Cortex XDR - First SSO Access Deprecated
Deprecated. Use `Cortex XDR - Identity Analytics` instead. Investigates a Cortex XDR incident containing First SSO access from ASN in organization or First successful SSO connection from a country in organization. The playbook executes the following: - IP and User Enrichment. - User Investigation - Using 'User Investigation - Generic' sub-playbook. - Set alert's verdict - Using 'Cortex XDR - First SSO access - Set Verdict' sub-playbook. - Response based on the verdict. The playbook is used as a sub-playbook in ‘Cortex XDR Incident Handling - v3’.
Cortex XDR by Palo Alto Networks · 40 tasks · 25 inputs · 0 outputs
Inputs
AutomaticallyIsolateEndpoint— Whether to isolate the endpoint automatically.XDRRelatedAlertsThreshold— This is the minimum threshold for XDR related alerts based on user activity to identify suspicious activity. example: If this input is set to '3', and the 'Cortex XDR - First SSO Access - Set Verdict' sub-playbook has found 4 XDR related alerts - It will classify this check as suspicious activity. The default value is '3'.FailedlogonUserThreshold— This is the minimum threshold for failed login attempts by the user. example: If this input is set to '30', and the 'Cortex XDR - First SSO Access - Set Verdict' sub-playbook has found 31 failed login attempts - It will classify this check as suspicious activity. The default value is '30'.FailedlogonFromASNThreshold— This is the minimum threshold for failed login attempts from ASN. example: If this input is set to '20', and the 'Cortex XDR - First SSO Access - Set Verdict' sub-playbook has found 21 failed login attempts from ASN - It will classify this check as suspicious activity. The default value is '20'.EndpointID— XDR Endpoint ID.Username— User name.IPAddress— IP Address from the XDR Alert.LoginCountry— The country from which the user logged in.AutomaticallyBlockAccount— Whether to block the account automatically.ContactUserManager— Whether to ask the user manager for the legitimacy of the login events, in case of a user logged in from an unusual country.AlertName— Alert Name.MaliciousVerdictThreshold— The 'Malicious verdict' threshold to determine a malicious verdict. The default value is '2'. Should be Greater than the "SuspiciousVerdictThreshold" input.SuspiciousVerdictThreshold— The 'Suspicious verdict' threshold to determine a suspicious verdict. The default value is '1'. Should be lower than the "MaliciousVerdictThreshold" input.SplunkIndex— Splunk's index name in which to search. Default is "*" - All.SplunkEarliestTime— The earliest time for the Splunk search query.SplunkLatestTime— The latest time for the Splunk search query.QRadarSearchTime— The Search Time for the QRadar search query. for example: Last 1 daysAzureSearchTime— The Search Time for the Azure Log Analytics search query. for example: ago(1d)SIEMFailedLogonSearch— Whether to search for failed logon logs from Siem? Can be False or True.ThreatLogSearch— Whether to search for threat logs from PAN-OS? Can be False or True.XDRAlertSearch— Whether to search for Related alerts from XDR? Can be False or True.OktaSearch— Whether to search for logs from Okta? Can be False or True.XDRUsernameField— Cortex XDR User name Field.AutomaticallyClearSessions— Whether to clear all the user sessions automatically. Can be used in conjunction with the ForceClearSessionsForHighRiskUsers input.ForceClearSessionsForHighRiskUsers— Whether to clear user sessions regardless of the AutomaticallyClearSessions input for users with High risk. Users receive their risk level based on Cortex XDR's ITDR module. The risks can be: - LOW - MED - HIGH Setting this to True will automatically clear the user sessions in Okta if the user has a high risk. Setting this and the AutomaticallyClearSessions inputs to False, will prompt the analyst to take action manually even if the user has a high risk associated with it.
Commands used
ip
okta-clear-user-sessions
setIncident
xdr-endpoint-isolate