-3d880f9cc271
+    type: regular
+    task:
+      id: 3d38dd61-7381-44d2-82b5-3d880f9cc271
+      version: -1
+      name: Quarantine file
+      description: Quarantines a file on selected endpoints. You can select up to 1000 endpoints.
+      script: '|||xdr-file-quarantine'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "5"
+    scriptarguments:
+      endpoint_id_list:
+        complex:
+          root: Provide details for file quarantine.Questions
+          accessor: "0"
+      file_hash:
+        complex:
+          root: Provide details for file quarantine.Answers
+          accessor: "2"
+      file_path:
+        complex:
+          root: Provide details for file quarantine.Answers
+          accessor: "1"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 890,
+          "y": 670
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+view: |-
+  {
+    "linkLabelsPosition": {
+      "4_5_#default#": 0.55
+    },
+    "paper": {
+      "dimensions": {
+        "height": 855,
+        "width": 820,
+        "x": 450,
+        "y": 50
+      }
+    }
+  }
+inputs: []
+outputs: []
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Quarantine_File_README.md b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Quarantine_File_README.md
new file mode 100644
index 000000000000..b2dc22a711f0
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Quarantine_File_README.md
@@ -0,0 +1,38 @@
+This playbook will be executed from the “Proactive Threat Hunting” layout button with the objective of quarantining a file specified by the analyst. The following integration is supported:
+- Cortex XDR IR
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* Print
+
+### Commands
+
+* xdr-file-quarantine
+
+## Playbook Inputs
+
+---
+There are no inputs for this playbook.
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Proactive Threat Hunting - Quarantine File](../doc_files/Proactive_Threat_Hunting_-_Quarantine_File.png)
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_SDO_Threat_Hunting.yml b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_SDO_Threat_Hunting.yml
new file mode 100644
index 000000000000..19b5b547dcdb
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_SDO_Threat_Hunting.yml
@@ -0,0 +1,1402 @@
+id: Proactive Threat Hunting - SDO Threat Hunting
+version: -1
+name: Proactive Threat Hunting - SDO Threat Hunting
+description: |-
+  This playbook will be executed when the analyst chooses to perform SDO hunting.
+  The playbook receives an SDO type indicator and executes the following steps:
+
+  - Searches IOCs related to the SDO indicator - IPs, Hashes, Domains, URLs.
+  - Hunts for the found IOCs using the "Threat Hunting - Generic" sub-playbook.
+  - Searches attack patterns that are related to the SDO indicator.
+  - Searches LOLBAS tools that are related to the found attack patterns.
+  - Hunts for LOLBin executions command-line arguments that are similar to LOLBAS  malicious commands patterns.
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: 03780881-d798-4c4a-8dc7-cab2c0e04912
+    type: start
+    task:
+      id: 03780881-d798-4c4a-8dc7-cab2c0e04912
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "8"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -450
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "1":
+    id: "1"
+    taskid: b32d342c-cd82-44ba-83fa-363d76b120ee
+    type: regular
+    task:
+      id: b32d342c-cd82-44ba-83fa-363d76b120ee
+      version: -1
+      name: Get SDO from TIM
+      description: |-
+        Searches Cortex XSOAR indicators.
+
+        Searches for Cortex XSOAR Indicators and returns the id, indicator_type, value, and score/verdict.
+
+        You can add additional fields from the indicators using the add_field_to_context argument.
+      scriptName: SearchIndicator
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "2"
+    scriptarguments:
+      query:
+        simple: type:"${inputs.SDOType}"
+      size:
+        simple: "500"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -50,
+          "y": -140
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "2":
+    id: "2"
+    taskid: 0de6a093-317b-4f93-8b52-9fccc138e98b
+    type: collection
+    task:
+      id: 0de6a093-317b-4f93-8b52-9fccc138e98b
+      version: -1
+      name: Choose Campaign to hunt
+      type: collection
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "10"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -50,
+          "y": 20
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+    form:
+      questions:
+      - id: "0"
+        label: ""
+        labelarg:
+          simple: Choose the campaigns to hunt for
+        required: false
+        gridcolumns: []
+        defaultrows: []
+        type: singleSelect
+        options: []
+        optionsarg:
+        - complex:
+            root: foundIndicators
+            accessor: value
+            transformers:
+            - operator: uniq
+        fieldassociated: ""
+        placeholder: ""
+        tooltip: ""
+        readonly: false
+      title: Choose the campaigns to hunt for
+      description: ""
+      sender: ""
+      expired: false
+      totalanswers: 0
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "3":
+    id: "3"
+    taskid: 1042fe9d-c392-494f-8a84-63f5e17e0099
+    type: playbook
+    task:
+      id: 1042fe9d-c392-494f-8a84-63f5e17e0099
+      version: -1
+      name: TIM - Indicator Relationships Analysis
+      description: |-
+        This playbook is designed to assist with a security investigation by providing an analysis of indicator relationships. The following information is included:
+        - Indicators of compromise (IOCs) related to the investigation.
+        - Attack patterns related to the investigation.
+        - Campaigns related to the investigation.
+        - IOCs associated with the identified campaigns.
+        - Reports containing details on the identified campaigns.
+      playbookName: TIM - Indicator Relationships Analysis
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "23"
+      - "34"
+    scriptarguments:
+      Indicator:
+        complex:
+          root: Choose the campaigns to hunt for.Answers
+          accessor: "0"
+          transformers:
+          - operator: SetIfEmpty
+            args:
+              applyIfEmpty:
+                value:
+                  simple: "false"
+              defaultValue:
+                value:
+                  simple: inputs.SDOName
+                iscontext: true
+      LimitResults:
+        simple: "200"
+    separatecontext: false
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 510
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 2
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "5":
+    id: "5"
+    taskid: 7806f0cb-9372-4189-82d4-4fe07c1c6e0a
+    type: title
+    task:
+      id: 7806f0cb-9372-4189-82d4-4fe07c1c6e0a
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 2190
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "6":
+    id: "6"
+    taskid: 30a47edc-ccf1-42dd-8686-400563cca15e
+    type: playbook
+    task:
+      id: 30a47edc-ccf1-42dd-8686-400563cca15e
+      version: -1
+      name: Threat Hunting - Generic
+      playbookName: Threat Hunting - Generic
+      type: playbook
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "27"
+    scriptarguments:
+      IPAddress:
+        complex:
+          root: RelatedIPs
+      MD5:
+        complex:
+          root: RelatedFiles
+          filters:
+          - - operator: stringHasLength
+              left:
+                value:
+                  simple: RelatedFiles
+                iscontext: true
+              right:
+                value:
+                  simple: "32"
+      QRadarTimeFrame:
+        simple: LAST 7 DAYS
+      SHA256:
+        complex:
+          root: RelatedFiles
+          filters:
+          - - operator: stringHasLength
+              left:
+                value:
+                  simple: RelatedFiles
+                iscontext: true
+              right:
+                value:
+                  simple: "64"
+      SplunkEarliestTime:
+        simple: -7d@d
+      SplunkLatestTime:
+        simple: now
+      URLDomain:
+        complex:
+          root: RelatedURLs
+          transformers:
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: RelatedDomains
+                iscontext: true
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 960,
+          "y": 1170
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "8":
+    id: "8"
+    taskid: 17705d17-e1d0-4bd3-8efa-8ad73fbc86a3
+    type: condition
+    task:
+      id: 17705d17-e1d0-4bd3-8efa-8ad73fbc86a3
+      version: -1
+      name: Has SDO name input?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "1"
+      "yes":
+      - "25"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: inputs.SDOName
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -310
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "10":
+    id: "10"
+    taskid: 192c8ba9-16ac-4c33-8eb8-5d93cf17ccdc
+    type: regular
+    task:
+      id: 192c8ba9-16ac-4c33-8eb8-5d93cf17ccdc
+      version: -1
+      name: Set chosen campaign to layout
+      description: commands.local.cmd.associate.indicators
+      script: Builtin|||associateIndicatorsToIncident
+      type: regular
+      iscommand: true
+      brand: Builtin
+    nexttasks:
+      '#none#':
+      - "26"
+    scriptarguments:
+      incidentId:
+        complex:
+          root: incident
+          accessor: id
+      indicatorsValues:
+        complex:
+          root: Choose the campaigns to hunt for.Answers
+          accessor: "0"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 190
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: SDO Name
+      output:
+        simple: '#### ${Choose the campaigns to hunt for.Answers.0}'
+    - incidentfield: SDO Feed
+      output:
+        simple: '#### ${incident.sdofeed}'
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "14":
+    id: "14"
+    taskid: 9e7112c8-f542-44e1-8925-bcb7defbeb47
+    type: regular
+    task:
+      id: 9e7112c8-f542-44e1-8925-bcb7defbeb47
+      version: -1
+      name: Add tags to indicators
+      description: commands.local.cmd.add.values.to.indicator.multi.select.field
+      script: Builtin|||appendIndicatorField
+      type: regular
+      iscommand: true
+      brand: Builtin
+    nexttasks:
+      '#none#':
+      - "6"
+    scriptarguments:
+      field:
+        simple: tags
+      fieldValue:
+        simple: Hunting Session
+      indicatorsValues:
+        complex:
+          root: RelatedFiles
+          transformers:
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: RelatedDomains
+                iscontext: true
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: RelatedIPs
+                iscontext: true
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: RelatedURLs
+                iscontext: true
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 960,
+          "y": 1010
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "16":
+    id: "16"
+    taskid: 8016cd02-5726-46e6-8758-67367704b27b
+    type: regular
+    task:
+      id: 8016cd02-5726-46e6-8758-67367704b27b
+      version: -1
+      name: Get attack pattern related tools
+      description: This automation outputs the indicator relationships to context according to the provided query, using the entities, entityTypes, and relationships arguments. All arguments will use the AND operator. For example, using the following arguments entities=8.8.8.8 entities_types=Domain will provide only relationships that the 8.8.8.8 indicator has with indicators of type domain.
+      scriptName: SearchIndicatorRelationships
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "17"
+    scriptarguments:
+      entities:
+        complex:
+          root: RelatedAttackPatterns
+      limit:
+        simple: "500"
+      relationships:
+        simple: related-to
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 220,
+          "y": 850
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Attack Patterns
+      output:
+        complex:
+          root: RelatedAttackPatterns
+    - incidentfield: Report Name
+      output:
+        simple: '#### ${RelatedReport}'
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "17":
+    id: "17"
+    taskid: b51a0eec-4e8d-4d59-8af6-74f0b4e49501
+    type: playbook
+    task:
+      id: b51a0eec-4e8d-4d59-8af6-74f0b4e49501
+      version: -1
+      name: Search LOLBAS Tools By Name
+      description: This playbook searches for LOLBAS tools by their name, and returns the tool command from LOLBAS.
+      playbookName: Search LOLBAS Tools By Name
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "30"
+    scriptarguments:
+      Tool:
+        complex:
+          root: Relationships
+          filters:
+          - - operator: isEqualString
+              left:
+                value:
+                  simple: Relationships.EntityBType
+                iscontext: true
+              right:
+                value:
+                  simple: tool
+              ignorecase: true
+          accessor: EntityB
+          transformers:
+          - operator: uniq
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+      forEach: true
+    view: |-
+      {
+        "position": {
+          "x": 220,
+          "y": 1010
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "19":
+    id: "19"
+    taskid: f8f5ea76-846c-4d7f-8d8c-394a665ce49c
+    type: regular
+    task:
+      id: f8f5ea76-846c-4d7f-8d8c-394a665ce49c
+      version: -1
+      name: Set Tools
+      description: commands.local.cmd.set.incident
+      script: Builtin|||setIncident
+      type: regular
+      iscommand: true
+      brand: Builtin
+    nexttasks:
+      '#none#':
+      - "32"
+    scriptarguments:
+      tools:
+        complex:
+          root: LotlTools
+          accessor: value
+          transformers:
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: '"'
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: '['
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith: {}
+              toReplace:
+                value:
+                  simple: ']'
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 20,
+          "y": 1350
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "21":
+    id: "21"
+    taskid: 9303894e-5d31-4a4f-8ad4-a1d0eda0abb4
+    type: regular
+    task:
+      id: 9303894e-5d31-4a4f-8ad4-a1d0eda0abb4
+      version: -1
+      name: Set StringSimilarity Results To Layout
+      description: Accepts a JSON object and returns a markdown.
+      scriptName: JsonToTable
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "29"
+    scriptarguments:
+      extend-context:
+        simple: stringsimilaritymarkdown=
+      title:
+        simple: StringSimilarity Results
+      value:
+        complex:
+          root: StringSimilarity
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -210,
+          "y": 1860
+        }
+      }
+    note: false
+    evidencedata:
+      description:
+        simple: Suspicious lolbin executions found
+      customfields: {}
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: String Similarity Results
+      output:
+        simple: ${stringsimilaritymarkdown}
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "22":
+    id: "22"
+    taskid: f291afb5-9b54-4834-84a2-9cdb3d882d82
+    type: regular
+    task:
+      id: f291afb5-9b54-4834-84a2-9cdb3d882d82
+      version: -1
+      name: Associate indicators to incident
+      description: commands.local.cmd.associate.indicators
+      script: Builtin|||associateIndicatorsToIncident
+      type: regular
+      iscommand: true
+      brand: Builtin
+    nexttasks:
+      '#none#':
+      - "14"
+    scriptarguments:
+      incidentId:
+        complex:
+          root: incident
+          accessor: id
+      indicatorsValues:
+        complex:
+          root: RelatedFiles
+          transformers:
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: RelatedDomains
+                iscontext: true
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: RelatedIPs
+                iscontext: true
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: RelatedURLs
+                iscontext: true
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 960,
+          "y": 850
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "23":
+    id: "23"
+    taskid: 3f6c22f6-410f-4f3a-8b4b-e5d46a107f7a
+    type: condition
+    task:
+      id: 3f6c22f6-410f-4f3a-8b4b-e5d46a107f7a
+      version: -1
+      name: Has Related IOC's?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "29"
+      "yes":
+      - "22"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: RelatedDomains
+                transformers:
+                - operator: append
+                  args:
+                    item:
+                      value:
+                        simple: RelatedFiles
+                      iscontext: true
+                - operator: append
+                  args:
+                    item:
+                      value:
+                        simple: RelatedIPs
+                      iscontext: true
+                - operator: append
+                  args:
+                    item:
+                      value:
+                        simple: RelatedURLs
+                      iscontext: true
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 660,
+          "y": 680
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "24":
+    id: "24"
+    taskid: 65eef55e-89ce-46d5-8608-ef3fdc5e89d6
+    type: condition
+    task:
+      id: 65eef55e-89ce-46d5-8608-ef3fdc5e89d6
+      version: -1
+      name: Suspicious Lolbin executions found?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "35"
+      "yes":
+      - "21"
+      - "33"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: StringSimilarity
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 20,
+          "y": 1690
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "25":
+    id: "25"
+    taskid: 67c84d03-4c7d-475f-8efa-b3919dbb9a3d
+    type: regular
+    task:
+      id: 67c84d03-4c7d-475f-8efa-b3919dbb9a3d
+      version: -1
+      name: Set SDO name
+      description: Set a value in context under the key you entered.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "10"
+    scriptarguments:
+      key:
+        simple: Choose the campaigns to hunt for.Answers.0
+      value:
+        complex:
+          root: inputs.SDOName
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 20
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "26":
+    id: "26"
+    taskid: d3a8c367-09c0-4f90-824c-b5e05c72a371
+    type: regular
+    task:
+      id: d3a8c367-09c0-4f90-824c-b5e05c72a371
+      version: -1
+      name: Print hunt executed message to notes
+      description: Prints text to the War Room. (Markdown supported).
+      scriptName: Print
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "3"
+    scriptarguments:
+      value:
+        simple: 'The threat hunting seesion has been executed. To view the outcomes, kindly navigate to the SDO Hunting Session tab. IMPORTANT: You will receive a notification in this section once the hunting session is finished and an "Investigation & Response" tab will display with further steps that can be taken.'
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 350
+        }
+      }
+    note: true
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "27":
+    id: "27"
+    taskid: b3c284a7-e33e-4e91-898d-dabe51798330
+    type: condition
+    task:
+      id: b3c284a7-e33e-4e91-898d-dabe51798330
+      version: -1
+      name: IOCs found?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "29"
+      "yes":
+      - "28"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: Splunk
+                accessor: DetectedInternalIPs
+                transformers:
+                - operator: append
+                  args:
+                    item:
+                      value:
+                        simple: Splunk.DetectedExternalIPs
+                      iscontext: true
+                - operator: append
+                  args:
+                    item:
+                      value:
+                        simple: Splunk.DetectedExternalIPs
+                      iscontext: true
+                - operator: append
+                  args:
+                    item:
+                      value:
+                        simple: PANWHunting.DetectedInternalIPs
+                      iscontext: true
+                - operator: append
+                  args:
+                    item:
+                      value:
+                        simple: PANWHunting.DetectedExternalIPs
+                      iscontext: true
+                - operator: append
+                  args:
+                    item:
+                      value:
+                        simple: QRadar.DetectedInternalIPs
+                      iscontext: true
+                - operator: append
+                  args:
+                    item:
+                      value:
+                        simple: QRadar.DetectedExternalIPs
+                      iscontext: true
+                - operator: append
+                  args:
+                    item:
+                      value:
+                        simple: Microsoft365Defender.RetrievedEmails.SHA256
+                      iscontext: true
+                - operator: append
+                  args:
+                    item:
+                      value:
+                        simple: Microsoft365Defender.RetrievedEmails.Url
+                      iscontext: true
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 960,
+          "y": 1330
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "28":
+    id: "28"
+    taskid: 41feb33c-4160-4e93-8f08-de2865ef878f
+    type: regular
+    task:
+      id: 41feb33c-4160-4e93-8f08-de2865ef878f
+      version: -1
+      name: Set tag on IOCs found
+      description: commands.local.cmd.add.values.to.indicator.multi.select.field
+      script: Builtin|||appendIndicatorField
+      type: regular
+      iscommand: true
+      brand: Builtin
+    nexttasks:
+      '#none#':
+      - "29"
+    scriptarguments:
+      field:
+        simple: tags
+      fieldValue:
+        simple: Hunting Session - Exist In Environment
+      indicatorsValues:
+        complex:
+          root: PANWHunting
+          accessor: DetectedInternalIPs
+          transformers:
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: PANWHunting.DetectedExternalIPs
+                iscontext: true
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: PANWHunting.DetectedInternalIPs
+                iscontext: true
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: Microsoft365Defender.RetrievedEmails.SHA256
+                iscontext: true
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: Microsoft365Defender.RetrievedEmails.Url
+                iscontext: true
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: QRadar.DetectedInternalIPs
+                iscontext: true
+          - operator: append
+            args:
+              item:
+                value:
+                  simple: QRadar.DetectedExternalIPs
+                iscontext: true
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1180,
+          "y": 1500
+        }
+      }
+    note: false
+    evidencedata:
+      description:
+        simple: IOCs found during the threat hunting session
+      customfields: {}
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "29":
+    id: "29"
+    taskid: b92ba575-6cb0-4d98-8927-caff7321c37a
+    type: regular
+    task:
+      id: b92ba575-6cb0-4d98-8927-caff7321c37a
+      version: -1
+      name: Print Hunt Completed To Notes
+      description: Prints text to the War Room. (Markdown supported).
+      scriptName: Print
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "5"
+    scriptarguments:
+      value:
+        simple: The threat hunting session completed. The hunting session results is displayed in the SDO Hunting Session tab. Navigate to "Investigation & Response" tab for further post-hunting actions.
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 2030
+        }
+      }
+    note: true
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Hunting Session Status
+      output:
+        simple: Finished
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "30":
+    id: "30"
+    taskid: 7cee7d7b-fa63-4b6a-8594-9256125e4396
+    type: condition
+    task:
+      id: 7cee7d7b-fa63-4b6a-8594-9256125e4396
+      version: -1
+      name: Has Lotl tools?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "29"
+      "yes":
+      - "19"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: LotlTools
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 220,
+          "y": 1180
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "32":
+    id: "32"
+    taskid: 37616759-422f-47ed-83c0-b17cfe90d55d
+    type: playbook
+    task:
+      id: 37616759-422f-47ed-83c0-b17cfe90d55d
+      version: -1
+      name: Search and Compare Process Executions - Generic
+      description: |-
+        This playbook is a generic playbook that receives a process name and a command-line argument. It searches for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations:
+
+        - Cortex XDR XQL Engine
+        - Cortex XDR IR(Search executions inside XDR alerts)
+        - Microsoft Defender For Endpoint
+
+        Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+        - value: *process name*
+        - commands: *command-line arguments*
+      playbookName: Search and Compare Process Executions - Generic
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "24"
+    scriptarguments:
+      HuntingTimeFrame:
+        complex:
+          root: inputs.HuntingTimeFrame
+      Processes:
+        complex:
+          root: LotlTools
+      StringSimilarityThreshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 20,
+          "y": 1520
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "33":
+    id: "33"
+    taskid: aa9071c9-8926-4ae8-82f6-a5253cf91ee1
+    type: regular
+    task:
+      id: aa9071c9-8926-4ae8-82f6-a5253cf91ee1
+      version: -1
+      name: Set suspicious executions to layout
+      description: Accepts a JSON object and returns a markdown.
+      scriptName: JsonToTable
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "29"
+    scriptarguments:
+      extend-context:
+        simple: suspiciousexecutionmarkdown=
+      title:
+        simple: Suspicious Executions Found
+      value:
+        complex:
+          root: Findings
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -620,
+          "y": 1860
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    fieldMapping:
+    - incidentfield: Suspicious Executions Found
+      output:
+        simple: ${suspiciousexecutionmarkdown}
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "34":
+    id: "34"
+    taskid: 68dd35d0-6e38-4237-8ec5-29b30a4a5723
+    type: condition
+    task:
+      id: 68dd35d0-6e38-4237-8ec5-29b30a4a5723
+      version: -1
+      name: Has related attack patterns?
+      type: condition
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#default#':
+      - "29"
+      "yes":
+      - "16"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: RelatedAttackPatterns
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 220,
+          "y": 680
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "35":
+    id: "35"
+    taskid: 498f8a3f-74fc-4bb5-8ede-b0eed39c0e1b
+    type: regular
+    task:
+      id: 498f8a3f-74fc-4bb5-8ede-b0eed39c0e1b
+      version: -1
+      name: Set no results found
+      description: commands.local.cmd.set.incident
+      script: Builtin|||setIncident
+      type: regular
+      iscommand: true
+      brand: Builtin
+    nexttasks:
+      '#none#':
+      - "29"
+    scriptarguments:
+      suspiciousexecutionsfound:
+        simple: '#### No results found'
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 220,
+          "y": 1860
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+view: |-
+  {
+    "linkLabelsPosition": {
+      "23_29_#default#": 0.15,
+      "27_29_#default#": 0.25,
+      "30_29_#default#": 0.19,
+      "34_29_#default#": 0.23
+    },
+    "paper": {
+      "dimensions": {
+        "height": 2705,
+        "width": 2180,
+        "x": -620,
+        "y": -450
+      }
+    }
+  }
+inputs:
+- key: SDOName
+  value: {}
+  required: false
+  description: The SDO name.
+  playbookInputQuery:
+- key: SDOType
+  value:
+    simple: Campaign
+  required: false
+  description: The SDO type.
+  playbookInputQuery:
+- key: HuntingTimeFrame
+  value:
+    simple: 30 days
+  required: false
+  description: 'Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.'
+  playbookInputQuery:
+- key: StringSimilarityThreshold
+  value: {}
+  required: false
+  description: 'StringSimilarity automation threshold. StringSimilarity is being used in this playbook to compare between pattern of malicious use in a tool and command-line arguments found in the environment. Please provide number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold.'
+  playbookInputQuery:
+outputs: []
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_SDO_Threat_Hunting_README.md b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_SDO_Threat_Hunting_README.md
new file mode 100644
index 000000000000..ba70ad688181
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_SDO_Threat_Hunting_README.md
@@ -0,0 +1,59 @@
+This playbook will be executed when the analyst chooses to perform SDO hunting.
+The playbook receives an SDO type indicator and executes the following steps:
+
+- Searches IOCs related to the SDO indicator - IPs, Hashes, Domains, URLs.
+- Hunts for the found IOCs using the "Threat Hunting - Generic" sub-playbook.
+- Searches attack patterns that are related to the SDO indicator.
+- Searches LOLBAS tools that are related to the found attack patterns.
+- Hunts for LOLBin executions command-line arguments that are similar to LOLBAS  malicious commands patterns.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* Threat Hunting - Generic
+* Search LOLBAS Tools By Name
+* TIM - Indicator Relationships Analysis
+* Search and Compare Process Executions - Generic
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* SearchIndicatorRelationships
+* Print
+* Set
+* SearchIndicator
+* JsonToTable
+
+### Commands
+
+* setIncident
+* appendIndicatorField
+* associateIndicatorsToIncident
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| SDOName | The SDO name. |  | Optional |
+| SDOType | The SDO type. | Campaign | Optional |
+| HuntingTimeFrame | Time in relative date or range format \(for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 \+02:00 and 2021-02-01 12:34:56 \+02:00"\). The default is the last 24 hours. | 30 days | Optional |
+| StringSimilarityThreshold | StringSimilarity automation threshold. StringSimilarity is being used in this playbook to compare between pattern of malicious use in a tool and command-line arguments found in the environment. Please provide number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold. |  | Optional |
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Proactive Threat Hunting - SDO Threat Hunting](../doc_files/Proactive_Threat_Hunting_-_SDO_Threat_Hunting.png)
diff --git a/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_README.md b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_README.md
new file mode 100644
index 000000000000..c258fac63391
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_README.md
@@ -0,0 +1,45 @@
+This playbook is the main playbook of the 'Proactive Threat Hunting' pack. It automatically runs during a new hunting session and guides the threat hunter through the session based on the selected hunting method. The available hunting methods are:
+
+- SDO Hunt: Constructs the hunting hypothesis based on SDO indicators (Campaign, Malware, Intrusion Set).
+- Freestyle Hunt: Allows the threat hunter to provide their own queries and IOCs for hunting.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* Proactive Threat Hunting - SDO Threat Hunting
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* Print
+
+### Commands
+
+* setIncident
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| IncidentTag | A tag that will be attached to Threat Hunting incidents. | Threat Hunting | Optional |
+| HuntingTimeFrame | Time in relative date or range format \(for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 \+02:00 and 2021-02-01 12:34:56 \+02:00"\). The query execution script default is the last 24 hours. | 7 Days | Optional |
+| StringSimilarityThreshold | StringSimilarity automation threshold. StringSimilarity is being used in this playbook to compare between pattern of malicious use in a tool and command-line arguments found in the environment.<br/>Please provide number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold. | 0.5 | Optional |
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Proactive Threat Hunting](../doc_files/Proactive_Threat_Hunting.png)
diff --git a/Packs/ProactiveThreatHunting/README.md b/Packs/ProactiveThreatHunting/README.md
new file mode 100644
index 000000000000..748a081eff2a
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/README.md
@@ -0,0 +1,7 @@
+
+## What does this pack do?
+The "Proactive Threat Hunting" pack for Cortex XSOAR enables users to initiate threat hunting sessions with the primary goal of identifying undetected threats within their environment. Hunting session summary will be displayed in the new "Threat Hunting" dashboard. This pack supports two distinct hunting methods:
+- SDO Hunting: Users can build hypotheses around specific STIX Data Object (SDO) indicators such as Campaigns, Intrusion Sets, or Malware. The pack allows for the search of Indicators of Compromise (IOCs) related to the selected SDO indicator, as well as the identification of tools and tactics used in the corresponding attack pattern.
+- Freestyle Hunt: This method empowers threat hunters to execute custom queries, upload their own IOCs, and conduct comprehensive searches and data enrichment on entities within the environment.
+Additionally, both hunting methods in the pack offer the capability to take remediation actions directly from the hunting session layout. This includes the ability to block IOCs, isolate endpoints, block accounts, and quarantine files, providing a holistic approach to threat hunting and response.
+Overall, the "Proactive Threat Hunting" pack enhances Cortex XSOAR's capabilities by allowing security teams to proactively explore and identify potential threats, providing a powerful toolset to enhance the organization's cybersecurity posture.
diff --git a/Packs/ProactiveThreatHunting/Scripts/HuntingFromIndicatorLayout/HuntingFromIndicatorLayout.py b/Packs/ProactiveThreatHunting/Scripts/HuntingFromIndicatorLayout/HuntingFromIndicatorLayout.py
new file mode 100644
index 000000000000..3b14f1f3e9d8
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Scripts/HuntingFromIndicatorLayout/HuntingFromIndicatorLayout.py
@@ -0,0 +1,44 @@
+import demistomock as demisto  # noqa: F401
+from CommonServerPython import *  # noqa: F401
+
+
+def hunting_from_indicator_layout(sdo: str):
+    """
+    Creating an incident from the indicator layout with the following parameters:
+        Name: Threat Hunting Session - <Indicator Value>
+        Type: Proactive Threat Hunting
+        sdoname: <Indicator Value>
+    Args:
+        - sdo: The indicator value.
+    Returns:
+        - CommandResults: A CommandResults object with a readable output indicating that the incident was created.
+
+    Raises:
+        - ValueError: If the indicator value is not part of Demisto args,
+          a ValueError is raised with a message indicating that the automation was not executed from the indicator layout.
+       """
+    try:
+        demisto.executeCommand("createNewIncident", {"name": f"Threat Hunting Session - {sdo}",
+                                                     "sdoname": f"{sdo}",
+                                                     "type": "Proactive Threat Hunting"})
+    except Exception as e:
+        raise DemistoException(f'Failed to create hunting session: {str(e)}') from e
+
+    return CommandResults(
+        readable_output=f"Proactive Threat Hunting Incident Created: Threat Hunting Session - {sdo}"
+    )
+
+
+def main() -> None:  # pragma: no cover
+    args = demisto.args()
+    if "indicator" not in args:
+        raise DemistoException("The automation was not executed from indicator layout")
+    try:
+        return_results(hunting_from_indicator_layout(args["indicator"].get("value")))
+
+    except Exception as e:
+        return_error(f'Failed to create hunting session: {str(e)}')
+
+
+if __name__ in ('__main__', '__builtin__', 'builtins'):
+    main()
diff --git a/Packs/ProactiveThreatHunting/Scripts/HuntingFromIndicatorLayout/HuntingFromIndicatorLayout.yml b/Packs/ProactiveThreatHunting/Scripts/HuntingFromIndicatorLayout/HuntingFromIndicatorLayout.yml
new file mode 100644
index 000000000000..18c5a74a3dd8
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Scripts/HuntingFromIndicatorLayout/HuntingFromIndicatorLayout.yml
@@ -0,0 +1,22 @@
+commonfields:
+  id: HuntingFromIndicatorLayout
+  version: -1
+name: HuntingFromIndicatorLayout
+script: ''
+type: python
+tags:
+- indicator-action-button
+comment: |-
+  This automation creates an incident from the indicator layouts Malware, Campaign and Intrusion set, with the following parameters:
+  - Name: Threat Hunting Session - <Indicator Value>
+  - Type: Proactive Threat Hunting
+  - sdoname: <Indicator Value>.
+enabled: true
+scripttarget: 0
+subtype: python3
+runonce: false
+dockerimage: demisto/python3:3.10.13.80593
+runas: DBotWeakRole
+fromversion: 6.9.0
+tests:
+- No tests (auto formatted)
diff --git a/Packs/ProactiveThreatHunting/Scripts/HuntingFromIndicatorLayout/HuntingFromIndicatorLayout_test.py b/Packs/ProactiveThreatHunting/Scripts/HuntingFromIndicatorLayout/HuntingFromIndicatorLayout_test.py
new file mode 100644
index 000000000000..efba633befca
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/Scripts/HuntingFromIndicatorLayout/HuntingFromIndicatorLayout_test.py
@@ -0,0 +1,63 @@
+import pytest
+from unittest.mock import patch
+from HuntingFromIndicatorLayout import hunting_from_indicator_layout, main
+from CommonServerPython import DemistoException  # noqa: F401
+
+
+@pytest.fixture
+def mock_executeCommand():
+    with patch('demistomock.executeCommand') as mock:
+        yield mock
+
+
+@pytest.mark.parametrize("sdo_value, expected_result",
+                         [("indicator", "Proactive Threat Hunting Incident Created: Threat Hunting Session - indicator")])
+def test_hunting_from_indicator_layout_success(mock_executeCommand, sdo_value, expected_result):
+    """
+    Given:
+        The 'mock_executeCommand' function is properly patched to mock 'demistomock.executeCommand'.
+    When:
+        The 'hunting_from_indicator_layout' function is called with the sdo_value parameter set to "indicator".
+    Then:
+        The result of 'hunting_from_indicator_layout' compared to the 'expected_results'.
+    """
+    mock_executeCommand.return_value = [{'Type': 1, 'Contents': 'Incident created successfully'}]
+
+    result = hunting_from_indicator_layout(sdo_value)
+
+    assert result.readable_output == expected_result
+
+
+def test_hunting_from_indicator_layout_failure(mock_executeCommand):
+    """
+        Given:
+            The mock_executeCommand function is properly patched to mock demistomock.executeCommand.
+        When:
+            The hunting_from_indicator_layout function is called with the sdo_value parameter set to "non_existent_indicator",
+                and the mocked executeCommand is configured to raise a DemistoException
+        Then:
+            he test is expected to raise a DemistoException with the specified message.
+    """
+    mock_executeCommand.side_effect = DemistoException("The automation was not executed from indicator layout")
+
+    with pytest.raises(DemistoException):
+        hunting_from_indicator_layout("non_existent_indicator")
+
+
+def test_main_indicator_not_in_args():
+    """
+        Given:
+            No additional setup is required.
+        When:
+            The main function is called.
+        Then:
+            The test is expected to raise a DemistoException with the message "The automation was not
+                executed from indicator layout".
+    """
+    with pytest.raises(DemistoException, match="The automation was not executed from indicator layout"):
+
+        main()
+
+
+if __name__ == '__main__':
+    pytest.main()
diff --git a/Packs/ProactiveThreatHunting/Scripts/HuntingFromIndicatorLayout/README.md b/Packs/ProactiveThreatHunting/Scripts/HuntingFromIndicatorLayout/README.md
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting.png b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting.png
new file mode 100644
index 000000000000..bd10884f2dec
Binary files /dev/null and b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting.png differ
diff --git a/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Block_Account.png b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Block_Account.png
new file mode 100644
index 000000000000..02432dc01935
Binary files /dev/null and b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Block_Account.png differ
diff --git a/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Block_Indicators.png b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Block_Indicators.png
new file mode 100644
index 000000000000..b7cf88a00172
Binary files /dev/null and b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Block_Indicators.png differ
diff --git a/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Endpoint_Isolation.png b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Endpoint_Isolation.png
new file mode 100644
index 000000000000..421bab08b6af
Binary files /dev/null and b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Endpoint_Isolation.png differ
diff --git a/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Entity_Enrichment.png b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Entity_Enrichment.png
new file mode 100644
index 000000000000..8de29706af3f
Binary files /dev/null and b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Entity_Enrichment.png differ
diff --git a/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Execute_Query.png b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Execute_Query.png
new file mode 100644
index 000000000000..74ae6bd5fb76
Binary files /dev/null and b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Execute_Query.png differ
diff --git a/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Quarantine_File.png b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Quarantine_File.png
new file mode 100644
index 000000000000..bb10b5a96cb1
Binary files /dev/null and b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Quarantine_File.png differ
diff --git a/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_SDO_Threat_Hunting.png b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_SDO_Threat_Hunting.png
new file mode 100644
index 000000000000..c6aed16eb06c
Binary files /dev/null and b/Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_SDO_Threat_Hunting.png differ
diff --git a/Packs/ProactiveThreatHunting/pack_metadata.json b/Packs/ProactiveThreatHunting/pack_metadata.json
new file mode 100644
index 000000000000..549e62375cf8
--- /dev/null
+++ b/Packs/ProactiveThreatHunting/pack_metadata.json
@@ -0,0 +1,65 @@
+{
+    "name": "Proactive Threat Hunting",
+    "description": "The XSOAR Threat Hunting Pack enhances analyst capabilities by leveraging threat intelligence to uncover previously undetected threats, empowering proactive identification and mitigation of potential security risks.",
+    "support": "xsoar",
+    "currentVersion": "1.0.0",
+    "author": "Cortex XSOAR",
+    "url": "https://www.paloaltonetworks.com/cortex",
+    "email": "",
+    "videos": [
+        "https://www.youtube.com/watch?v=yHwDTXt8Vjo"
+    ],
+    "categories": [
+        "Data Enrichment & Threat Intelligence"
+    ],
+    "tags": [
+        "Use Case",
+        "Threat Intelligence"
+    ],
+    "useCases": [
+        "Hunting"
+    ],
+    "keywords": [],
+    "marketplaces": [
+        "xsoar"
+    ],
+    "dependencies": {
+        "CortexXDR": {
+            "mandatory": false,
+            "display_name": "Cortex XDR by Palo Alto Networks"
+        },
+        "FiltersAndTransformers": {
+            "mandatory": true,
+            "display_name": "Filters And Transformers"
+        },
+        "CommonTypes": {
+            "mandatory": true,
+            "display_name": "Common Types"
+        },
+        "CommonPlaybooks": {
+            "mandatory": true,
+            "display_name": "Common Playbooks"
+        },
+        "FeedLOLBAS": {
+            "mandatory": true,
+            "display_name": "LOLBAS Feed"
+        },
+        "MicrosoftDefenderAdvancedThreatProtection": {
+            "mandatory": false,
+            "display_name": "Microsoft Defender for Endpoint"
+        },
+        "FeedUnit42v2": {
+            "mandatory": false,
+            "display_name": "Feed Unit42 v2"
+        }
+    },
+    "displayedImages": [
+        "CortexXDR",
+        "FiltersAndTransformers",
+        "CommonTypes",
+        "MicrosoftDefenderAdvancedThreatProtection",
+        "LOLBASFeed",
+        "CommonPlaybooks",
+        "FeedUnit42v2"
+    ]
+}
\ No newline at end of file