{"channels":[{"browser_delivery":true,"category":"Code handoff","config":{"labels":["security-remediation","ai-agent-draft"],"required_sections":["branch_name","pr_title","pr_body","test_plan","rollback","reviewer_checklist"],"type":"draft_pr_packet"},"description":"Reviewer-ready markdown and metadata for a pull request without writing to the source host.","driver":"draft-pr","id":"draft-pr-packet","label":"Draft PR packet","requirement":"No GitHub write required. Produces branch name, PR body, tests, rollback, and reviewer checklist.","runtime_support":"copy_only","status":"native"},{"browser_delivery":true,"category":"Ticketing","config":{"issue_type":"Task","labels":["security-remediation","ai-agent-draft"],"repository":"owner/repo","type":"github_issue"},"description":"Creates a GitHub issue with a normalized remediation or scan handoff body.","driver":"github-issue","id":"github-issue","label":"GitHub issue","requirement":"Requires GitHub PAT or OAuth token with issues write access.","runtime_support":"live","status":"native"},{"browser_delivery":true,"category":"Collaboration","config":{"include_fields":["title","severity","scope","next_steps"],"message_format":"mrkdwn","type":"slack_webhook","webhook_url":"https://hooks.slack.com/services/..."},"description":"Posts the report or remediation handoff into a Slack channel using an incoming webhook.","driver":"slack","id":"slack-webhook","label":"Slack webhook","requirement":"Requires an incoming Slack webhook URL.","runtime_support":"live","status":"native"},{"browser_delivery":true,"category":"Collaboration","config":{"relay_url":"","subject_prefix":"[SecurityRecipes]","to":["security@example.com"],"type":"email_handoff"},"description":"Generates a browser mail draft or sends through a configured relay endpoint.","driver":"email","id":"email-handoff","label":"Email handoff","requirement":"Uses a local mailto draft, or a configured CORS-enabled email relay URL.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"Ticketing","config":{"base_url":"https://example.atlassian.net","issue_type":"Task","project_key":"SEC","type":"jira_issue"},"description":"Creates a Jira task with a structured remediation or scan summary.","driver":"jira","id":"jira-ticket","label":"Jira ticket","requirement":"Requires Jira base URL, account email, API token, and project key.","runtime_support":"live","status":"native"},{"browser_delivery":true,"category":"Reports and evidence","config":{"required_sections":["scope","steps","evidence","stop_conditions","rollback"],"type":"runbook_receipt"},"description":"Clipboard-friendly markdown for human execution with stop conditions and rollback.","driver":"runbook","id":"runbook-receipt","label":"Runbook receipt","requirement":"No external auth required. Produces copyable steps and evidence.","runtime_support":"copy_only","status":"native"},{"browser_delivery":true,"category":"Reports and evidence","config":{"required_sections":["change_window","commands","verification","rollback"],"type":"server_runbook"},"description":"Operations-focused handoff for patching or validation during a maintenance window.","driver":"server-runbook","id":"server-runbook","label":"Server runbook","requirement":"No automatic server changes. Produces commands for a human-run maintenance window.","runtime_support":"copy_only","status":"native"},{"browser_delivery":true,"category":"Collaboration","config":{"include_fields":["title","severity","scope","recommendation","links"],"payload_shape":"text_or_adaptive_card","type":"teams_workflows_webhook","webhook_url":"https://prod-00.westus.logic.azure.com/workflows/..."},"description":"Posts a browser-generated handoff to a Microsoft Teams channel or chat through a Workflows webhook.","driver":"teams","id":"teams-workflow-webhook","label":"Microsoft Teams workflow webhook","requirement":"Requires a Teams Workflows webhook URL. Microsoft 365 connectors are nearing deprecation, so prefer a Workflows-owned webhook.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"Ticketing","config":{"instance_url":"https://example.service-now.com","priority_map":{"critical":"1","high":"2","medium":"3"},"table":"incident","type":"servicenow_incident"},"description":"Creates a ServiceNow incident or task record with a normalized remediation or scan summary.","driver":"servicenow","id":"servicenow-incident","label":"ServiceNow incident","requirement":"Requires a ServiceNow instance URL, table name, and OAuth bearer token with create access to the target table.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"Ticketing","config":{"labels":["security-remediation","ai-agent"],"state":"Backlog","team_id":"9cfb482a-81e3-4154-b5b9-2c805e70a02d","type":"linear_issue"},"description":"Creates a Linear issue through the GraphQL API for security engineering or platform backlog handoff.","driver":"linear","id":"linear-issue","label":"Linear issue","requirement":"Requires a Linear personal API key and a target team ID.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"SIEM and analytics","config":{"hec_url":"https://splunk.example.com:8088/services/collector","index":"secops","sourcetype":"securityrecipes:report","type":"splunk_hec"},"description":"Posts the normalized report bundle directly to Splunk HTTP Event Collector for SIEM or analytics use.","driver":"splunk-hec","id":"splunk-hec","label":"Splunk HEC event","requirement":"Requires a Splunk HEC URL and HEC token.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"SIEM and analytics","config":{"owner":"securitySolution","space_id":"default","tags":["security-remediation","browser-agent"],"type":"elastic_security_case"},"description":"Creates an Elastic case with the generated remediation or scan summary.","driver":"elastic-case","id":"elastic-security-case","label":"Elastic Security case","requirement":"Requires a Kibana base URL and Elastic API key with Cases write access.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"Incident response","config":{"dedup_key_template":"securityrecipes-{{asset_id}}-{{finding_key}}","event_action":"trigger","events_api_url":"https://events.pagerduty.com/v2/enqueue","payload_class":"security_remediation","type":"pagerduty_events_v2"},"description":"Starter browser-side route for escalating a high-confidence incident or remediation brief into PagerDuty event orchestration.","driver":"pagerduty","id":"pagerduty-events-v2","label":"PagerDuty Events API v2","requirement":"Requires a PagerDuty Events API v2 routing key or service integration configured for the target escalation path.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"Collaboration","config":{"include_fields":["title","severity","scope","next_steps","links"],"type":"google_chat_webhook","webhook_url":"https://chat.googleapis.com/v1/spaces/SPACE_ID/messages?key=KEY\u0026token=TOKEN"},"description":"Starter browser-side route for posting a normalized remediation or incident brief into a Google Chat space.","driver":"google-chat","id":"google-chat-webhook","label":"Google Chat webhook","requirement":"Requires a Google Chat incoming webhook URL for the destination space.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"Ticketing","config":{"api_version":"7.1","base_url":"https://dev.azure.com","project":"security-platform","type":"azure_devops_work_item","work_item_type":"Issue"},"description":"Browser-side route for creating an Azure DevOps work item from a normalized remediation or scan handoff, with local preview fallback when direct delivery is blocked.","driver":"azure-devops","id":"azure-devops-work-item","label":"Azure DevOps work item","requirement":"Requires an Azure DevOps organization, project, work item type, and a PAT or bearer token with Work Items write scope.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"Ticketing","config":{"base_url":"https://gitlab.com/api/v4","issue_type":"issue","labels":["security-remediation","ai-agent"],"project":"group/project","type":"gitlab_issue"},"description":"Browser-side route for creating a GitLab issue with a normalized remediation or triage brief, with local preview fallback when direct delivery is blocked.","driver":"gitlab-issue","id":"gitlab-issue","label":"GitLab issue","requirement":"Requires a GitLab project path or ID plus a personal access token or bearer token. GitLab.com works out of the box; self-managed hosts need a browser-allowed API base URL.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"SOAR and case management","config":{"api_key_header":"Authorization","api_key_id_header":"x-xdr-auth-id","base_url":"https://xsoar.example.com/xsoar/public/v1/incident","create_investigation":true,"incident_type":"Security","include_fields":["name","type","severity","details","rawJSON"],"type":"cortex_xsoar_incident"},"description":"Browser-side route for creating a Cortex XSOAR incident from a reviewed SecurityRecipes packet, with incident-shaped payloads and local preview fallback when direct delivery is blocked.","driver":"xsoar","id":"cortex-xsoar-incident","label":"Cortex XSOAR incident","requirement":"Requires a Cortex XSOAR tenant URL or incident endpoint plus API key ID and API key with incident create access. Direct browser delivery still depends on tenant CORS and any mandatory incident fields.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"SOAR and case management","config":{"base_url":"https://soar.example.com/rest/orgs/{orgId}/incidents","handle_format":"names","incident_type_ids":[123],"type":"ibm_soar_incident"},"description":"Starter browser-side route for creating an IBM SOAR incident from a structured SecurityRecipes packet.","driver":"ibm-soar","id":"ibm-soar-incident","label":"IBM SOAR incident","requirement":"Requires an IBM SOAR organization URL and API credentials with incident create access.","runtime_support":"planned","status":"template"},{"browser_delivery":true,"category":"SOAR and case management","config":{"api_version":"2025-09-01","base_url":"https://management.azure.com","resource_path":"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentIdentifier}/runPlaybook","type":"microsoft_sentinel_playbook"},"description":"Starter browser-side route for forwarding a reviewed packet into a Microsoft Sentinel incident playbook.","driver":"sentinel-playbook","id":"microsoft-sentinel-playbook","label":"Microsoft Sentinel playbook trigger","requirement":"Requires Azure subscription and workspace identifiers plus an OAuth token permitted to run Sentinel playbooks.","runtime_support":"planned","status":"template"},{"browser_delivery":true,"category":"SOAR and case management","config":{"include_fields":["title","severity","scope","report","links"],"story":"SecurityRecipes downstream orchestration","type":"tines_webhook","webhook_url":"https://tenant.tines.com/webhook/..."},"description":"Browser-side route for forwarding a reviewed SecurityRecipes packet into a Tines story or event-driven workflow, with local preview fallback when direct delivery is blocked.","driver":"tines","id":"tines-webhook","label":"Tines webhook","requirement":"Requires a Tines webhook or HTTP Request action endpoint approved for browser-triggered incident or remediation intake, with any optional auth header or custom headers configured in the browser.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"SOAR and case management","config":{"include_fields":["title","severity","scope","recommendation","artifacts"],"type":"torq_webhook","webhook_url":"https://api.torq.io/webhooks/...","workflow":"SecurityRecipes handoff"},"description":"Browser-side route for sending a reviewed remediation or incident packet into a Torq automation workflow, with local preview fallback when direct delivery is blocked.","driver":"torq","id":"torq-webhook","label":"Torq workflow webhook","requirement":"Requires a Torq webhook or API-triggered workflow endpoint plus any auth header or secret material approved for browser-side use.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"SOAR and case management","config":{"auth_header":"ph-auth-token","base_url":"https://phantom.example.com/rest/container","container_type":"case","include_fields":["name","label","description","severity","sensitivity","source_data_identifier","data"],"label":"events","type":"splunk_soar_container"},"description":"Browser-side route for creating a Splunk SOAR container from a reviewed SecurityRecipes packet, with container-shaped payloads and local preview fallback when direct delivery is blocked.","driver":"splunk-soar","id":"splunk-soar-incident","label":"Splunk SOAR incident","requirement":"Requires a Splunk SOAR or Phantom tenant URL or /rest/container endpoint plus a ph-auth-token for an automation user with container create access. Direct browser delivery still depends on tenant CORS and label permissions.","runtime_support":"live_or_copy","status":"native"},{"browser_delivery":true,"category":"SOAR and case management","config":{"app":"Security Cases","base_url":"https://swimlane.example.com/api","record_type":"case","type":"swimlane_record"},"description":"Starter browser-side route for creating a Swimlane case or work item from a reviewed SecurityRecipes packet.","driver":"swimlane","id":"swimlane-case","label":"Swimlane case","requirement":"Requires a Swimlane environment URL, app identifier, and API token with record create access for the target case app.","runtime_support":"planned","status":"template"},{"browser_delivery":true,"category":"Custom integrations","config":{"headers":{"Content-Type":"application/json"},"method":"POST","type":"generic_webhook","url":"https://example.internal/hooks/security-recipes"},"description":"Posts the full SecurityRecipes delivery envelope to a custom SOAR, queue, or workflow endpoint.","driver":"generic-webhook","id":"generic-webhook","label":"Generic webhook","requirement":"Requires a browser-reachable webhook URL and any required headers or bearer token.","runtime_support":"live_or_copy","status":"native"}]}